Monday, June 09, 2008

MSN IM -> Blogspot -> Pr0ning

I came across this seductive message, and it contains the link that I can't resist to click since it is asked by horny ladies, the link must be legitimate -

http://cux7850mdmk.blogspot.com

Once you click on it, that blog will bring you to another site which is -

http://66.111.45.170/cams/1/

You can see below what is loaded when you go to the blog that is setup with malicious purpose -

The cut-down zoom in version -

META http-equiv="refresh" content="0;URL=http://66.111.45.170/cams/1/"

I manually check http://66.111.45.170/cams, and you might enjoy the screenshot -


Lets see what is in http://66.111.45.170/cams/1/, the content location is actually at -

http://66.111.45.170/cams/1/index.htm

And the index.htm contains -

meta http-equiv="refresh" content="0; URL=http://www.xxxblackbook.com/?s=register&r=lc129795"

Now you should be happy to land at this page, and lets register as a member.


It's rather easy to get someone to click on "look legitimate" link than from the email spam these days. We see the use of meta http-equiv="refresh", and you can find the information about it here -

http://www.html-reference.com/META_httpequiv_refresh.htm

During discussion at freenode #rawpacket, my friend scholar pointed me out related information here -

http://spamtrackers.eu/wiki/index.php?title=Blogspot

Enjoy ;]

4 comments:

Anonymous said...

Nice one. Alas I can't use irc nowadays. Policy... Duh

王同 said...

This kind of redirection is quite old school. I remember last time when I learn up HTML during high school, I use that before.

C.S.Lee said...

hi ayoi,

Too bad ;(

hi surface,

Yeah, old school but works, just like iframe.

Anonymous said...
This comment has been removed by a blog administrator.