Oops, one more:
http://www.radiojovemrio.com/site/media/arquivo/Dsc_14021.html
Downloads a file called lnstall.exe
(that is an "L" at the start, not a capital "I" (eye),
or a "1" (one)).
I asked PhishTank to give us a "malware" button. No soap. That gives me a dilemma. Should I click on "it's a phish", which it is not, or "it's not a phish", which it is, but designating it as such ignores the obvious fact that it is an extremely dangerous URL. In fact, clicking on "it is okay" basically protects the malware from that point on. Most of them start with fewer than 5 AVs detecting at VirusTotal or only 1-2 at Jotti.
More will be added as I find them at PhishTank. I was trolling for patterns to add to the PAC filter. Everything I have tried just seems to give FPs and little to no protection. Phishers are always changing their MO.