Author Topic: PhishTank submissions  (Read 7206 times)

December 16, 2010, 06:22:26 pm

hhhobbit

From PhishTank:

http://www.villeblevin.fr/uploads/associations/ConsultaMultaOnline.php

http://triatlon.org/install_versao2010.exe

Normal websites, but the URLs are being distributed in email or they wouldn't be at PhishTank

December 16, 2010, 06:35:20 pm
Reply #1

hhhobbit

Oops, one more:

http://www.radiojovemrio.com/site/media/arquivo/Dsc_14021.html

Downloads a file called lnstall.exe
(that is an "L" at the start, not a capital "I" (eye)
or a "1" (one)).

I asked PhishTank to give us a "malware" button. No soap. That gives me a dilemma. Should I click on "it's a phish", which it is not, or "it's not a phish", which it is, but designating it as such ignores the obvious fact that it is an extremely dangerous URL? In fact, clicking that it is okay basically protects the malware from that point on. Most of them start with fewer than 5 AVs detecting at VirusTotal or only 1-2 at Jotti.

More will be added as I find them at PhishTank. I was trolling for patterns to add to the PAC filter. Everything I have tried just seems to give FPs and little to no protection. Phishers are always changing their MO.


December 09, 2011, 01:02:44 pm
Reply #2

hhhobbit

A new one:

http://chronicworship.com/plugins/content/user_logout_SFWM.php

First redirect was to
www.sairaah.com

Second redirect was to:
www.clubs.chuyenluongthevinh.com

The name of the file in both cases was:
PDF-to-Word-Trial-09-12-2011-Setup.com

Kaspersky Name:
Trojan.Win32.Jorik.Vobfus.kel

December 09, 2011, 01:11:27 pm
Reply #3

hhhobbit

Another one:

epaper.yosungroup.com/epaper/images/4/4m89fh39fg95.pac

This is a PAC filter that filters out everything good and directs you to something bad.
My PAC filter blocks all files with extension ".pac".
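
One way to write the extension rule mentioned in Reply #3, as an added example (not hhhobbit's actual PAC filter): it examines only the URL path, so a download named like `PDF-to-Word-Trial-09-12-2011-Setup.com` is blocked while a `.com` host name is not. The blackhole proxy address and the extension list are assumptions.

```javascript
// Added example: path-extension block rule for a PAC file.
// BLACKHOLE and BLOCKED_EXTENSIONS are assumptions, not the poster's filter.
var BLACKHOLE = "PROXY 127.0.0.1:9"; // assumed dead proxy; nothing listens there
var BLOCKED_EXTENSIONS = ["pac", "exe", "com", "scr", "pif"];

// Return the lowercase extension of the last path segment, or "" if none.
// Only the path is examined, so the TLD of a ".com" host never matches.
function pathExtension(url) {
  var rest = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, ""); // drop the scheme
  var slash = rest.indexOf("/");
  if (slash === -1) return "";                    // host only, no path
  var path = rest.slice(slash).split(/[?#]/)[0];  // drop query and fragment
  var segment = path.slice(path.lastIndexOf("/") + 1).split(";")[0];
  try {
    segment = decodeURIComponent(segment);        // catch "setup%2Eexe"
  } catch (e) {
    // malformed percent-encoding: keep the raw segment
  }
  segment = segment.replace(/[. ]+$/, "");        // ignore trailing dots/spaces
  var dot = segment.lastIndexOf(".");
  if (dot <= 0) return "";                        // no extension, or a dotfile
  return segment.slice(dot + 1).toLowerCase();
}

// Standard PAC entry point: send blocked extensions to the dead proxy.
function FindProxyForURL(url, host) {
  if (BLOCKED_EXTENSIONS.indexOf(pathExtension(url)) !== -1) {
    return BLACKHOLE;
  }
  return "DIRECT";
}
```

A rule like this stops the payload request, not the landing page that links to it, and browsers that strip the path from https:// URLs before calling the PAC function will only apply it to plain http:// requests.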

January 26, 2012, 03:07:31 pm
Reply #4

michajp

Hello,


Normal websites, but the URLs are being distributed in email or they wouldn't be at PhishTank



I believe that PhishTank does not only get submissions of links which are distributed by mail.

Cheers