Slashdot Mirror


Spam Opt-out Link Triggers Malicious Code Attack

Maestro4k writes "The Register is reporting on a new spam E-mail circulating out there. In it, clicking on the 'Click here to remove' link launches a site that, when the user scrolls the page, triggers a drag-drop javascript exploit. Scarily, the E-mail actually complies with the CAN-SPAM act, as it only requires spammers to put an opt-out link in their mailings. As The Reg says, "It comes as little surprise that this feature is being taken advantage of in a social engineering exploit; but it does illustrate the security problems of the opt-out approach that were always apparent to security experts - and ignored by legislators." The link in question points to www. xcelent.biz (as in The Reg story, space intentionally included), so even if you can't block the mail yet, it should be easy to block access to the site with the exploit. I suspect this is just the beginning and most spam will include "features" such as this in the near future."

3 of 327 comments

  1. interesting ports on the spammer's site by Indy1 · · Score: 5, Interesting

    Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-22 09:54 MDT
    Interesting ports on 61-218-79-53.HINET-IP.hinet.net (61.218.79.53):
    (The 1651 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    21/tcp open ftp
    22/tcp open ssh
    80/tcp open http
    111/tcp open rpcbind
    135/tcp filtered msrpc
    443/tcp open https
    445/tcp filtered microsoft-ds
    3306/tcp open mysql
    6000/tcp open X11

    Nmap run completed -- 1 IP address (1 host up) scanned in 54.453 seconds

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
    1. Re:interesting ports on the spammer's site by caluml · · Score: 5, Interesting

      bash-2.05b$ mysql -h 61-218-79-53.HINET-IP.hinet.net
      Welcome to the MySQL monitor. Commands end with ; or \g.
      Your MySQL connection id is 658 to server version: 3.23.54

      Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

      mysql> show databases;
      +-----------------+
      | Database        |
      +-----------------+
      | earth_bizzads   |
      | herbalmarketing |
      | mysql           |
      +-----------------+
      3 rows in set (0.45 sec)

      mysql>

  2. Re:Microsoft says "No Problem" by bheerssen · · Score: 5, Interesting

    Yep, exactly right.

    For the curious, here is an interesting post that describes the exploit at some length. Essentially, it uses an HTML 'dynsrc' attribute (proprietary Microsoft extension) to allow IE to download the executable, and javascript to use the 'shell:' protocol to execute it. It's not a particularly new flaw, but this is the slickest exploit of it I've seen.

    --
    (Score: -1, Stupid)
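A heuristic mail/proxy filter for the markers this comment and the summary describe (the IE-only dynsrc attribute, the shell: scheme, and drag-and-drop handlers), written here as an added example and not taken from the post or The Register article. It uses only the Python standard library; the HTML sample is constructed and inert, and the only details borrowed from the thread are the attribute and scheme names.

```python
import re
from html.parser import HTMLParser

# URL-bearing attributes; a 'shell:' scheme in any of them is a red flag.
URL_ATTRS = {"href", "src", "dynsrc", "lowsrc", "background", "action", "data"}
SHELL_SCHEME = re.compile(r"^\s*shell\s*:", re.IGNORECASE)

class ExploitMarkerScanner(HTMLParser):
    """Collect (marker, tag, detail) tuples for the markers named in the thread."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            name, value = name.lower(), (value or "")
            if name == "dynsrc":  # proprietary IE attribute used to pull the file
                self.findings.append(("dynsrc", tag, value))
            elif name in URL_ATTRS and SHELL_SCHEME.match(value):
                self.findings.append(("shell-uri", tag, value))
            elif name.startswith("on"):  # inline event handler
                if "shell:" in value.lower():
                    self.findings.append(("shell-in-handler", tag, name))
                elif name.startswith(("ondrag", "ondrop")):
                    self.findings.append(("drag-drop-handler", tag, name))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):  # script bodies arrive here as raw text
        if self._in_script and "shell:" in data.lower():
            self.findings.append(("shell-in-script", "script", data.strip()[:60]))

def scan_html(html):
    """Return the findings for one HTML body (a mail part or a fetched landing page)."""
    scanner = ExploitMarkerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample, not the real mail: it carries the markers but no working payload.
SAMPLE = """<img dynsrc="http://example.invalid/opt-out.exe">
<div ondragstart="return true">Click here to remove</div>
<script>location.href = "shell:placeholder";</script>
<a href="http://example.invalid/unsubscribe">Click here to remove</a>"""
```

A gateway would quarantine or strip any part for which `scan_html` returns a non-empty list; the plain opt-out link on its own produces no finding.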