@garrettr
Created February 5, 2015 00:21
Flash Player Update Phishing Attempt

Full URLs, in order. I requested the first URL, and the rest were caused by rapid automatic redirects. The final URL displayed a very convincing phishing page that tried to get me to download a Flash Player Update.

If the page had a title, I included it. Otherwise, the title (in the tab) just displayed the beginning of the URL.

  1. missioncliffs.com
  2. Title: "Flash player is outdated", URL: http://park.above.com/jr.php?gz=eM2dY4GmRFcpjndiUURoUPLqtHyY9NuxJE8VC6aWxCRLKxQDnPVOzvPn%2BqwVdKYIxWN8Njsz%2BR%2FU0HzrhTFu7CP6nCH9mFsd9z%2BDUQgTILSQsAGrvJ65GTtjF5J6Fcm1STlPGhn88aKZMyqjrulpUufW2At%2B7gq96eoIu7pIxtL7mSOgLLRAgs5hw6iE1XPtPW0z0HhtEKxvsBnzQzdIHCA3Q%2FMZzIFsh4B5EwWggXgkZU2veLbhsUhzf44SgiO%2B01D%2B95qX%2F%2FiX%2B%2FaME71B9wV0eH6FWXE1azldPIHev65hyEujGjEy9e%2F6QEOch%2BDIkeIQZmi2xTEth%2FdaJRwh9V%2BC2RkFl99T%2Fe0jniefYfY20agcKeGBvQKm4FNXHjsp5hr%2BmOHKWaBaMulVJ8fvSNj5TdZRDhhCBnDIdqdlTwdKt596mvzug48rfP7UlmHeLJrC11641VuTa9phbWIpF1GRAff5wSKiMm8AlgxNAbCZyxUrgrcm8fXxyOSePEjRYbgz5Cml2bgV2qAW9F%2FQ7sYn2CAUcr0UUZRUgl9r9hI%3D
  3. http://pc4maintainance.freeupgrade24.com/?dist_id=430&channel=kra_yab_vsp_gog_us_dm&v=icmac&c=86d49f0a75b0f5ba5ad0248e186dfaba&cid=ZV719f9d02acc811e4ae2e0662f63201727d072c275ebd&v_id=fbdc17944d9b7fcc47880a6845b2a905
  4. http://zj.zeroredirect2.com/zcredirect?visitid=719f9d02-acc8-11e4-ae2e-0662f6320172&type=js&browserWidth=1266&browserHeight=635&iframeDetected=false
  5. Title: "Flash player is outdated", URL: http://updatenew.traffic-clean.com/?dist_id=430&channel=kra_yab_vsp_gog_us_dm&v=icmac&c=86d49f0a75b0f5ba5ad0248e186dfaba&cid=ZV719f9d02acc811e4ae2e0662f63201727d072c275ebd&v_id=fbdc17944d9b7fcc47880a6845b2a905
  6. http://zj.zeroredirect1.com/zcvisitor/719f9d02-acc8-11e4-ae2e-0662f6320172

Interestingly, this only happened once (the first time I accessed missioncliffs.com). All subsequent accesses (I've tried a few over Tor as well) have redirected me to ww2.missioncliffs.com, which is a typical generic domain squat page featuring links related to rock climbing.
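Added example (not part of the original gist): a short Python triage of hops 3 to 6 in the list above. It shows that one visit id is threaded through all four URLs and decodes the timestamp that id carries. The function names are hypothetical, and reading the `visitid` value as an RFC 4122 version-1 UUID is an assumption based on its format.

```python
import uuid
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Hops 3-6 copied from the list above (hop 2 omitted: its only parameter is opaque).
HOPS = {
    3: "http://pc4maintainance.freeupgrade24.com/?dist_id=430&channel=kra_yab_vsp_gog_us_dm&v=icmac&c=86d49f0a75b0f5ba5ad0248e186dfaba&cid=ZV719f9d02acc811e4ae2e0662f63201727d072c275ebd&v_id=fbdc17944d9b7fcc47880a6845b2a905",
    4: "http://zj.zeroredirect2.com/zcredirect?visitid=719f9d02-acc8-11e4-ae2e-0662f6320172&type=js&browserWidth=1266&browserHeight=635&iframeDetected=false",
    5: "http://updatenew.traffic-clean.com/?dist_id=430&channel=kra_yab_vsp_gog_us_dm&v=icmac&c=86d49f0a75b0f5ba5ad0248e186dfaba&cid=ZV719f9d02acc811e4ae2e0662f63201727d072c275ebd&v_id=fbdc17944d9b7fcc47880a6845b2a905",
    6: "http://zj.zeroredirect1.com/zcvisitor/719f9d02-acc8-11e4-ae2e-0662f6320172",
}
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # UUIDv1 time base


def query(url):
    """Query string as a flat {name: value} dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def visit_id(hops):
    """The visitid parameter from the first hop that carries one."""
    for _, url in sorted(hops.items()):
        if "visitid" in query(url):
            return uuid.UUID(query(url)["visitid"])
    raise ValueError("no visitid parameter in any hop")


def hops_carrying(hops, vid):
    """Hop numbers whose URL embeds the visit id, dashed or as bare hex."""
    return [n for n, url in sorted(hops.items()) if str(vid) in url or vid.hex in url]


def v1_timestamp(vid):
    """Creation time encoded in a version-1 UUID (100 ns ticks since 1582-10-15)."""
    if vid.version != 1:
        raise ValueError("not a version-1 UUID")
    return GREGORIAN_EPOCH + timedelta(microseconds=vid.time // 10)


def shared_params(hops, a, b):
    """Parameters that two hops pass with identical values."""
    qa, qb = query(hops[a]), query(hops[b])
    return {k: v for k, v in qa.items() if qb.get(k) == v}


if __name__ == "__main__":
    vid = visit_id(HOPS)
    print("visit id", vid, "appears in hops", hops_carrying(HOPS, vid))
    print("minted at", v1_timestamp(vid).isoformat())
    print("hops 3 and 5 share", sorted(shared_params(HOPS, 3, 5)))
```

The decoded time reflects the clock of whichever system generated the id, so it is best compared against your own proxy or DNS logs rather than taken as exact.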
