Background: Compromised Twitter accounts are tweeting @ friends/followers a random phrase (1) which includes an open redirect URL (2) that leads to phishing sites (5). There are two additional redirects (3, 4) before the recipient reaches the actual phishing site.
Phrases
- This is too funny of you [open redirect]
- OMG when did you do this? [open redirect]
- I can't stop laughing! [open redirect]
- This pic of you is funny lol [open redirect]
Open Redirect
- hxxp://flashscore.ro/redirect/?url=[url redirect]
- hxxp://home.biomal.org/link.php?url=[url redirect]
- hxxp://medicinalfoodnews.com/cgi-bin/redirect.pl?url=[url redirect]
- hxxp://casino.ru/redirect?url=[url redirect] New
URL Redirect
- urrdrct.appspot.com
- rdrctscm.appspot.com
- lnkrdrctu.appspot.com
- xrdrct1.appspot.com
- zrdrxt.appspot.com
- xdssdfsd.appspot.com
- xdswrct.appspot.com
- apprdrct1.appspot.com New
- apprdrct2.appspot.com New
- apsrdrct3.appspot.com New
- mainrdct.appspot.com New
Intermediate Redirect
- hxxp://1trx1.com/LTSanitizer.aspx?u=[phishing site]
- hxxp://1trx1.com/LTSanitizer.aspx?u=hxxp://fapl.ru./redirect/?url=[phishing site] New
Phishing Site
- oauth-session-time-out.appspot.com
- oauth-session-timedout.appspot.com
- oauth-session-timed-out.appspot.com New
- auth-session-timed-out.appspot.com New