On 2/18/21 6:37 PM, Ricky Boone wrote:
> Just wanted to forward an example of an interesting URL obfuscation
> tactic observed yesterday.
>
> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>
> Google then spits back a response with the redirect target in both
> JavaScript and non-JavaScript forms (meta refresh tag):
>
> https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.php&sa=D&sntz=1&usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g
>
> Slightly different response behavior this time, but ultimately
> redirects the victim to the malicious destination. The effective
> destination in this case has been taken down, but I'll avoid putting
> the full link.
>
> Unfortunately, there didn't seem to be any rules that would help catch
> this. I have a couple of thoughts on some that I would need to test, but
> wanted to share them with the community.

I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well. If you can send me a spample I could tweak it a bit more.
Giovanni
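As an added illustration of the obfuscation described in the thread (this is not code from the thread, from Ricky, from Giovanni, or from the GB_GOOGLE_OBFUR rule), the following Python peels nested google.com/url redirects the way a mail filter or analyst would: each hop is a google.com/url link whose `url=` or `q=` parameter carries the next hop, percent-encoded one more level each time. The sample URL is constructed to mirror the structure of the one in the thread, with the real destination replaced by example.invalid and a placeholder `usg` token; the function names and the nesting-depth heuristic are this example's own, not a rule SpamAssassin ships.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: same shape as the URL in the thread, with the live
# destination replaced by example.invalid and an invented usg= token.
SAMPLE = (
    "https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url="
    "https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fexample.invalid"
    "%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DCONSTRUCTED"
)

# Hosts whose /url endpoint acts as an open redirect for our purposes.
GOOGLE_REDIRECT_HOSTS = {"www.google.com", "google.com"}
# Parameters Google's /url endpoint reads the target from; the outer hop in
# the thread uses url=, the inner hop uses q=.
REDIRECT_PARAMS = ("url", "q")


def next_hop(url):
    """Return the redirect target if url is a google.com/url link, else None.

    parse_qs percent-decodes exactly one level, which is what makes the
    doubly-encoded inner link come out as a parseable URL for the next round.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in GOOGLE_REDIRECT_HOSTS or parts.path != "/url":
        return None
    query = parse_qs(parts.query)
    for key in REDIRECT_PARAMS:
        values = query.get(key)
        if values and values[0]:
            return values[0]
    return None


def unwrap_google_redirect(url, max_depth=10):
    """Follow nested google.com/url wrappers without any network access.

    Returns (final_url, hops) where hops lists every wrapper URL peeled, in
    order. max_depth guards against a crafted link that nests forever.
    """
    hops = []
    current = url
    for _ in range(max_depth):
        target = next_hop(current)
        if target is None:
            break
        hops.append(current)
        current = target
    return current, hops


def is_nested_google_redirect(url):
    """Heuristic check in the spirit of the thread: a single google.com/url
    hop is common in legitimate mail, but a redirect that wraps another
    google.com/url redirect is the evasion pattern described above.
    """
    final, hops = unwrap_google_redirect(url)
    final_host = (urlsplit(final).hostname or "").lower()
    return len(hops) >= 2 and final_host not in GOOGLE_REDIRECT_HOSTS


if __name__ == "__main__":
    final, hops = unwrap_google_redirect(SAMPLE)
    for depth, hop in enumerate(hops, 1):
        print(f"hop {depth}: {hop}")
    print(f"effective destination: {final}")
    print(f"nested redirect: {is_nested_google_redirect(SAMPLE)}")
```

Running it on the constructed sample prints two google.com/url hops and then the off-Google destination; a plain single-level `google.com/url?q=...` link, which legitimate Google-generated mail produces constantly, is not flagged, which is the distinction a rule for this pattern has to make to avoid false positives.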