Nice. I've copied scrubbed versions of what I've seen so far here: https://gitlab.com/-/snippets/2079108 (I can never remember if it is appropriate to include attachments to mailing lists like this).
On Thu, Feb 18, 2021 at 1:13 PM Giovanni Bechis <giova...@paclan.it> wrote:
>
> On 2/18/21 6:37 PM, Ricky Boone wrote:
> > Just wanted to forward an example of an interesting URL obfuscation
> > tactic observed yesterday.
> >
> > https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
> >
> > Google then spits back a response with the redirect target in both
> > JavaScript and non-JavaScript forms (meta refresh tag):
> >
> > https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.php&sa=D&sntz=1&usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g
> >
> > Slightly different response behavior this time, but ultimately
> > redirects the victim to the malicious destination. The effective
> > destination in this case has been taken down, but I'll avoid putting
> > the full link.
> >
> > Unfortunately, there didn't seem to be any rules that would help catch
> > this. I have a couple thoughts on some that I would need to test, but
> > wanted to share with the community.
> >
> I just committed a new variation of GB_GOOGLE_OBFUR that should match this
> spam as well.
> If you can send me a spample I could tweak it a bit more.
>
> Giovanni
>
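The nested google.com/url wrapping discussed in the quoted message, unwrapped by parsing alone, as an added example that is not part of the original thread or of SpamAssassin's GB_GOOGLE_OBFUR rule. It uses the sample URL quoted above. The hostname check (google.com and its subdomains only, not other Google ccTLDs) and the depth cap of 10 are this example's own assumptions.

```python
"""Unwrap nested google.com/url redirects to find the effective destination.

Added example for this thread, not code from the original post or from
SpamAssassin. The sample URL is the one quoted in the thread; the hostname
check and the max-depth limit are assumptions of this example.
"""
from urllib.parse import urlparse, parse_qs

# Sample URL copied from the thread (its final destination has been taken down).
SAMPLE = (
    "https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15"
    "&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252F"
    "www.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD"
    "%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g"
)


def is_google_redirect(url: str) -> bool:
    """True when the URL points at the /url redirector on google.com.

    Assumption: only google.com and its subdomains are treated as the
    redirector; other Google ccTLDs (google.co.uk, ...) are not handled.
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return (host == "google.com" or host.endswith(".google.com")) and p.path == "/url"


def redirect_target(url: str):
    """Return the destination carried by one google.com/url layer, or None.

    The redirector accepts the destination in either `url=` or `q=`; the
    thread's sample uses one form per layer. parse_qs percent-decodes the
    value exactly once, which is exactly one unwrapping step, so the doubly
    encoded inner link comes out still singly encoded, ready for the next pass.
    """
    if not is_google_redirect(url):
        return None
    params = parse_qs(urlparse(url).query)  # blank values such as q= are dropped
    for key in ("url", "q"):
        if params.get(key):
            return params[key][0]
    return None


def unwrap_chain(url: str, max_depth: int = 10) -> list:
    """Follow google.com/url layers by parsing only; no network requests.

    Returns [outer, ..., effective destination]. Stops at max_depth (an
    assumed cap) or when a layer repeats, so a self-referencing URL cannot loop.
    """
    chain = [url]
    seen = {url}
    while len(chain) <= max_depth:
        nxt = redirect_target(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def nested_redirect_depth(url: str) -> int:
    """Number of google.com/url layers wrapped around the destination."""
    return len(unwrap_chain(url)) - 1


def effective_destination(url: str) -> str:
    """The URL a victim ends up on after all redirector layers are peeled."""
    return unwrap_chain(url)[-1]


if __name__ == "__main__":
    for hop, link in enumerate(unwrap_chain(SAMPLE)):
        print(f"hop {hop}: {link}")
    print("nested layers:", nested_redirect_depth(SAMPLE))
```

Because the unwrapping is purely lexical, it can be run over a mailbox of spam samples without ever touching google.com or the destination. A depth of 2 or more is the signal the thread is after: a legitimate search-result link carries one layer, so a google.com/url whose target is itself google.com/url is the obfuscation pattern rather than ordinary tracking.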