[Dshield] Encoded URL in phishing spam

Stephane Grobety security at admin.fulgan.com
Mon Oct 24 15:57:10 GMT 2005


Hello everyone,

Today, I received a strange phishing spam message. It was your
standard "please enter your bank account info so we can rob you clean"
phishing spam but the encoded URL looked strange.

It started with your pretty standard HTTP-encoded characters leading to
a chain of local google servers. But the last URL was really weird: it
wouldn't decode to anything sensible, even starting with a tab.

I've included the URL, replacing the % sign with the (percent) string
so, if this is an exploit of some sort, it won't cause trouble.

(the next line might wrap)
http://(percent)09(percent)67(percent)0(percent)39(percent)7(percent)09(percent)34k(percent)09(percent)73(percent)73ax(percent)2(percent)09E(percent)43(percent)09(percent)6Ab(percent)(percent)092e(percent)09(percent)4E(percent)(percent)0909E(percent)(percent)0909T/

Does anyone have any clue as to what this is supposed to decode to?

Good luck and thanks,
Stephane
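
One way a mail or proxy filter could normalise a host like the one posted above, as an added example that is not part of the original message. It assumes the receiving client discards tab, CR and LF characters and that the escapes are nested, so it repeats decode-and-strip until the string stops changing; `normalise_host`, `decode_once` and the return shape are illustrative names.

```python
import re

# Host part of the URL exactly as posted above; the poster's "(percent)"
# placeholder stands in for "%".
POSTED_HOST = (
    "(percent)09(percent)67(percent)0(percent)39(percent)7"
    "(percent)09(percent)34k(percent)09(percent)73(percent)73ax"
    "(percent)2(percent)09E(percent)43(percent)09(percent)6Ab"
    "(percent)(percent)092e(percent)09(percent)4E"
    "(percent)(percent)0909E(percent)(percent)0909T"
)

_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")   # a well-formed %XX escape
_IGNORED = re.compile(r"[\t\r\n]")           # assumed to be dropped by the client


def decode_once(text):
    """Decode well-formed %XX escapes; a stray '%' is left untouched."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def normalise_host(raw, max_passes=8):
    """Return (host, passes, stripped) for an obfuscated host string.

    passes   -- decode rounds that changed the string (more than 1 = nested)
    stripped -- tab/CR/LF characters removed along the way
    """
    current = raw.replace("(percent)", "%")
    stripped = 0
    for passes in range(max_passes + 1):
        decoded = decode_once(current)
        stripped += len(_IGNORED.findall(decoded))
        nxt = _IGNORED.sub("", decoded)
        if nxt == current:
            # Stable: nothing left to decode or strip.
            return current.lower(), passes, stripped
        current = nxt
    raise ValueError("input still changing after max_passes rounds")


if __name__ == "__main__":
    host, passes, stripped = normalise_host(POSTED_HOST)
    print(f"host={host!r} passes={passes} stripped={stripped}")
```

A result with `passes` greater than 1 or `stripped` greater than 0 is a reasonable signal for a filter to flag the link, since ordinary links rarely need either.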



