Irregular Expressions

Jul 27 2012   12:21AM GMT

Discount Gift Certificates – Part 3



Posted by: Dan O'Connor

Still no sign of outbound connections, and I am not sure if I will ever see one at this point.
My next step is to do some static analysis of the code and see if there are any hints in there.

I did have a thought: the suspect file came attached to an HTML email.
That could be an effective way to see who possibly loaded the exe. If you linked to a file on a web server from inside the HTML, you could see it hit in the logs, then scan those IPs at a later date.

After much searching, all of the links in the file are going to groupon.com.
I was starting to get disappointed when I noticed some extras on some of the links...

There are division, user and source parameters. This might be something to work with, but I doubt it will get anything more than an email to Groupon to ask about it.
Each of the links appears to have a different user string attached, like so:

user=3DDYS6OKLRAMKYYLDPUVAYRXSE3NMMNR3ETX39NA6LFNF8G
user=3DOBPAXTL39667KKV9YNBX7U6K00
user=3DXKHPO5YGT7OX9O42NUL1YK1CB9E

But the source and division seem to be consistent:
utm_source=3Dwelcome_day0&amp=;utm_medium=3Demail
division=3Dmiami
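As an added example (not code from the original post), this script does the link triage described above on a quoted-printable encoded HTML attachment: the `=3D` in the strings is how quoted-printable encodes a literal `=`, and `=` at the end of a line is a soft line break. It decodes the body, extracts every `href`, and separates the parameters that vary per link (`user`) from those shared by all links (`utm_source`, `utm_medium`, `division`). The email fragment below is constructed; the `user` values are made up, not the ones from the real message.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample in the style of the attachment; the second link has a
# quoted-printable soft line break ("=" at end of line) in the middle of "&amp;".
SAMPLE_QP = b"""<html><body>
<a href=3D"http://www.groupon.com/deals/one?user=3DAAAA1111&amp;utm_source=3Dwelcome_day0&amp;utm_medium=3Demail&amp;division=3Dmiami">Deal 1</a>
<a href=3D"http://www.groupon.com/deals/two?user=3DBBBB2222&amp;utm_source=3Dwelcome_day0&amp=
;utm_medium=3Demail&amp;division=3Dmiami">Deal 2</a>
<a href=3D"http://example.invalid/track.gif">pixel</a>
</body></html>
"""

TRACKING_KEYS = ("user", "utm_source", "utm_medium", "division")


class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags; HTMLParser unescapes &amp; for us."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_tracking(qp_html: bytes):
    """Decode quoted-printable, then return host + tracking params per link."""
    html = quopri.decodestring(qp_html).decode("utf-8", errors="replace")
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for href in parser.hrefs:
        url = urlparse(href)
        qs = parse_qs(url.query)
        entry = {"host": url.hostname}
        for key in TRACKING_KEYS:
            entry[key] = qs.get(key, [None])[0]
        results.append(entry)
    return results


def constant_and_varying(results, keys=TRACKING_KEYS):
    """Split parameters into those identical across all links and those that differ."""
    values = {k: {r[k] for r in results if r[k] is not None} for k in keys}
    constant = {k: next(iter(v)) for k, v in values.items() if len(v) == 1}
    varying = {k: sorted(v) for k, v in values.items() if len(v) > 1}
    return constant, varying
```

Run `constant_and_varying` only over the links to the host you are investigating, so that unrelated tracking pixels do not dilute the comparison.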

If what I am thinking is correct, the attacker is using Groupon to manage the campaign by using its methods of tracking. I am assuming that whatever they can see through the analytics allows them to see the IP of the source.

I will send an email to them, see if we get anywhere.

Also, we can continue with the static analysis.
