Irregular Expressions

Jul 27 2012   12:21AM GMT

Discount Gift Certificates – Part 3

Dan O'Connor

Still no sign of outbound connections, and I am not sure if I will ever see one at this point.
My next step is to do some static analysis of the code and see if there are any hints in there.

I did have a thought: the suspect file came attached to an HTML email.
That could be an effective way to see who possibly loaded the exe; if you linked to a file on a web server from inside the HTML, you could see it hit in the logs, then scan those IPs at a later date.

After much searching, all of the links in the file are going to
I was starting to get disappointed when I noticed some extras on some of the links…

There is division, user, source. This might be something to work with, but I doubt it will get anything more than an email to Groupon to ask about it.
Each of the links appears to have a different user string attached, like so.


But the source and division seem to be consistent.

If what I am thinking is correct, the attacker is using Groupon to manage the campaign by using its methods of tracking. I am assuming that whatever they can see through the analytics allows them to see the IP of the source.
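The static check described above (pull every link out of the HTML email, split off the query string, and see which tracking parameters stay constant across links and which change per link) can be done without ever fetching a URL. The script below is an added example and not code from the original post; the HTML, the `tracker.example` host and the parameter values are constructed placeholders, only the parameter names (`division`, `user`, `source`) come from the post.

```python
"""Extract and compare tracking parameters from links in an HTML email (added example)."""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample HTML. The host and values are placeholders; only the
# parameter names (division, user, source) come from the post.
SAMPLE_HTML = """
<html><body>
<a href="http://tracker.example/deal/1?division=chicago&user=u1001&source=email">Deal 1</a>
<a href="http://tracker.example/deal/2?division=chicago&user=u1002&source=email">Deal 2</a>
<a href="http://tracker.example/deal/3?division=chicago&user=u1003&source=email">Deal 3</a>
<a href="http://tracker.example/unsubscribe">Unsubscribe</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags; nothing is fetched."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def summarize_params(links):
    """Map each query parameter name to the sorted set of values seen across all links."""
    seen = defaultdict(set)
    for link in links:
        for name, values in parse_qs(urlparse(link).query).items():
            seen[name].update(values)
    return {name: sorted(values) for name, values in seen.items()}


def classify_params(summary):
    """Split parameters into campaign-wide constants and per-link (likely per-recipient) values."""
    constant = {n: v[0] for n, v in summary.items() if len(v) == 1}
    varying = {n: v for n, v in summary.items() if len(v) > 1}
    return constant, varying


def distinct_hosts(links):
    """Hosts the links point at, useful for the 'where are the links going' question."""
    return sorted({urlparse(link).hostname for link in links if urlparse(link).hostname})


if __name__ == "__main__":
    links = extract_links(SAMPLE_HTML)
    constant, varying = classify_params(summarize_params(links))
    print("links found:", len(links))
    print("hosts:", distinct_hosts(links))
    print("constant across links:", constant)
    print("varying per link:", varying)
```

Run against a saved copy of the email body instead of `SAMPLE_HTML` to get the same split; a parameter that takes a different value on every link is the one worth asking the tracking provider about, since it is what ties a click back to a specific recipient.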

I will send an email to them, see if we get anywhere.

Also we can continue with the static analysis.
