June 7, 2012

Spoofed Xanga malicious emails, similar to Craigslist campaign

Ran Mosessco, Principal Security Researcher

Hot on the heels of yesterday's malicious emails spoofing Craigslist comes another variant, spotted today. This one spoofs a Xanga blog notification about a comment on your blog. So far we have seen about 140,000 of these in our Cloud Email Security portal.

Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.

Let’s look at a sample.

Subject: New Weblog comment on your post! 

As we can see, the "Click here to reply" link goes to this URL:


The target site contains obfuscated JavaScript that redirects to URLs like:


Those are the sites that host the exploit kit.

Basically, the lure has changed, but the URLs suggest this is all part of the same malicious campaign. We can probably expect a few more themes in the coming weeks, as the cybercriminals try to broaden their victim base. 

A little peek behind the curtain here shows how the Websense® Security Labs™ ThreatSeeker™ Network categorizes the URLs in real time, similar to the way our products do real-time categorization for customers:

More detailed analysis of the URL behavior can be found here.

To summarize, the number of emails and varying themes suggest this is not targeted against specific users (Xanga today, Craigslist yesterday), but rather a more typical attempt to cast a broad net. We will be on the lookout for more developments; we anticipate other variants will surface soon.

