{"id":11,"date":"2010-06-03T09:25:31","date_gmt":"2010-06-03T14:25:31","guid":{"rendered":"https:\/\/paulbegley.com\/2010\/06\/malware-as-twitter-password-reset\/"},"modified":"2010-06-03T09:25:31","modified_gmt":"2010-06-03T14:25:31","slug":"malware-as-twitter-password-reset","status":"publish","type":"post","link":"https:\/\/blog.paulbegley.com\/?p=11","title":{"rendered":"Malware as twitter password reset"},"content":{"rendered":"<p>Wow.&#160; This caught me by surprise this morning.&#160; The message below (forwarded to Google Mail) looks legit, but if you hover over the link, you see it points to a binary (password.exe) hosted on gameroomhaven.com.<\/p>\n<p>Most of the message is legit.&#160; The links at the bottom of the post are legit, pointing back to twitter.com.&#160; However, the e-mail address in the SPAM is one I only use for a high school alumni site.&#160; Based on that, I started to look at the message more carefully and noted the malware link posing as the password reset URL.<\/p>\n<p>Lesson here, don\u2019t click on links in your e-mail without verifying the source.<\/p>\n<p>Using the Google Mail \u2018Show original\u2019 feature (drop down in upper right corner of each message) showed the source code for the message where the malicious URL is obvious. A snippet from the original below:<\/p>\n<pre>Hey there.\n\nCan't remember your password, huh?\nIt happens to the best of us.\n\nPlease open this link in your browser:\n\nhttp:\/\/www.gameroomhaven.com\/password.exe\n\nThis will reset your password.\nYou can then login and change it to something you'll remember.<\/pre>\n<p><a href=\"https:\/\/i0.wp.com\/blog.paulbegley.com\/wp-content\/uploads\/2010\/06\/image.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" style=\"border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px\" title=\"image\" border=\"0\" alt=\"image\" src=\"https:\/\/i0.wp.com\/blog.paulbegley.com\/wp-content\/uploads\/2010\/06\/image_thumb.png?resize=244%2C226&#038;ssl=1\" width=\"244\" height=\"226\" \/><\/a> <\/p>\n<div style=\"padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px\" id=\"scid:0767317B-992E-4b12-91E0-4F059A8CECA8:c8c2134c-d022-4b38-b3de-708c1c7cb707\" class=\"wlWriterEditableSmartContent\">Technorati Tags: <a href=\"http:\/\/technorati.com\/tags\/security\" rel=\"tag\">security<\/a>,<a href=\"http:\/\/technorati.com\/tags\/twitter\" rel=\"tag\">twitter<\/a><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Wow.&#160; This caught me by surprise this morning.&#160; The message below (forwarded to Google Mail) looks legit, but if you hover over the link, you see it points to a binary (password.exe) hosted on gameroomhaven.com. Most of the message is &hellip; <a href=\"https:\/\/blog.paulbegley.com\/?p=11\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[16],"tags":[],"class_list":["post-11","post","type-post","status-publish","format-standard","hentry","category-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6YWFc-b","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.paulbegley.com\/index.php?rest_route=\/wp\/v2\/posts\/11","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.paulbegley.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.paulbegley.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.paulbegley.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.paulbegley.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11"}],"version-history":[{"count":0,"href":"https:\/\/blog.paulbegley.com\/index.php?rest_route=\/wp\/v2\/posts\/11\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.paulbegley.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.paulbegley.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.paulbegley.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}