Case 2 - heimerpara.de
Case opened: 2008-07-29
A new mail came in with a link to a page nearly identical to case 1; here's the email:
From - Tue Jul 29 07:09:30 2008
X-Account-Key: account2
X-UIDL: 0001e39b470286bd
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <hazel-setrepme@22designs.com>
Received: from www.despammed.com (localhost.localdomain [127.0.0.1]) by outgoing.despammed.com (8.13.8/8.13.8) with ESMTP id m6TB1p46030072 for <mail@outgoing.vivtek.com>; Tue, 29 Jul 2008 04:01:51 -0700
Received: (from root@localhost) by www.despammed.com (8.13.8/8.13.8/Submit) id m6TB1p6w030071 for mail@outgoing.vivtek.com; Tue, 29 Jul 2008 04:01:51 -0700
Received: from cpc3-blac2-0-0-cust892.manc.cable.ntl.com (cpc3-blac2-0-0-cust892.manc.cable.ntl.com [81.102.163.125]) by incoming.despammed.com (8.13.8/8.13.8) with ESMTP id m6TB1m4i030023 for <mail@vivtek.com>; Tue, 29 Jul 2008 04:01:48 -0700
To: mail@vivtek.com
Subject: Smackdown highlights
From: Beaudrie <hazel-setrepme@22designs.com>
Content-Type: text/plain; format=flowed; delsp=yes; charset=ISO-8859-1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Date: Tue, 29 Jul 2008 12:01:44 +0100
Message-ID: <qx.llpnihqrdiokfs@DJXCL12J>
User-Agent: Opera Mail/9.50 (Win32)
X-Despammed-Tracer: m6TB1m4i0300231217329309

McCain criticizes Obama for lack of empathy
http://heimerpara.de/default.html

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
The payload exploit in this one is quite different (I think) from the first -- certainly the methods are entirely different. Since I don't have case 1 deobfuscated yet, the final exploit might be the same, but I'm guessing it isn't.
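As an added triage example (not part of the original case notes), the following Python walks the Received: chain of the mail above from oldest hop to newest, finds the hop where the message entered the receiving relays, compares that host's domain with the From: domain, and pulls the link out of the body. The embedded header text is the case-2 mail retyped one header per line; the hostname-to-domain reduction is a crude last-two-labels heuristic, an assumption of this example.

```python
import email
import email.utils
import re
# The case-2 mail retyped one header per line (mbox and X-* lines dropped).
RAW_MAIL = """\
Received: from www.despammed.com (localhost.localdomain [127.0.0.1]) by outgoing.despammed.com (8.13.8/8.13.8) with ESMTP id m6TB1p46030072 for <mail@outgoing.vivtek.com>; Tue, 29 Jul 2008 04:01:51 -0700
Received: (from root@localhost) by www.despammed.com (8.13.8/8.13.8/Submit) id m6TB1p6w030071 for mail@outgoing.vivtek.com; Tue, 29 Jul 2008 04:01:51 -0700
Received: from cpc3-blac2-0-0-cust892.manc.cable.ntl.com (cpc3-blac2-0-0-cust892.manc.cable.ntl.com [81.102.163.125]) by incoming.despammed.com (8.13.8/8.13.8) with ESMTP id m6TB1m4i030023 for <mail@vivtek.com>; Tue, 29 Jul 2008 04:01:48 -0700
Subject: Smackdown highlights
From: Beaudrie <hazel-setrepme@22designs.com>

McCain criticizes Obama for lack of empathy
http://heimerpara.de/default.html
"""

# "from <helo> (<rdns> [<ip>]) by <relay>", the form sendmail writes.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[]*)\s*\[([\d.]+)\]\)\s+by\s+(\S+)")

def received_hops(raw):
    """Hops oldest-first as (from_host, from_ip, by_host). Relays prepend
    Received:, so the last header is the first hop; local submissions get None."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(hdr)
        if m:
            hops.append((m.group(1), m.group(3), m.group(4)))
        else:
            by = re.search(r"by\s+(\S+)", hdr)
            hops.append((None, None, by.group(1) if by else None))
    return hops

def entry_point(raw):
    """First hop from a non-loopback IP: where the mail entered our relays.
    Only headers added by our own relays are trustworthy; earlier ones may be forged."""
    for hop in received_hops(raw):
        if hop[1] and not hop[1].startswith("127."):
            return hop

def sender_domain_mismatch(raw):
    """From: domain vs. entry host's last two labels; a mismatch hints at spoofing."""
    from_addr = email.utils.parseaddr(email.message_from_string(raw)["From"])[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    host_domain = ".".join(entry_point(raw)[0].rsplit(".", 2)[-2:])
    return from_domain != host_domain, from_domain, host_domain

def body_urls(raw):
    # The link is the artefact the case goes on to analyse.
    return re.findall(r"https?://\S+", email.message_from_string(raw).get_payload())
```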