For those wondering and not yet aware. The latest incarnations coming via e-mail have changed MO - the link to the exploit itself, isn't directly in the e-mail anymore. Instead, it goes via;
1. Site A
2. 4 x MITMs
5. Exploit site
In this case;
Code: Select all
-> 18.104.22.168 - Resolution failed
-> AS21844 22.214.171.124/16 THEPLANET-AS - ThePlanet.com Internet Services, Inc.
-> 126.96.36.199 - Resolution failed
-> AS3595 188.8.131.52/20 GNAXNET-AS - Global Net Access, LLC
-> 184.108.40.206 - hubble.websiteactive.com
-> AS24446 220.127.116.11/22 NETREGISTRY-AS-AP NetRegsitry Pty Ltd.
-> 18.104.22.168 - bender.verat.net
-> AS15982 22.214.171.124/20 VERAT-AS-1 Drustvo za telekomunikacije Verat d.o.o, Bulevar Vojvode Misica 37
-> 126.96.36.199 - 188.8.131.52.clausweb.ro
-> AS5606 184.108.40.206/18 KQRO GTS Telecom SRL
-> 220.127.116.11 - vanquish.websitewelcome.com
-> AS21844 18.104.22.168/14 THEPLANET-AS - ThePlanet.com Internet Services, Inc.
Presumably, this is an effort at redundancy, to ensure it still delivers when one of the MITMs is down.
http://hphosts.blogspot.com/2011/12/bla ... ering.html
Blackhole exploit: For those wondering, Part 2
I received a comment to the 2009 blog. This one houses a variation of the MO used that I outlined in part 1 (was not going to be a part 2, but it's got a few changes that warranted it).
The MO in this case, is;
1. Site A
There's no MITMs this time. There's also a slight change in the code used on the exploit page itself, though curiously, it's even easier to decode than the last one (only 3 lines needing commented out this time).
http://hphosts.blogspot.com/2011/12/bla ... ng_05.html