1

hxxp://www.tr.im/M2q1M/
https://www.virustotal.com/en/url/7c268f5afaac1c62a693d1a5f6a03d2212123d581d0871bbee440d81df87c0e5/analysis/1444922532/

uBlock Origin has prevented the following page from loading:hxxp://lechequeservice.com/nailas/hotiehotie/Verification%20Set-up.html
Found in: Malware domains
Not blocked by AOS.http://quttera.com/sitescan/www.tr.im

A known PHISH, that is not blocked → http://blog.gmane.org/gmane.comp.security.phishings
Post it as not detected. Abuse on Amazon. This is confirming your post: http://urlquery.net/report.php?id=1444923447311 nailas/hotiehotie/Verification%20Set-up_files/EN-US1_data/bk-coretag.js HTTP/1.1 seems taken down now. But the phishing goes on from IP 192.185.3.213 - clear that this is a threat with a 10 red out of 10 red website risk score at http://toolbar.netcraft.com/site_report?url=http://192.185.3.213
Server there with version 1.8.0 without patch horizon-nginx-rpm- is exploitable!

2

Good find, Be Secure, good find. Checked it against two online cheks and they came up with the following:

With an iFrame check this came up: Suspicious

verification%20set-up_files/en-us1.html’
verification%20set-up_files/en-us.html’ (PHP /VerificationSetUp.html, part of a PHISH!)

The Javascript check flags this: uspicious

le=“width: 475px;”><iframe id=“i0278” marginheight=“0px” marginwidth=“0px” scrolling=“no” src=“verification%20set-up_files/en-us1.html” fram…

Oh and confirmed for IP, threat distribution 100% → https://www.reasoncoresecurity.com/ip-address-54.165.60.202.aspx

What’s spread from that IP:
Files
The IP address has been seen to host the following 3 files.
Threat.InstallMonster.DIREKTTUR (Medium)kerish doctor 2015 4.exe
PUP.iDatixCorporation.Installer (Medium)registrycleanersetup.exe
PUP.OOOSoftMedia (Medium)sdformatter3_1.rar.exe

Downloads
File URLs download from 54.165.60.202.
Threat.InstallMonster.DIREKTTUR (Medium)-http://tr.im/o21 (kerish doctor 2015 4.exe) *
PUP.iDatixCorporation.Installer (Medium)-http://tr.im/o44 (registrycleanersetup.exe) *
PUP.OOOSoftMedia (Medium)-http://tr.im/4t2dz (sdformatter3_1.rar.exe) *

  • and should be added to detection…

polonus