Busy Friday – CareerBuilder, Iran, and Burma

A couple of things to note today: some malcode, and some political hacking and attacks.

First is a new fast flux phishing malcode delivery scheme targeting CareerBuilder. Lures bring you in to a number of sites and launch malcode onto your system. It's a pretty classic technique these days, and it's been used heavily for banks in the past couple of weeks. Now we’re on to CareerBuilder.

Here’s what the page looks like if you go there:


It’s a fast flux botnet, apparently doing double flux too. Here’s what the DNS graph looks like (mimicking the graphics shown on the RBN Exploit blog).


The domain names being used so far include


Much of that list comes from Gary Warner’s always excellent blog. So, as many of you may be in the job market, keep in mind that not everything from CareerBuilder is really from them.
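A heuristic for spotting the fast flux and double flux behaviour mentioned above from repeated DNS lookups of one domain, as an added example that is not part of the original post. The `Snapshot` type, the thresholds, the `.example` names and all addresses are constructed assumptions.

```python
# Added example: fast-flux / double-flux heuristic over repeated DNS lookups.
# Thresholds and all sample data are constructed assumptions (IPv4 only).
from dataclasses import dataclass
from ipaddress import ip_address

MAX_TTL = 300      # assumed: flux domains keep A-record TTLs short
MIN_DISTINCT = 5   # assumed: distinct addresses seen across lookups
MIN_NETS = 3       # assumed: distinct /16 networks those addresses span

@dataclass
class Snapshot:
    ttl: int       # TTL (seconds) on the A records in this lookup
    a: set         # A-record addresses returned
    ns: set        # addresses of the authoritative name servers

def rotating(sets):
    """True if the address set changes between lookups and is widely spread."""
    seen = set().union(*sets)
    nets = {int(ip_address(ip)) >> 16 for ip in seen}   # group by /16
    changed = any(x != y for x, y in zip(sets, sets[1:]))
    return changed and len(seen) >= MIN_DISTINCT and len(nets) >= MIN_NETS

def classify(snaps):
    """Return 'stable', 'single-flux' or 'double-flux' for one domain."""
    if len(snaps) < 2:
        return "stable"            # one lookup cannot show rotation
    a_flux = max(s.ttl for s in snaps) <= MAX_TTL and rotating([s.a for s in snaps])
    ns_flux = rotating([s.ns for s in snaps])
    if a_flux and ns_flux:
        return "double-flux"       # hosts and name servers both rotate
    return "single-flux" if a_flux else "stable"

# Constructed lookups using documentation address ranges.
A1 = {"192.0.2.10", "198.51.100.7", "203.0.113.5"}
A2 = {"192.0.2.99", "198.51.100.40", "203.0.113.77"}
NS1 = {"192.0.2.53", "198.51.100.53"}
NS2 = {"192.0.2.54", "198.51.100.54", "203.0.113.53"}
SAMPLES = {
    "double.example": [Snapshot(180, A1, NS1), Snapshot(180, A2, NS2)],
    "single.example": [Snapshot(180, A1, NS1), Snapshot(180, A2, NS1)],
    # round-robin pool inside one network: rotates, but is not flux
    "pool.example": [Snapshot(60, {"192.0.2.1", "192.0.2.2", "192.0.2.3"}, NS1),
                     Snapshot(60, {"192.0.2.4", "192.0.2.5", "192.0.2.6"}, NS1)],
    "static.example": [Snapshot(3600, {"192.0.2.80"}, NS1)] * 2,
}

if __name__ == "__main__":
    for name, snaps in SAMPLES.items():
        print(name, classify(snaps))
```

The network-spread check is what keeps an ordinary round-robin pool from being flagged; real use would need more lookups per domain and thresholds tuned against known-good traffic.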

The second is a pair of politically motivated attacks. The Democratic Voice of Burma is once again under DDoS. This one has been seen before, and it’s unfortunate that it’s happening again. I’ve been digging for information and hope to have some to share soon. At present I don’t have anything I can share.

The second bit of political hacking is reports that defacements have shut down Iranian clerics’ Web sites. I don’t see any DDoS activity around this yet, but we are seeing some defacements, some apparently on sites that run buggy OSS codebases, so it’s not surprising that they got owned.



Links to more news about this: Cyber attack launched on Shiite websites: Iran report via the AFP.

One Response to “Busy Friday – CareerBuilder, Iran, and Burma”

September 23, 2008 at 2:46 pm, Politically-motivated hacking in Iran, Burma « Weaponized Culture said:

[…] 23, 2008 by Erich Simmers This is from Jose Nazario of Arbor Networks: The second is a pair of politically motivated attacks. The Democratic Voice of Burma is once again […]
