Phishers target Blogger.com accounts

A new phishing campaign came out about two hours ago, this time targeting bloggers who use Google's "blogger.com" and "blogspot" services.

The emails are pretty straightforward:

Subject: Your Blogger Account

Dear Blogger account owner,
To update your Blogger account please click the following link:

http://www.blogger.com/update/VE.php?service=blogger&c=111111111111111111&email=youremail@yourdomain.com.

Thank you for using Blogger.

This is a post-only mailing. Replies to this message are not monitored or answered.

The webpages are of course not actually Blogger, but are phishing sites on ".kr" domains, which have been favored lately by the Avalanche/Zeus group.

http://www.blogger.com.esub.co.kr/update/VE.php?service=blogger
http://www.blogger.com.esub.kr/update/VE.php?service=blogger
http://www.blogger.com.esub.ne.kr/update/VE.php?service=blogger
http://www.blogger.com.esug.co.kr/update/VE.php?service=blogger
http://www.blogger.com.esug.kr/update/VE.php?service=blogger
http://www.blogger.com.esug.ne.kr/update/VE.php?service=blogger
http://www.blogger.com.esuk.kr/update/VE.php?service=blogger
http://www.blogger.com.esuk.ne.kr/update/VE.php?service=blogger
http://www.blogger.com.esuk.or.kr/update/VE.php?service=blogger
http://www.blogger.com.esus.co.kr/update/VE.php?service=blogger
http://www.blogger.com.esus.kr/update/VE.php?service=blogger
http://www.blogger.com.esus.ne.kr/update/VE.php?service=blogger
http://www.blogger.com.esut.co.kr/update/VE.php?service=blogger
http://www.blogger.com.esut.kr/update/VE.php?service=blogger
http://www.blogger.com.esut.ne.kr/update/VE.php?service=blogger


Updated: 22FEB2010 @ 9AM Central time

These are the sites we've seen spammed so far this morning . . .

www.blogger.com.dese.ne.kr
www.blogger.com.desr.co.kr
www.blogger.com.desr.kr
www.blogger.com.desr.or.kr
www.blogger.com.desv.co.kr
www.blogger.com.desv.or.kr
www.blogger.com.erdca.ne.kr
www.blogger.com.erdce.kr
www.blogger.com.erdcq.kr
www.blogger.com.erdcu.kr
www.blogger.com.erdcu.ne.kr
www.blogger.com.esuk.kr
www.blogger.com.zoba.co.kr
www.blogger.com.zoba.kr
www.blogger.com.zoba.or.kr
www.blogger.com.zobv.co.kr
www.blogger.com.zohy.kr
www.blogger.com.zohy.or.kr


The phishing site itself looks like this:



We've seen about 350 copies of this phishing campaign so far, but again, its just started up. Look for more URLs to follow.