I didn't do this last year, but I keep seeing the same sites over and over this year, so I figured I'd let you know about another issue with hacking: "victim sites".
A "victim site" is a legitimate site that gets hacked and has malicious code put on it. You are then led to the site (usually by links in spam email). If you get infected, you blame the site owner, who oftentimes doesn't know what's going on.
Here is a list of redirects I got this week (October, 2011). I checked several, and they appear to be mostly legitimate sites that have been defaced (an injected script on the home page) plus an extra folder with a wacky name, where the really nasty stuff is housed (both phishing pages and drive-by downloads). Some of these sites have been listed as "reported attack sites" by Google and Firefox, but not all. Some sites are being taken down by their hosts, which is a shame, when in many cases the owner of the site had no clue.
I'll put the list of what I found, and add to it next week when I go through the spam folder again. After the list, I'll put a few "tell-tale signs" for a risky URL.
Subj: ACH Payment 0901816 Canceled
Payment Notification #68745890
The ACH transaction (ID:68745890 ), recently initiated from your checking account (by you or any other person), was canceled by the other financial institution
(the link is displayed as): http://nacha.org/report/48969656/detailis.php?n=2145
(but it actually goes to a 'victim site'):
Victim sites: (do NOT go to these pages unless you have massive anti-everything on your PC):
(24 hours after I wrote this page, I ended up with another batch of them.)
(Another 24 hours later, it seems to be slowing.)
(One last batch, from a few days' worth of phishing.)
Hints about suspicious site links:
- Any site that does not have a domain name (so the link is http://#.#.#.#) should NOT be advertised; treat a link like that as suspect.
- Sites that have a tilde (~) after the first slash (/), e.g. home.somesite.com/~someshortname.
- This is a common trick to use a different, untracked folder on a server.
- Sites with directories that have nonsense names. A directory called "programs" or "cgi-bin" might be okay, but "0vnsa3"? The only reason for directories like that is to get site owners to think it's something "for the server", so they ignore the folder, if they ever see it at all.
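As an added example (not from the original post), here is a small Python checker that applies the tell-tale signs above to a link: a bare IP address instead of a domain name, a tilde after the first slash, nonsense directory names, and display text that points somewhere other than where the link really goes. The sample links are constructed; the nacha.org display text is the one quoted from the spam above, and the "victim site" URL is a made-up placeholder.

```python
import ipaddress
from urllib.parse import urlparse

# Directory names that are normal on a web server and should not be flagged.
KNOWN_OK_DIRS = {"programs", "cgi-bin", "images", "report", "wp-content"}


def looks_like_nonsense(name):
    """Heuristic for names like '0vnsa3': letters mixed with digits, or a
    longer run of letters with no vowels at all."""
    if len(name) < 5 or name.lower() in KNOWN_OK_DIRS:
        return False
    has_digit = any(ch.isdigit() for ch in name)
    has_alpha = any(ch.isalpha() for ch in name)
    vowels = sum(ch in "aeiou" for ch in name.lower())
    return has_alpha and (has_digit or vowels == 0)


def suspicious_signs(href, displayed=None):
    """Return the list of tell-tale signs that apply to a link.
    href is where the link really goes; displayed is the address text the
    email shows (if any)."""
    signs = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    try:
        ipaddress.ip_address(host)  # raises ValueError for a domain name
        signs.append("bare IP address instead of a domain name")
    except ValueError:
        pass
    parts = [p for p in parsed.path.split("/") if p]
    if parts and parts[0].startswith("~"):
        signs.append("tilde user folder right after the first slash")
    for part in parts[:-1]:  # directories only, not the final file name
        if looks_like_nonsense(part):
            signs.append(f"nonsense directory name '{part}'")
    if displayed:
        shown_host = urlparse(displayed).hostname or ""
        if shown_host and shown_host != host:
            signs.append(f"displayed as {shown_host} but goes to {host}")
    return signs


# Constructed sample: the displayed text is from the spam quoted above; the
# real target is a placeholder in the 203.0.113.0/24 documentation range.
SAMPLE_HREF = "http://203.0.113.7/~webx/0vnsa3/login.php"
SAMPLE_DISPLAYED = "http://nacha.org/report/48969656/detailis.php?n=2145"

if __name__ == "__main__":
    for sign in suspicious_signs(SAMPLE_HREF, SAMPLE_DISPLAYED):
        print("-", sign)
```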
So, I'll add to this list as time permits. If you know someone who owns one of these domains, let them know their site has been hacked and that links to the hacked area are being spammed. I got about 75 notes using these sites in the last 24 hours or so.
For the most part, site-scanner can find most of this stuff, and cleanup can remove it.