This makes sense because the original URL looked like it wasThe obfuscation is to hide its spamminess not its maliciousness.
constructed probably so that it could be easily changed to appear
unique to the AOL spam filters (the hacked address was an AOL address).
The original address ended with PHP, so, my guess is that it was
a script, that pointed the user to the final destination (which
was the coffee-bean web page).
I have to tend to agree (for the most part) with you, becauseThe VT results are worthless...
the virustotal scanner said the initial URL was clean; but, if
we went to the trouble of actually *visiting* the initial URL,
it redirects us to the secondary url, which virustotal finds
has 4 malware red flags.
So, VT "worked" but only *after* I was forced to visit the site
(Yes, I know BD visited it for me - but - really - shouldn't
the VT scanner have been more intelligent (and not give a false
I'll try those other two sites now, and report back.