Noticed some interesting traffic following the below:
hxxp://qobac.cobor.in/pofrj4l/2 > Fiesta Gate
When observing the landing there is no rtu.php file present > http://pastebin.com/n6dYSHY4
The xap (silverlight) file is downloaded, when you pop it into a tool like ILspy, it’s quite clear what is happening.
The rtu.php file simply redirects to fiesta…