Sunday, December 13, 2015

More in-depth analysis of email scam links

In my last post, http://security5magics.blogspot.com/2015/12/an-obvious-e-mail-scam-lets-see-where.html, I ran through a quick analysis of a very prominent e-mail scam used today. The scam uses a link to a PHP file that holds a piece of JavaScript at the end. The JavaScript is a redirect to another site, usually a fake pharmacy site.

I felt like showing a quick decoding of what the JavaScript does. The following code is very similar to the code from my first post, but is from a different spam e-mail I received today, which leads to a different site. Check it out.
<script type="text/javascript">
    function suddenlye() {
        suddenlya = 5;
        suddenlyb = [124, 110, 115, 105, 116, 124, 51, 121, 116, 117, 51, 113, 116, 104, 102, 121, 110, 116, 115, 51, 109, 119, 106, 107, 66, 44, 109, 121, 121, 117, 63, 52, 52, 120, 114, 102, 119, 121, 117, 110, 113, 113, 120, 123, 102, 113, 122, 106, 51, 119, 122, 44, 64];
        suddenlyc = "";
        for (suddenlyd = 0; suddenlyd < suddenlyb.length; suddenlyd++) {
            suddenlyc += String.fromCharCode(suddenlyb[suddenlyd] - suddenlya);
        }
        return suddenlyc;
    }
    setTimeout(suddenlye(), 1239);
</script>


I used the following site for a quick reference of character codes, since this is what is being used to "encode" the redirect action.

http://stevehardie.com/2009/09/character-code-list-char-code/

So, it's really simple actually: the value of variable suddenlya is subtracted from each character code in variable suddenlyb, and the resulting characters are joined into the string that the script runs. Since suddenlya is defined as 5, we simply subtract 5 from each character code in suddenlyb and then match the result to ASCII to get our redirect, which happens to be the following.

window.top.location.href='http://smartpillsvalue.ru';

UPDATE:

I just wanted to post a quick FYI: the code in this scam has different variable names and a different fixed value to subtract from the char codes in order to create the redirect. We can quickly find out where the redirect is going by changing the line "return variablenamec;" to "window.alert(variablenamec);"
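
The decoding described above can also be done without running the script at all. The following is an added example (not code from the original post) that parses the array and the offset out of the script text in Node.js, so it keeps working when the variable names and the fixed value change; `decodeRedirect` and `defang` are names made up for this example.

```javascript
// Added example: statically decode the char-code redirect. The sample is only
// parsed as text; nothing from it is evaluated.
// Constructed input: the script body from the post, held as a string.
const sample = `function suddenlye() {
    suddenlya = 5;
    suddenlyb = [124, 110, 115, 105, 116, 124, 51, 121, 116, 117, 51, 113, 116, 104, 102, 121, 110, 116, 115, 51, 109, 119, 106, 107, 66, 44, 109, 121, 121, 117, 63, 52, 52, 120, 114, 102, 119, 121, 117, 110, 113, 113, 120, 123, 102, 113, 122, 106, 51, 119, 122, 44, 64];
    suddenlyc = "";
    for (suddenlyd = 0; suddenlyd < suddenlyb.length; suddenlyd++) {
        suddenlyc += String.fromCharCode(suddenlyb[suddenlyd] - suddenlya);
    }
    return suddenlyc;
}
setTimeout(suddenlye(), 1239);`;

function decodeRedirect(scriptText) {
  // 1. Find the numeric array literal: name = [n, n, ...]
  const arr = scriptText.match(/(\w+)\s*=\s*\[\s*(\d+(?:\s*,\s*\d+)*)\s*\]/);
  if (!arr) return null;
  const codes = arr[2].split(',').map((s) => parseInt(s.trim(), 10));

  // 2. Find how it is consumed: fromCharCode(name[i] - offsetNameOrNumber)
  const use = scriptText.match(/fromCharCode\(\s*(\w+)\s*\[\s*\w+\s*\]\s*-\s*(\w+)\s*\)/);
  if (!use || use[1] !== arr[1]) return null;

  // 3. Resolve the offset: a literal number, or a variable assigned a number
  let offset;
  if (/^\d+$/.test(use[2])) {
    offset = parseInt(use[2], 10);
  } else {
    const off = scriptText.match(new RegExp('\\b' + use[2] + '\\s*=\\s*(\\d+)\\s*;'));
    if (!off) return null;
    offset = parseInt(off[1], 10);
  }

  // 4. Apply the same subtraction the script would, then pull out the URL
  const decoded = codes.map((c) => String.fromCharCode(c - offset)).join('');
  const url = decoded.match(/https?:\/\/[^'"\s;]+/);
  return { offset, decoded, url: url ? url[0] : null };
}

// Defang a URL so it can be pasted into notes or tickets without being clickable
function defang(url) {
  return url.replace(/^http/, 'hxxp').replace(/\./g, '[.]');
}

const result = decodeRedirect(sample);
console.log(result.decoded, '->', defang(result.url));
```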

Friday, December 11, 2015

An obvious e-mail scam, let's see where it takes us

I get a lot of spam in my e-mail accounts, as I'm sure everyone reading does. One campaign that is seen often is an attempt to trick the user into believing that they are getting a message from YouTube, Facebook, Skype or other major sites.

The messages are typically caught by spam filters, and often can be spotted as a fake by a simple glance. I felt I would share one today, just because I thought it would be fun to see where it takes me.

For analysis I use a spare laptop running Ubuntu as the host and have virtual machines running with Security Onion, SIFT and Windows 7 32-bit. For this particular exercise I used SIFT exclusively, and when finished I refresh my SIFT VM.

OK, enough of the boring stuff, here's the message I got in my Spam box:


Right away, notice that the subject doesn't exactly look reputable, and neither does the sender address in this case. The rest of the message is crafted very simply; the goal is only to get the user to click the "View mails" link. So where does this link take you? To answer this safely, simply place the cursor over the link; do not click.

What we see in the lower right corner of the browser is the true link, which is:

http://renatocasagrande[.]com/connie[.]php

The first thing I did with this link is post the URL up on VirusTotal, here is the link.

https://www.virustotal.com/en/url/35fbe44d6261f214bccc767401295bb77c4b00bf6ff9d63a72b745562d840f43/analysis/1449871312/

This is a good start, but now I want to extract the PHP file. To do this I run the following command:

curl http://renatocasagrande.com/connie.php >> connie.php

Looking at the php file in a text editor I can see the following:



Hmmm, interesting JavaScript at the end of this file.

Curious, what does this PHP file show in VirusTotal?

https://www.virustotal.com/en/file/3662a829b5a441bdaffdf91eea5d5e2d25ee331888778b2e69f63a62a1ca916b/analysis/1449875775/

Interesting, the scan of the URL returned one result as a malicious site, while the file by itself returns 4 results indicating some sort of JavaScript Redirect. Running the PHP through a sandbox reveals the following site as the redirect.

http://naturalpillmall[.]ru

https://www.virustotal.com/en/url/e9a7fdcbd0c15567baf5983bcfc8e2551e20ab0e58eba4643531c3fe7647c1bf/analysis/

Clearly not YouTube :)

One final closing note, I wanted to give credit to the following URL which outlines this scam quite well.

http://www.hotforsecurity.com/blog/fake-amazon-youtube-facebook-notifications-sell-viagra-8069.html