An obvious e-mail scam, let's see where it takes us

I get a lot of spam in my e-mail accounts, as I'm sure everyone reading does. One campaign that is seen often is an attempt to trick the user into believing that they are getting a message from YouTube, Facebook, Skype or other major sites.

The messages are typically caught by spam filters, and often can be spotted as a fake by a simple glance. I felt I would share one today, just because I thought it would be fun to see where it takes me.

For analysis I use a spare laptop running Ubuntu as the host and have virtual machines running Security Onion, SIFT and Windows 7 32-bit. For this particular exercise I used SIFT exclusively, and when finished I refresh my SIFT VM.

OK, enough of the boring stuff, here's the message I got in my Spam box:


Right away, notice that the subject doesn't exactly look reputable, and neither does the sender address in this case. The rest of the message is crafted very simply; the goal is only to get the user to click the "View mails" link. So where does this link take you? To answer this safely, simply place the cursor over the link, do not click.

What we see in the lower right corner of the browser is the true link, which is:

http://renatocasagrande[.]com/connie[.]php

The first thing I did with this link was submit the URL to VirusTotal; here is the link.

https://www.virustotal.com/en/url/35fbe44d6261f214bccc767401295bb77c4b00bf6ff9d63a72b745562d840f43/analysis/1449871312/

This is a good start, but now I want to extract the PHP file. To do this I run the following command:

curl http://renatocasagrande.com/connie.php >> connie.php

Looking at the php file in a text editor I can see the following:



Hmmm, interesting JavaScript at the end of this file.

Curious, what does this PHP file show in VirusTotal?

https://www.virustotal.com/en/file/3662a829b5a441bdaffdf91eea5d5e2d25ee331888778b2e69f63a62a1ca916b/analysis/1449875775/

Interesting: the scan of the URL returned one result flagging it as a malicious site, while the file by itself returns 4 results indicating some sort of JavaScript redirect. Running the PHP through a sandbox reveals the following site as the redirect:

http://naturalpillmall[.]ru

https://www.virustotal.com/en/url/e9a7fdcbd0c15567baf5983bcfc8e2551e20ab0e58eba4643531c3fe7647c1bf/analysis/

Clearly not YouTube :)
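The same redirect can be pulled out statically, without a sandbox or clicking anything. This is an added example and not code from the original post: it scans a fetched page body for meta-refresh and JavaScript location redirects and defangs the targets the way the post writes them. The sample page body below is constructed for the example (the real connie.php contents are not reproduced here), and the example-pharmacy.test host is a placeholder.

```python
import re
from typing import List
from urllib.parse import urlparse

# Constructed sample modelled on the post's description: a fetched landing page
# whose visible body is bland but whose tail carries a JavaScript redirect.
SAMPLE_PAGE = """<html><body>
<p>Loading your mails...</p>
<meta http-equiv="refresh" content="5; url=http://example-pharmacy.test/index.html">
<script>
  setTimeout(function(){ window.location = "http://naturalpillmall.ru/?ref=connie"; }, 100);
  document.location.href='http://naturalpillmall.ru/alt';
</script>
</body></html>"""

# <meta http-equiv="refresh" content="N; url=...">
META_REFRESH = re.compile(
    r"""<meta\s+http-equiv=["']?refresh["']?\s+content=["']\s*\d+\s*;\s*url=([^"'>\s]+)""",
    re.IGNORECASE,
)
# location = "...", location.href = '...', location.replace("..."), location.assign("...")
JS_REDIRECT = re.compile(
    r"""location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)


def extract_redirects(html: str) -> List[str]:
    """Return the unique redirect targets found in the page, meta refresh first."""
    found = [m.group(1) for m in META_REFRESH.finditer(html)]
    found += [m.group(1) for m in JS_REDIRECT.finditer(html)]
    unique: List[str] = []
    for url in found:
        if url not in unique:
            unique.append(url)
    return unique


def redirect_hosts(html: str) -> List[str]:
    """Sorted set of hosts the page would send a visitor to (handy for blocklists)."""
    hosts = {urlparse(u).netloc.lower() for u in extract_redirects(html)}
    return sorted(h for h in hosts if h)


def defang(url: str) -> str:
    """Make a URL unclickable the way the post writes it: dots in the host become [.]."""
    host = urlparse(url).netloc
    return url.replace(host, host.replace(".", "[.]"), 1) if host else url


if __name__ == "__main__":
    for target in extract_redirects(SAMPLE_PAGE):
        print(defang(target))
```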

One final closing note: I wanted to give credit to the following URL, which outlines this scam quite well.

http://www.hotforsecurity.com/blog/fake-amazon-youtube-facebook-notifications-sell-viagra-8069.html
