In my last post http://security5magics.blogspot.com/2015/12/an-obvious-e-mail-scam-lets-see-where.html
I ran through a quick analysis of a very prominent e-mail scam used today. The scam uses a link which has a PHP file holding a piece of java script at the end. The java script is a redirect to another site, usually a fake pharmacy site.
I felt showing a quick decoding of what the java script does, the following code is very similar to the code from my first post, but is from a different spam e-mail I received today, which leads to a different site. Check it out.
script type="text/javascript"
function suddenlye() {
suddenlya = 5;
suddenlyb = [124, 110, 115, 105, 116, 124, 51, 121, 116, 117, 51, 113, 116, 104, 102, 121, 110, 116, 115, 51, 109, 119, 106, 107, 66, 44, 109, 121, 121, 117, 63, 52, 52, 120, 114, 102, 119, 121, 117, 110, 113, 113, 120, 123, 102, 113, 122, 106, 51, 119, 122, 44, 64];
suddenlyc = "";
for (suddenlyd = 0; suddenlyd < suddenlyb.length; suddenlyd++) {
suddenlyc += String.fromCharCode(suddenlyb[suddenlyd] - suddenlya);
}
return suddenlyc;
setTimeout(suddenlye(), 1239);
/script
I used the following site for a quick reference of character codes, since this is what is being used to "encode" the redirect action.
http://stevehardie.com/2009/09/character-code-list-char-code/
So, it's really simple actually, each character code in variable suddenlyb is then subtracted by variable suddenlya to return the string value of what the code does. Since suddenlya is defined as 5, we simply just subtract each character code in suddenlyb by 5 and then match it to ASCII for our redirect, which happens to be the following.
window.top.location.href='http://smartpillsvalue.ru'=
UPDATE:
I just wanted to post a quick FYI, the code in this scam has different variable names and a different fixed value from which to subtract the char codes from in order to create the redirect. We can quickly find out where the redirect is going by changing the line "return variablenamec;" to "window.alert(variablenamec);"
Comments
Post a Comment