06-18-2017: "Thank you for confirming receipt" Weight Loss Spam Campaign

Date: June 18, 2017
Source: Email Spam
Previous campaign by the same spammer (June 9, 2017: “Amazon Order Cancelled”):

http://www.vkremez.com/2017/06/amazon-order-cancelled-weight-loss-spam.html

From: Angela Moore Support
Subject: Thank you for confirming receipt
Here is the full spam chain:

  • First email href redirect: hxxp://www[.]royalgemsandarts[.]com/neutrality[.]php
  • Obfuscated href JS redirect: hxxp://loss5weight-fast[.]world/?a=417768&c=cpcdiet&s=good_live
  • Third-layer PHP redirect: hxxp://loss5weight-fast[.]world/int/eqyy/forskolin/?bhu=Q8aE9FQfMfJZxJHHuGyxUz7qZ4Xcny
  • Final landing page: hxxps://premium-forskolin-extract[.]com/forskolin_int/?click_id=06_85469609_32230874-37af-4605-94f7-a96bba399453&subid1=326675&netid=3&ver=old&ad=1kgC

I. Original email spam:

Email headers:

Authentication-Results: spf=none (sender IP is 62[.]176[.]169[.]100) smtp.mailfrom=innovationcorp.net; hotmail.com; dkim=none (message not signed) header.d=none;hotmail.com; dmarc=none action=none header.from=innovationcorp.net;
Received-SPF: None (protection.outlook.com: innovationcorp.net does not designate permitted sender hosts)
Received: from BAY004-MC5F14.hotmail.com by SN1NAM01FT010.mail.protection.outlook.com with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.1157.12 via Frontend Transport; Sat, 17 Jun 2017 13:59:14 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:C4EC5D1CED9159B632F69622160D2CDB0826E69A1A0A6B56396F57CA34D8B853;UpperCasedChecksum:E0D5D0F87E9B7555077E317749ABDABF68C51B317B0F4B4B52E7CC6CB90E0999;SizeAsReceived:704;Count:13
Received: from raider.solvere.sk ([62[.]176[.]169[.]100]) by BAY004-MC5F14.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143); Sat, 17 Jun 2017 06:59:13 -0700
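The headers above already carry the triage signals a mail filter or analyst looks for: SPF, DKIM and DMARC all report `none`, and the first external hop (`raider.solvere.sk`) has nothing to do with the claimed sender domain. The following script, an added example that is not part of the original post, pulls those fields out of the sample headers (copied from the message above, IP kept defanged) and flags them; the header layout it assumes is one header per line.

```python
import re

# Constructed sample: the Authentication-Results and Received headers of the
# analysed message, one header per line (values unchanged, IP left defanged).
SAMPLE_HEADERS = """\
Authentication-Results: spf=none (sender IP is 62[.]176[.]169[.]100) smtp.mailfrom=innovationcorp.net; hotmail.com; dkim=none (message not signed) header.d=none;hotmail.com; dmarc=none action=none header.from=innovationcorp.net;
Received-SPF: None (protection.outlook.com: innovationcorp.net does not designate permitted sender hosts)
Received: from raider.solvere.sk ([62[.]176[.]169[.]100]) by BAY004-MC5F14.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143); Sat, 17 Jun 2017 06:59:13 -0700
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
# Accepts both plain and defanged ("[.]") dotted quads.
IP_RE = re.compile(r"sender IP is ((?:\d{1,3}\[?\.\]?){3}\d{1,3})")
RECEIVED_RE = re.compile(r"^Received: from (\S+) \(\[(.*?)\]\) by (\S+)", re.M)
FROM_DOMAIN_RE = re.compile(r"header\.from=([\w.-]+)")


def refang(value: str) -> str:
    return value.replace("[.]", ".")


def parse_auth_results(headers: str) -> dict:
    """Per-mechanism results (spf/dkim/dmarc) plus the sender IP the receiver saw."""
    auth_line = next((l for l in headers.splitlines()
                      if l.lower().startswith("authentication-results:")), "")
    results = dict(AUTH_RE.findall(auth_line))
    ip = IP_RE.search(auth_line)
    results["sender_ip"] = refang(ip.group(1)) if ip else None
    return results


def first_external_hop(headers: str):
    """HELO name, IP and receiving MTA from the earliest (bottom-most) Received header."""
    hops = RECEIVED_RE.findall(headers)
    if not hops:
        return None
    helo, ip, by = hops[-1]
    return {"helo": helo, "ip": refang(ip), "by": by}


def triage(headers: str) -> dict:
    """Collect findings: any auth mechanism not passing, and a HELO/From domain mismatch."""
    auth, hop = parse_auth_results(headers), first_external_hop(headers)
    findings = [f"{m}={auth.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc")
                if auth.get(m) != "pass"]
    from_domain = FROM_DOMAIN_RE.search(headers)
    if hop and from_domain and not hop["helo"].endswith(from_domain.group(1)):
        findings.append(f"HELO {hop['helo']} does not match header.from {from_domain.group(1)}")
    return {"auth": auth, "hop": hop, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for line in triage(SAMPLE_HEADERS)["findings"]:
        print("finding:", line)
```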

II. Review the PHP page behind the link href via the curl command:

curl hxxp://www[.]royalgemsandarts[.]com/neutrality[.]php

III. The JavaScript function resolves to

hxxp://loss5weight-fast[.]world/?a=417768&c=cpcdiet&s=good_live

which can be viewed by simply printing the value to the screen with the alert() JavaScript function.

IV. Encoded JavaScript href() redirect from

hxxp://loss5weight-fast[.]world/?a=417768&c=cpcdiet&s=good_live ->

hxxp://loss5weight-fast[.]world/us/xxrr/cla-safflower-oil/bhu=Q8aEvU5pCPVc8KBpNcbWBXvbBotjvr

V. The redirect finally lands on the “CLA Safflower Oil” weight loss product page ->

hxxps://cla-extr[.]com/?click_id=06_85042356_6b816138-2c39-4493-9eab-aff53ec51810&subid1=313491&netid=3&ver=old&ad=1kgC
