06-27-2017: "Amazon.com – Your Cancellation" Spam Leads to Scareware & Weight Loss Scam

Source: Email spam
Date:  June 27, 2017
Subject: Amazon.com – Your Cancellation 173-222723-2163799 (ref. **)
From: “order-update@amazon[.]com” (ref. *)

Goal: Review the email infection/redirection chain leading to scareware on IE
Background: Previously, the same campaign led to the weight loss spam.
Tools: Fiddler, any JS debugger

The obfuscated redirection chain to the scareware/weight loss spam is as follows:

  1. “Amazon.com – Your Cancellation” email href link
  2. hxxp://www[.]cuinavo[.]com/maritime[.]php
  3. hxxp://bestdiet[.]world/?a=401336&c=cpcdiet&s=4220620174
  4. hxxp://moneybetinc[.]com/d/r6t0b27039?rtb=c2da1390dbacd52002e62d397bb5e4f7[.]0&h=0[.]23&rtc=101890_697e696c2343d7da35a0871e91b02e37_ef9aeab99e7822b8f14ddb4f4fa8bd2f1498533889[.]1375_175&subid=NDAxMzM2LU5ESXlNRFl5TURFM05BPT0%3D
  5. hxxp://blobar[.]org/d/r6t0b27039?k=25a6755c0c62719e2d64bcb003637769[.]1498533321[.]628[.]1&rtb=c2da1390dbacd52002e62d397bb5e4f7[.]0&h=0[.]23&rtc=101890_697e696c2343d7da35a0871e91b02e37_ef9aeab99e7822b8f14ddb4f4fa8bd2f1498533889[.]1375_175&subid=NDAxMzM2LU5ESXlNRFl5TURFM05BPT0%3D&r=&z=240

Scareware I:

hxxp://sjoiadiiwdj32892378310[.]xyz/errorinwindowsfound404errorvirus

Scareware II:

hxxp://www[.]microsoft-user-alert[.]xyz/microsoft-alert-call-for-support-1-855-633-1666

Scareware III:

hxxp://errorsporttollfree9[.]xyz/microsoftAlert

Weight loss scam IV:

hxxp://bestdiet[.]world/us/xxrr/cla-safflower-oil/?bhu=8mcwpko8zespkyV8J8QiBqm51VGT46J9C
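The subid parameter that steps 4 and 5 of the chain carry is URL-encoded base64; decoding it shows that it packs the a= (affiliate) and s= values from the step 2 bestdiet URL, which lets an analyst tie the scareware hops back to the same affiliate tracking. The Python below is an added example, not code from the original post; it embeds the two URLs from the chain with the defanging brackets removed and fetches nothing.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed from steps 2 and 4 of the chain above, with the defanging brackets
# removed so urllib can parse them. Nothing is fetched; this runs offline.
STEP2_URL = "http://bestdiet.world/?a=401336&c=cpcdiet&s=4220620174"
STEP4_URL = (
    "http://moneybetinc.com/d/r6t0b27039"
    "?rtb=c2da1390dbacd52002e62d397bb5e4f7.0&h=0.23"
    "&rtc=101890_697e696c2343d7da35a0871e91b02e37_"
    "ef9aeab99e7822b8f14ddb4f4fa8bd2f1498533889.1375_175"
    "&subid=NDAxMzM2LU5ESXlNRFl5TURFM05BPT0%3D"
)


def query_params(url):
    """Query string of a URL as a dict of single values (parse_qs URL-decodes %3D)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def decode_subid(subid):
    """Peel the two base64 layers of subid: outer -> 'affiliate-<base64 tracking id>'."""
    outer = base64.b64decode(subid, validate=True).decode("ascii")
    affiliate, inner = outer.split("-", 1)
    tracking = base64.b64decode(inner, validate=True).decode("ascii")
    return affiliate, tracking


def subid_matches_upstream(upstream_url, downstream_url):
    """True when the downstream subid encodes the upstream a= and s= values."""
    up = query_params(upstream_url)
    affiliate, tracking = decode_subid(query_params(downstream_url)["subid"])
    return affiliate == up.get("a") and tracking == up.get("s")


if __name__ == "__main__":
    aff, trk = decode_subid(query_params(STEP4_URL)["subid"])
    print(f"subid -> affiliate={aff} tracking={trk}")
    print("matches step 2:", subid_matches_upstream(STEP2_URL, STEP4_URL))
```

The same subid value appears on the step 5 blobar URL, so the check applies to that hop unchanged.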

Analysis:

I. The “Amazon.com – Your Cancellation” email href link leads to the following website:
  • hxxp://www[.]cuinavo[.]com/maritime[.]php

II. Retrieve the page source via curl > code.html and paste the JavaScript function into the JS debugger.
Comment out setTimeout, add an “alert” in the function schoole(), and observe the next redirect to the following website:
  • hxxp://bestdiet[.]world/?a=401336&c=cpcdiet&s=4220620174

III. Launch Fiddler and track the redirection chain to the scareware.

Run 1:
Run 2:
Run 3:

IV. Observe the landing page leading to the scareware popup.

Run 1:
Run 2:
Run 3:

Malicious domain blocklist:
  1. hxxp://www[.]cuinavo[.]com/maritime[.]php
  2. hxxp://bestdiet[.]world/?a=401336&c=cpcdiet&s=4220620174
  3. hxxp://moneybetinc[.]com/d/r6t0b27039?rtb=c2da1390dbacd52002e62d397bb5e4f7[.]0&h=0[.]23&rtc=101890_697e696c2343d7da35a0871e91b02e37_ef9aeab99e7822b8f14ddb4f4fa8bd2f1498533889[.]1375_175&subid=NDAxMzM2LU5ESXlNRFl5TURFM05BPT0%3D
  4. hxxp://blobar[.]org/d/r6t0b27039?k=25a6755c0c62719e2d64bcb003637769[.]1498533321[.]628[.]1&rtb=c2da1390dbacd52002e62d397bb5e4f7[.]0&h=0[.]23&rtc=101890_697e696c2343d7da35a0871e91b02e37_ef9aeab99e7822b8f14ddb4f4fa8bd2f1498533889[.]1375_175&subid=NDAxMzM2LU5ESXlNRFl5TURFM05BPT0%3D&r=&z=240

Scareware I:

hxxp://sjoiadiiwdj32892378310[.]xyz/errorinwindowsfound404errorvirus

Scareware II:

hxxp://www[.]microsoft-user-alert[.]xyz/microsoft-alert-call-for-support-1-855-633-1666

Scareware III:

hxxp://errorsporttollfree9[.]xyz/microsoftAlert

Weight loss scam IV:

hxxp://bestdiet[.]world/us/xxrr/cla-safflower-oil/?bhu=8mcwpko8zespkyV8J8QiBqm51VGT46J9C

Spam originating IP*

180[.]250[.]153[.]197 (DomainTools)

inetnum:        180.250.128.0 - 180.250.159.255
netname:        TLKM_D3D4_ASTINET_180_CUSTOMER
country:        ID
descr:          PT TELKOM INDONESIA
descr:          Menara Multimedia Lt. 7
descr:          Jl. Kebonsirih No.12
descr:          JAKARTA
admin-c:        AR165-AP
tech-c:         HM444-AP
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-TELKOMNET


Email headers (defanged)**:

Authentication-Results: spf=softfail (sender IP is 180[.]250[.]153[.]197)
 smtp.mailfrom=unitedwaylane.org; hotmail.com; dkim=none (message not signed)
 header.d=none;hotmail.com; dmarc=fail action=quarantine
 header.from=amazon[.]com;
Received-SPF: SoftFail (protection[.]outlook[.]com: domain of transitioning
 unitedwaylane.org discourages use of 180[.]250[.]153[.]197 as permitted sender)
X-IncomingTopHeaderMarker: OriginalChecksum:62325BB6EE949A25F7137383F5223FB0274314903C8331F43DBB3A9AC69D1140;UpperCasedChecksum:ECDCBA2E3C784D1951EFC14295EED9DC8207A5280F4C245C1B79829DBCE4E91C;SizeAsReceived:1087;Count:19
Received: from localhost ([180[.]250[.]153[.]197]) by BAY004-MC1F55.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
 Mon, 26 Jun 2017 02:27:36 -0700
Bristled-Offensively-Uncomputable: premise
Chaotic-Elevators: 891b729f1edbb
Content-Type: text/html; charset="UTF-8"
From: "order-update@amazon.com"
Content-Transfer-Encoding: 7bit
Bound-Documentaries-Lavishly: 2aaba5abff87f
To: REDACTED
X-AMAZON-MAIL-RELAY-TYPE: notification
Reply-To: "order-update@amazon[.]com"
Bounces-to: a7d24f875448b4c4b5ec283256a1543af0625eaaa589@bounces.amazon.com
Taxonomy-Whitman-Friedrich: 558617B1251C
Message-ID:
Date: Mon, 26 Jun 2017 16:27:36 +0000
X-AMAZON-RTE-VERSION: 2.0
Subject: Amazon.com – Your Cancellation 173-222723-2163799
Return-Path: dbaker@unitedwaylane[.]org
X-OriginalArrivalTime: 26 Jun 2017 09:27:36.0439 (UTC) FILETIME=[729CF070:01D2EE5E]
X-IncomingHeaderCount: 19
X-MS-Exchange-Organization-Network-Message-Id: 089e0edc-2b1d-4a1e-8f14-08d4bc75957e
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
CMM-sender-ip: 180[.]250[.]153[.]197
CMM-sending-ip: 180[.]250[.]153[.]197
CMM-Authentication-Results: hotmail.com; spf=softfail (sender IP is
 180[.]250[.]153[.]197; identity alignment result is fail and alignment mode is
 relaxed) smtp.mailfrom=dbaker@unitedwaylane[.]org; dkim=none (identity
 alignment result is pass and alignment mode is relaxed) header.d=amazon.com;
 x-hmca=none header.id=order-update@amazon.com
CMM-X-SID-PRA: order-update@amazon.com
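The headers above show the whole spoof in three lines: spf=softfail, dkim=none and dmarc=fail with action=quarantine, while the From header is only a quoted display name reading like an amazon.com address and the real envelope sender (Return-Path, smtp.mailfrom) is unitedwaylane.org. The Python below is an added example, not code from the original post; it runs over a trimmed, constructed copy of those headers and reproduces that verdict by parsing Authentication-Results and comparing the envelope and From domains.

```python
import re
from email import message_from_string

# Constructed sample: a trimmed copy of the headers quoted above, with the
# defanging brackets removed so the values parse. Nothing is sent or fetched.
SAMPLE = """\
Authentication-Results: spf=softfail (sender IP is 180.250.153.197)
 smtp.mailfrom=unitedwaylane.org; hotmail.com; dkim=none (message not signed)
 header.d=none;hotmail.com; dmarc=fail action=quarantine
 header.from=amazon.com;
From: "order-update@amazon.com"
Return-Path: dbaker@unitedwaylane.org
Subject: Amazon.com - Your Cancellation 173-222723-2163799

(body omitted)
"""

AUTH_KEYS = ("spf", "dkim", "dmarc", "smtp.mailfrom", "header.from")


def parse_auth_results(value):
    """Extract method verdicts and identities from an Authentication-Results value."""
    flat = re.sub(r"\s+", " ", value)  # unfold continuation lines
    found = {}
    for key in AUTH_KEYS:
        m = re.search(r"\b" + re.escape(key) + r"=([^\s;()]+)", flat)
        if m:
            found[key] = m.group(1).lower()
    return found


def domain_of(header_value):
    """Domain after '@', even when the header only carries a quoted display name."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else None


def assess(raw):
    """Flag the message when any auth method is not 'pass' or envelope and From domains differ."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    reasons = [f"{k}={auth.get(k, 'missing')}" for k in ("spf", "dkim", "dmarc")
               if auth.get(k) != "pass"]
    if from_dom and env_dom and from_dom != env_dom:
        reasons.append(f"envelope {env_dom} != From {from_dom}")
    return {"from_domain": from_dom, "envelope_domain": env_dom,
            "auth": auth, "reasons": reasons, "quarantine": bool(reasons)}
```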
