Source: Email spam
Date: June 27, 2017
Subject: Amazon.com – Your Cancellation 173-222723-2163799 (ref. **)
From: "order-update@amazon[.]com" (ref. *)
Goal: Review the email infection/redirection chain leading to scareware on IE
Background: Previously, the same campaign led to the weight loss spam.
Tools: Fiddler, any JS debugger
The obfuscated redirection chain to scareware/weight loss spam is as follows:
- “Amazon.com – Your Cancellation” email href link
- hxxp://www[.]cuinavo[.]com/maritime[.]php
- hxxp://bestdiet[.]world/?a=401336&c=cpcdiet&s=4220620174
- hxxp://moneybetinc[.]com/d/r6t0b27039?rtb=c2da1390dbacd52002e62d397bb5e4f7[.]0&h=0[.]23&rtc=101890_697e696c2343d7da35a0871e91b02e37_ef9aeab99e7822b8f14ddb4f4fa8bd2f1498533889[.]1375_175&subid=NDAxMzM2LU5ESXlNRFl5TURFM05BPT0%3D
- hxxp://blobar[.]org/d/r6t0b27039?k=25a6755c0c62719e2d64bcb003637769[.]1498533321[.]628[.]1&rtb=c2da1390dbacd52002e62d397bb5e4f7[.]0&h=0[.]23&rtc=101890_697e696c2343d7da35a0871e91b02e37_ef9aeab99e7822b8f14ddb4f4fa8bd2f1498533889[.]1375_175&subid=NDAxMzM2LU5ESXlNRFl5TURFM05BPT0%3D&r=&z=240
Scareware I:
- hxxp://sjoiadiiwdj32892378310[.]xyz/errorinwindowsfound404errorvirus
- hxxp://www[.]microsoft-user-alert[.]xyz/microsoft-alert-call-for-support-1-855-633-1666
Scareware III:
- hxxp://errorsporttollfree9[.]xyz/microsoftAlert
- hxxp://bestdiet[.]world/us/xxrr/cla-safflower-oil/?bhu=8mcwpko8zespkyV8J8QiBqm51VGT46J9C
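As an added example (not part of the original writeup), a small Python helper that refangs the first three hops above, extracts the hostnames for a blocklist, and decodes the subid tracking parameter on the moneybetinc[.]com hop: it is URL-encoded base64 wrapping a second base64 value, and the two decoded numbers are the a= and s= affiliate parameters of the bestdiet[.]world hop, which ties the later hops to the same affiliate account. Nothing is fetched; the chain is embedded as constructed input.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The first three hops of the chain above, still defanged (constructed input for this example).
CHAIN = [
    "hxxp://www[.]cuinavo[.]com/maritime[.]php",
    "hxxp://bestdiet[.]world/?a=401336&c=cpcdiet&s=4220620174",
    "hxxp://moneybetinc[.]com/d/r6t0b27039?rtb=c2da1390dbacd52002e62d397bb5e4f7[.]0&h=0[.]23"
    "&rtc=101890_697e696c2343d7da35a0871e91b02e37_ef9aeab99e7822b8f14ddb4f4fa8bd2f1498533889[.]1375_175"
    "&subid=NDAxMzM2LU5ESXlNRFl5TURFM05BPT0%3D",
]

def refang(url):
    """Turn the hxxp:// and [.] notation back into a URL that urlsplit can parse (nothing is fetched)."""
    return re.sub(r"^hxxp", "http", url).replace("[.]", ".")

def blocklist_hosts(chain):
    """Distinct hostnames in hop order, the form a DNS or proxy blocklist wants."""
    seen = []
    for url in chain:
        host = urlsplit(refang(url)).hostname
        if host not in seen:
            seen.append(host)
    return seen

def decode_subid(subid):
    """subid is URL-encoded base64 of '<affiliate>-<base64 campaign id>'; returns both decoded values."""
    outer = base64.b64decode(unquote(subid)).decode()
    affiliate, _, inner = outer.partition("-")
    return affiliate, base64.b64decode(inner).decode()

def subid_matches_affiliate(chain):
    """True when the subid on the moneybetinc hop carries the a= and s= values of the bestdiet hop."""
    queries = [parse_qs(urlsplit(refang(url)).query) for url in chain]
    a, s = queries[1]["a"][0], queries[1]["s"][0]
    return decode_subid(queries[2]["subid"][0]) == (a, s)

if __name__ == "__main__":
    print(blocklist_hosts(CHAIN))                               # ['www.cuinavo.com', 'bestdiet.world', 'moneybetinc.com']
    print(decode_subid("NDAxMzM2LU5ESXlNRFl5TURFM05BPT0%3D"))  # ('401336', '4220620174')
    print(subid_matches_affiliate(CHAIN))                      # True
```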
inetnum: 180.250.128.0 – 180.250.159.255
netname: TLKM_D3D4_ASTINET_180_CUSTOMER
country: ID
descr: PT TELKOM INDONESIA
descr: Menara Multimedia Lt. 7
descr: Jl. Kebonsirih No.12
descr: JAKARTA
admin-c: AR165-AP
tech-c: HM444-AP
status: ASSIGNED NON-PORTABLE
mnt-by: MAINT-TELKOMNET
Authentication-Results: spf=softfail (sender IP is 180[.]250[.]153[.]197)
smtp.mailfrom=unitedwaylane.org; hotmail.com; dkim=none (message not signed)
header.d=none;hotmail.com; dmarc=fail action=quarantine
header.from=amazon[.]com;
Received-SPF: SoftFail (protection[.]outlook[.]com: domain of transitioning
unitedwaylane.org discourages use of 180[.]250[.]153[.]197 as permitted sender)
X-IncomingTopHeaderMarker: OriginalChecksum:62325BB6EE949A25F7137383F5223FB0274314903C8331F43DBB3A9AC69D1140;UpperCasedChecksum:ECDCBA2E3C784D1951EFC14295EED9DC8207A5280F4C245C1B79829DBCE4E91C;SizeAsReceived:1087;Count:19
Received: from localhost ([180[.]250[.]153[.]197]) by BAY004-MC1F55.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
Mon, 26 Jun 2017 02:27:36 -0700
Bristled-Offensively-Uncomputable: premise
Chaotic-Elevators: 891b729f1edbb
Content-Type: text/html; charset="UTF-8"
From: "order-update@amazon.com"
Content-Transfer-Encoding: 7bit
Bound-Documentaries-Lavishly: 2aaba5abff87f
To: REDACTED
X-AMAZON-MAIL-RELAY-TYPE: notification
Reply-To: "order-update@amazon[.]com"
Bounces-to: a7d24f875448b4c4b5ec283256a1543af0625eaaa589@bounces.amazon.com
Taxonomy-Whitman-Friedrich: 558617B1251C
Message-ID:
Date: Mon, 26 Jun 2017 16:27:36 +0000
X-AMAZON-RTE-VERSION: 2.0
Subject: Amazon.com – Your Cancellation 173-222723-2163799
Return-Path: dbaker@unitedwaylane[.]org
X-OriginalArrivalTime: 26 Jun 2017 09:27:36.0439 (UTC) FILETIME=[729CF070:01D2EE5E]
X-IncomingHeaderCount: 19
X-MS-Exchange-Organization-Network-Message-Id: 089e0edc-2b1d-4a1e-8f14-08d4bc75957e
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
CMM-sender-ip: 180[.]250[.]153[.]197
CMM-sending-ip: 180[.]250[.]153[.]197
CMM-Authentication-Results: hotmail.com; spf=softfail (sender IP is
180[.]250[.]153[.]197; identity alignment result is fail and alignment mode is
relaxed) smtp.mailfrom=dbaker@unitedwaylane[.]org; dkim=none (identity
alignment result is pass and alignment mode is relaxed) header.d=amazon.com;
x-hmca=none header.id=order-update@amazon.com
CMM-X-SID-PRA: order-update@amazon.com
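To show what the receiver's verdict above rests on, here is an added Python check (not from the original post) that parses the Authentication-Results header and re-derives the DMARC outcome: the visible From domain is amazon.com, but SPF was evaluated for the envelope sender unitedwaylane.org and returned softfail, and the message carries no DKIM signature, so no authenticated identifier aligns with the From domain and the stated action is quarantine. The embedded headers are trimmed and refanged from those shown above; org_domain approximates the organizational domain as the last two labels (an assumption, the real check uses the public suffix list).

```python
import re
from email import message_from_string

# Headers trimmed and refanged from the message above (constructed input for this example).
RAW_HEADERS = """\
Authentication-Results: spf=softfail (sender IP is 180.250.153.197)
 smtp.mailfrom=unitedwaylane.org; hotmail.com; dkim=none (message not signed)
 header.d=none;hotmail.com; dmarc=fail action=quarantine
 header.from=amazon.com;
From: order-update@amazon.com
Return-Path: dbaker@unitedwaylane.org
Subject: Amazon.com - Your Cancellation 173-222723-2163799

"""

def parse_auth_results(value):
    """Map spf/dkim/dmarc to their result and property tags; parenthesised comments are discarded."""
    value = re.sub(r"\([^)]*\)", "", value)
    results = {}
    for clause in value.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(.*)", clause, re.S)
        if m:
            results[m.group(1)] = {"result": m.group(2), **dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))}
    return results

def org_domain(identifier):
    """Organizational domain for relaxed alignment, approximated as the last two labels (assumption)."""
    domain = identifier.rsplit("@", 1)[-1].strip("<> ").lower()
    return ".".join(domain.split(".")[-2:])

def dmarc_verdict(raw):
    """DMARC passes only if SPF or DKIM passes AND that identifier aligns with the From domain."""
    msg = message_from_string(raw)
    ar = parse_auth_results(msg["Authentication-Results"])
    from_dom = org_domain(msg["From"])
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and org_domain(spf.get("smtp.mailfrom", "")) == from_dom
    dkim_ok = dkim.get("result") == "pass" and org_domain(dkim.get("header.d", "")) == from_dom
    reasons = []
    if not spf_ok:
        reasons.append(f"spf={spf.get('result')} for {spf.get('smtp.mailfrom')}, From domain is {from_dom}")
    if not dkim_ok:
        reasons.append(f"dkim={dkim.get('result')}")
    if org_domain(msg["Return-Path"]) != from_dom:
        reasons.append(f"Return-Path domain {org_domain(msg['Return-Path'])} differs from From")
    if spf_ok or dkim_ok:
        return "deliver", reasons
    return ar.get("dmarc", {}).get("action", "none"), reasons
```

dmarc_verdict(RAW_HEADERS) returns "quarantine" together with the three mismatch reasons, matching the receiver's dmarc=fail action=quarantine.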
Domain Blocklist: all hosts in the redirection chain and scareware pages listed above.