07-15-17: Fake "Gmail Notification" Leads to Scareware

Source: Email spam
Date:  July 15, 2017
Subject: Message notification
From: Gmail Notification

Goal: Review the email infection/redirection chain leading to scareware.
Background: The same campaign previously led to weight-loss and scareware spam via an Amazon theme.
Tools: Fiddler, any JS debugger


Here is the full spam chain:


  • First email href redirect:
    hxxp://cafevillan[.]com/steels[.]php

  • Obfuscated href JS redirect:
    hxxp://weight4losspremium[.]world/?a=401336&c=cpcdiet&s=51207175

  • Third-layer PHP redirect:
    hxxp://checktimenow[.]com/d/r6t0b27039?rtb=c2da1390dbacd52002e62d397bb5e4f7.0&h=1.23&rtc=85474_ae3e8edaee4e456bfc314eda161e6629_1d496eab7185b1313998aa2f2f47a6301500262006.8435_100&subid=NDAxMzM2LU5URXlNRGN4TnpVPQ%3D%3D

  • Fourth-layer PHP redirect:
    hxxp://blobar[.]org/d/r6t0b27039?k=cb4771fda26bfb56027d6ae4c757eaf6.1500261371.850.1&rtb=c2da1390dbacd52002e62d397bb5e4f7.0&h=1.23&rtc=85474_ae3e8edaee4e456bfc314eda161e6629_1d496eab7185b1313998aa2f2f47a6301500262006.8435_100&subid=NDAxMzM2LU5URXlNRGN4TnpVPQ%3D%3D&r=&z=240

  • Final landing page:
    hxxp://www[.]micro-soft-alert[.]cf/call-microsoft-support-at-1-855-633-1666

    Analysis:

    I. “Gmail – Message notification” email href link leads to the following website:
    • hxxp://cafevillan[.]com/steels[.]php

    II. Retrieve the page with `curl > code.html` and paste the JavaScript function into the JS debugger.
    Comment out setTimeout, add an alert() inside the function shorte(), and observe the next redirect to the following website:
    • hxxp://weight4losspremium[.]world/?a=401336&c=cpcdiet&s=51207175

    III. Launch Fiddler and track the redirection chain to the scareware landing page:
    • hxxp://www[.]micro-soft-alert[.]cf/call-microsoft-support-at-1-855-633-1666

    *Message source:
    Authentication-Results: spf=fail (sender IP is 89[.]30.155.66)
     smtp.mailfrom=faxaway[.]com; hotmail.com; dkim=none (message not signed)
     header.d=none;hotmail.com; dmarc=none action=none header.from=faxaway.com;
    Received-SPF: Fail (protection.outlook.com: domain of faxaway.com does not
     designate 89[.]30.155.66 as permitted sender) receiver=protection.outlook.com;
     client-ip=89[.]30.155.66; helo= web01.multiserve.nl;
    Received: from web01[.]multiserve.nl ([89[.]30.155.66]) by BAY004-MC5F15.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
     Fri, 14 Jul 2017 21:21:48 -0700
    From: Gmail Notification
    Date: Sat, 15 Jul 2017 06:21:49 +0000
    Content-Transfer-Encoding: 7bit
    Message-ID:
    Firearms-Christianizer-Shard: 1f161d59242f7a
    To: REDACTED*
    Content-Type: text/html; charset="UTF-8"
    Subject: Message notification
    Return-Path: colluney@faxaway[.]com
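The message source above already tells the story (SPF fail, no DKIM, a "Gmail Notification" display name over a faxaway[.]com return path, and a nonsense header name). As an added example that is not part of the post, the script below automates that reading: it unfolds the headers, pulls the SPF/DKIM/DMARC verdicts out of Authentication-Results, and flags the mismatches. The sample input is the post's own message source with continuation lines indented as in a raw header block, IPs kept defanged as the post prints them, and the blank Message-ID line omitted; the set of "expected" header names is this example's assumption.

```javascript
// Added example, not the post's code: triage a raw header block for the
// authentication failures and oddities that mark a spoofed notification.

// Sample input taken from the post's message source (defanged as printed there).
const SAMPLE_HEADERS = [
  "Authentication-Results: spf=fail (sender IP is 89[.]30.155.66)",
  " smtp.mailfrom=faxaway[.]com; hotmail.com; dkim=none (message not signed)",
  " header.d=none;hotmail.com; dmarc=none action=none header.from=faxaway.com;",
  "Received-SPF: Fail (protection.outlook.com: domain of faxaway.com does not",
  " designate 89[.]30.155.66 as permitted sender) receiver=protection.outlook.com;",
  " client-ip=89[.]30.155.66; helo= web01.multiserve.nl;",
  "Received: from web01[.]multiserve.nl ([89[.]30.155.66]) by BAY004-MC5F15.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);",
  " Fri, 14 Jul 2017 21:21:48 -0700",
  "From: Gmail Notification",
  "Date: Sat, 15 Jul 2017 06:21:49 +0000",
  "Content-Transfer-Encoding: 7bit",
  "Firearms-Christianizer-Shard: 1f161d59242f7a",
  "To: REDACTED",
  'Content-Type: text/html; charset="UTF-8"',
  "Subject: Message notification",
  "Return-Path: colluney@faxaway[.]com",
].join("\n");

// Join folded continuation lines (leading whitespace) and split name/value.
function unfoldHeaders(raw) {
  const lines = [];
  for (const line of raw.split(/\r?\n/)) {
    if (!line.trim()) continue;
    if (/^[ \t]/.test(line) && lines.length) {
      lines[lines.length - 1] += " " + line.trim();
    } else {
      lines.push(line);
    }
  }
  return lines.map((h) => {
    const i = h.indexOf(":");
    return { name: h.slice(0, i).trim().toLowerCase(), value: h.slice(i + 1).trim() };
  });
}

// Assumed baseline of header names; anything else (other than X- headers) is
// reported, since random header names are common in spam templates.
const EXPECTED_HEADERS = new Set([
  "received", "from", "to", "cc", "date", "subject", "return-path", "message-id",
  "mime-version", "content-type", "content-transfer-encoding", "reply-to",
  "authentication-results", "received-spf", "dkim-signature", "list-unsubscribe",
]);

function triageHeaders(raw) {
  const headers = unfoldHeaders(raw);
  const get = (name) => (headers.find((h) => h.name === name) || {}).value || "";
  const result = { spf: null, dkim: null, dmarc: null, clientIp: null, returnPathDomain: null, flags: [] };

  // Verdicts as recorded by the receiving MTA.
  for (const m of get("authentication-results").matchAll(/\b(spf|dkim|dmarc)=(\w+)/g)) {
    result[m[1]] = m[2].toLowerCase();
  }
  const ip = get("received-spf").match(/client-ip=([^;\s]+)/);
  if (ip) result.clientIp = ip[1];
  const rp = get("return-path").match(/@([^>\s]+)/);
  if (rp) result.returnPathDomain = rp[1];

  if (result.spf === "fail") result.flags.push("spf-fail");
  if (result.dkim !== "pass") result.flags.push("dkim-not-passing");
  if (result.dmarc !== "pass") result.flags.push("dmarc-not-passing");

  // Display name borrows the Gmail brand while the envelope sender is elsewhere.
  const from = get("from");
  if (/gmail/i.test(from) && !/(gmail|google)\[?\.\]?com$/i.test(result.returnPathDomain || "")) {
    result.flags.push("brand-mismatch: From claims Gmail, Return-Path is " + result.returnPathDomain);
  }
  for (const h of headers) {
    if (!EXPECTED_HEADERS.has(h.name) && !h.name.startsWith("x-")) {
      result.flags.push("unusual-header: " + h.name);
    }
  }
  return result;
}

console.log(triageHeaders(SAMPLE_HEADERS));
```

The same function can be pointed at any exported message source; the client-ip and Return-Path domain it extracts are the values to pivot on when searching mail logs for other messages from the campaign.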
