Source: Email spam
Date: July 15, 2017
Subject: Message notification
From: Gmail Notification
Goal: Review the email infection/redirection chain leading to scareware.
Background: Previously, the same campaign led to the weight loss and scareware spam via the Amazon theme
Tools: Fiddler, any JS debugger
hxxp://cafevillan[.]com/steels[.]php
hxxp://weight4losspremium[.]world/?a=401336&c=cpcdiet&s=51207175
hxxp://checktimenow[.]com/d/r6t0b27039?rtb=c2da1390dbacd52002e62d397bb5e4f7.0&h=1.23&rtc=85474_ae3e8edaee4e456bfc314eda161e6629_1d496eab7185b1313998aa2f2f47a6301500262006.8435_100&subid=NDAxMzM2LU5URXlNRGN4TnpVPQ%3D%3D
hxxp://blobar[.]org/d/r6t0b27039?k=cb4771fda26bfb56027d6ae4c757eaf6.1500261371.850.1&rtb=c2da1390dbacd52002e62d397bb5e4f7.0&h=1.23&rtc=85474_ae3e8edaee4e456bfc314eda161e6629_1d496eab7185b1313998aa2f2f47a6301500262006.8435_100&subid=NDAxMzM2LU5URXlNRGN4TnpVPQ%3D%3D&r=&z=240
hxxp://www[.]micro-soft-alert[.]cf/call-microsoft-support-at-1-855-633-1666
- hxxp://cafevillan[.]com/steels[.]php
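To work through the redirection chain above without visiting any hop, the following added script (not part of the original write-up) refangs each URL, extracts host, TLD and query parameters, and decodes the affiliate `subid` that hops 3 and 4 share. The risky-TLD list, the brand list and the toll-free number pattern are this example's own assumptions; decoding the `subid` shows it is base64 of `<a>-<base64(<s>)>`, i.e. it carries the `a=` and `s=` values from the weight-loss hop, which ties the scareware landing page to the same affiliate.

```python
"""Offline triage of a defanged redirection chain (hxxp, [.])."""
import base64
import re
from urllib.parse import parse_qs, urlparse

# Constructed from the chain listed in the write-up, still defanged.
CHAIN = [
    "hxxp://cafevillan[.]com/steels[.]php",
    "hxxp://weight4losspremium[.]world/?a=401336&c=cpcdiet&s=51207175",
    "hxxp://checktimenow[.]com/d/r6t0b27039?rtb=c2da1390dbacd52002e62d397bb5e4f7.0&h=1.23&subid=NDAxMzM2LU5URXlNRGN4TnpVPQ%3D%3D",
    "hxxp://blobar[.]org/d/r6t0b27039?k=cb4771fda26bfb56027d6ae4c757eaf6.1500261371.850.1&subid=NDAxMzM2LU5URXlNRGN4TnpVPQ%3D%3D&r=&z=240",
    "hxxp://www[.]micro-soft-alert[.]cf/call-microsoft-support-at-1-855-633-1666",
]

# Assumptions for this example: TLDs and brand strings worth a closer look,
# and a US toll-free number pattern typical of tech-support-scam lures.
RISKY_TLDS = {"cf", "world", "tk", "ga", "ml", "gq"}
BRANDS = ("microsoft",)
PHONE_RE = re.compile(r"\b1-8\d\d-\d{3}-\d{4}\b")


def refang(url: str) -> str:
    """Turn the write-up's defanged form back into a parsable URL."""
    return (url.replace("hxxps://", "https://", 1)
               .replace("hxxp://", "http://", 1)
               .replace("[.]", "."))


def decode_subid(value: str) -> tuple:
    """Decode the affiliate subid: base64 of '<a>-<base64(<s>)>'."""
    outer = base64.b64decode(value).decode("ascii")
    affiliate, inner = outer.split("-", 1)
    sub_id = base64.b64decode(inner).decode("ascii")
    return affiliate, sub_id


def analyse_hop(defanged: str) -> dict:
    """Summarise one hop: host, TLD, parameter names and triage flags."""
    u = urlparse(refang(defanged))
    host = u.hostname or ""
    tld = host.rsplit(".", 1)[-1]
    params = parse_qs(u.query, keep_blank_values=True)
    flags = []
    if tld in RISKY_TLDS:
        flags.append("risky-tld")
    # 'micro-soft-alert' only looks like the brand once hyphens are dropped.
    if any(b in host.replace("-", "") for b in BRANDS):
        flags.append("brand-lookalike")
    if PHONE_RE.search(u.path):
        flags.append("phone-lure")
    info = {"host": host, "tld": tld, "params": sorted(params), "flags": flags}
    if "subid" in params:
        info["subid_decoded"] = decode_subid(params["subid"][0])
    return info


def analyse_chain(chain) -> list:
    return [analyse_hop(h) for h in chain]


if __name__ == "__main__":
    for i, hop in enumerate(analyse_chain(CHAIN), 1):
        print(i, hop)
```

The same affiliate id (401336) and sub id (51207175) surface in the decoded `subid` of hops 3 and 4, so blocking or hunting on that pair is a more stable indicator than the rotating redirector domains.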
*Message source:
Authentication-Results: spf=fail (sender IP is 89[.]30.155.66)
smtp.mailfrom=faxaway[.]com; hotmail.com; dkim=none (message not signed)
header.d=none;hotmail.com; dmarc=none action=none header.from=faxaway.com;
Received-SPF: Fail (protection.outlook.com: domain of faxaway.com does not
designate 89[.]30.155.66 as permitted sender) receiver=protection.outlook.com;
client-ip=89[.]30.155.66; helo= web01.multiserve.nl;
Received: from web01[.]multiserve.nl ([89[.]30.155.66]) by BAY004-MC5F15.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
Fri, 14 Jul 2017 21:21:48 -0700
From: Gmail Notification
Date: Sat, 15 Jul 2017 06:21:49 +0000
Content-Transfer-Encoding: 7bit
Message-ID:
Firearms-Christianizer-Shard: 1f161d59242f7a
To: REDACTED*
Content-Type: text/html; charset="UTF-8"
Subject: Message notification
Return-Path: colluney@faxaway[.]com
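The message source above already contains everything needed to classify the mail as spoofed: SPF fails for the sending IP, there is no DKIM signature, DMARC is none, and the "Gmail Notification" display name sits on a faxaway.com envelope. The added Python below (not the write-up's own tooling) unfolds those headers, parses the Authentication-Results line and produces the findings a mail-filter rule would key on. The header text is reconstructed from the write-up (IP and domains kept defanged, empty Message-ID omitted); the brand-to-domain table is this example's assumption.

```python
"""Parse Authentication-Results and From/Return-Path to flag a spoofed mail."""
import re

# Constructed from the message source in the write-up (defanged as there).
RAW_HEADERS = """\
Authentication-Results: spf=fail (sender IP is 89[.]30.155.66)
 smtp.mailfrom=faxaway[.]com; hotmail.com; dkim=none (message not signed)
 header.d=none;hotmail.com; dmarc=none action=none header.from=faxaway.com;
Received-SPF: Fail (protection.outlook.com: domain of faxaway.com does not
 designate 89[.]30.155.66 as permitted sender) receiver=protection.outlook.com;
 client-ip=89[.]30.155.66; helo= web01.multiserve.nl;
Received: from web01[.]multiserve.nl ([89[.]30.155.66]) by BAY004-MC5F15.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
 Fri, 14 Jul 2017 21:21:48 -0700
From: Gmail Notification
Date: Sat, 15 Jul 2017 06:21:49 +0000
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="UTF-8"
Subject: Message notification
Return-Path: colluney@faxaway[.]com

"""

# Assumption: display-name brand words and the domain they should come from.
BRAND_DOMAINS = {"gmail": "gmail.com", "google": "google.com"}


def refang(s: str) -> str:
    return s.replace("[.]", ".")


def unfold_headers(raw: str) -> dict:
    """Return {lowercased name: value}, joining RFC 5322 folded lines."""
    headers, name = {}, None
    for line in raw.splitlines():
        if not line.strip():
            break  # end of header block
        if line[0] in " \t" and name:
            headers[name] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers[name] = value.strip()
    return headers


def parse_auth_results(value: str) -> dict:
    """Pull SPF/DKIM/DMARC verdicts and identities out of Authentication-Results."""
    value = refang(value)
    out = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", value)
        out[mech] = m.group(1).lower() if m else "missing"
    m = re.search(r"smtp\.mailfrom=([\w.-]+)", value)
    out["mailfrom_domain"] = m.group(1).lower() if m else None
    m = re.search(r"header\.from=([\w.-]+)", value)
    out["from_domain"] = m.group(1).lower() if m else None
    m = re.search(r"sender IP is ([\d.]+)", value)
    out["sender_ip"] = m.group(1) if m else None
    return out


def assess(raw: str) -> dict:
    """Combine authentication verdicts with display-name and envelope checks."""
    h = unfold_headers(raw)
    auth = parse_auth_results(h.get("authentication-results", ""))
    findings = []
    if auth["spf"] == "fail":
        findings.append(f"spf-fail:{auth['sender_ip']}")
    if auth["dkim"] != "pass":
        findings.append(f"dkim-{auth['dkim']}")
    if auth["dmarc"] != "pass":
        findings.append(f"dmarc-{auth['dmarc']}")
    # A brand in the display name that the From domain does not back.
    display = h.get("from", "").split("<")[0].strip().lower()
    for brand, domain in BRAND_DOMAINS.items():
        if brand in display and auth["from_domain"] != domain:
            findings.append(f"brand-in-display-name:{brand}!={auth['from_domain']}")
    # Envelope sender domain should match the header From domain.
    rp = refang(h.get("return-path", "")).strip("<>")
    if "@" in rp and rp.split("@", 1)[1].lower() != auth["from_domain"]:
        findings.append("return-path-domain-mismatch")
    return {"auth": auth, "findings": findings}


if __name__ == "__main__":
    for f in assess(RAW_HEADERS)["findings"]:
        print(f)
```

For this message the result is an SPF fail attributed to 89.30.155.66, no DKIM, no DMARC, and a "gmail" display name on a faxaway.com sender; a receiving gateway that enforced a DMARC reject policy or quarantined brand-in-display-name mismatches would have stopped the mail before the redirection chain was ever clicked.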