Monday, December 18, 2017
(Fake) Viagra Spam is Making a Stiff Comeback


This is a good old-style spam campaign leading to sites selling (possibly fake) Viagra and Cialis.

The sites pretend to be Canadian pharmacies, but are Russian-registered domains.

The spam masquerades as notifications from Google and LinkedIn, all leading to the same (fake?) Viagra shops.

Spam Mails

The spam messages carried Google and LinkedIn icons and posed as notification e-mails. We analysed three separate samples, one received on each day between 8th and 10th February 2016.

Two of them masqueraded as Google notifications and the third as a LinkedIn notification.

Redirection via Compromised Site

The spams contained links to PHP files on compromised web sites.

E.g.
arteconomist[.]com/greenberg[.]php
egram[.]info/gets[.]php

As the Fiddler captures below show, both of the above URLs return HTTP 404, yet the response body contains a large amount of random filler text. The 404 status is worth noting: a proxy or sandbox that discards error responses will never see the redirect.

At the very end of each 404 page is a JavaScript snippet that constructs the URL of the final landing page.

Arteconomics redirect: Fiddler capture

Below is a screenshot of the Fiddler capture from the second sample.

Egrams redirect: Fiddler capture

JavaScript URL constructor: Sample #1

The JavaScript found in the first 404 page (arteconomics) was as shown below:

<script type="text/javascript">
function walkinge()
{
    walkinga = 21;
    walkingb = [140,126,131,121,132,140,67,137,132,133,67,129,132,120,118,
                137,126,132,131,67,125,135,122,123,82,60,125,137,137,133,79,
                68,68,131,118,137,138,135,118,129,133,126,129,129,130,118,129,
                129,67,135,138,60,80];

    walkingc="";
    for(walkingd=0;walkingd<walkingb.length;walkingd++)
    {
        walkingc+=String.fromCharCode(walkingb[walkingd]-walkinga);
    }
    return walkingc;
}
setTimeout(walkinge(),1255);
</script>

The first JavaScript explained

The JavaScript above contains an array of integers:

140-126-131-121-132-140-67-137-132-133-67-129-132-120-118-137-126-132-131-67-125-135-122-123-82-60-125-137-137-133-79-68-68-131-118-137-138-135-118-129-133-126-129-129-130-118-129-129-67-135-138-60-80

Looking at the simple for() loop, the script subtracts decimal 21 from each integer in the array and appends the resulting character to a string. Note that walkinge() is called immediately, so setTimeout() receives the decoded string rather than a function reference; given a string, setTimeout() evaluates it as code after 1255 ms, and that is what performs the redirect.

After performing the same subtraction manually (Ok, actually a little Reg-Ex and then Excel),  we find that the resultant array becomes:

119-105-110-100-111-119-46-116-111-112-46-108-111-99-97-116-105-111-110-46-104-114-101-102-61-39-104-116-116-112-58-47-47-110-97-116-117-114-97-108-112-105-108-108-109-97-108-108-46-114-117-39-59

The resulting values are all printable ASCII codes; a lookup in the ASCII table turns the array into:

window.top.location.href='http://naturalpillmall . ru';

(whitespace added to deactivate the link)

JavaScript URL constructor: Sample #2

The JavaScript found in the second 404 page (egrams) was as shown below:

<script type="text/javascript">
function hurrye()
{
    hurrya=91;
    hurryb= [210,196,201,191,202,210,137,207,202,203,137,199,202,
             190,188,207,196,202,201,137,195,205,192,193,
             152,130,195,207,207,203,149,138,138,201,188,
             207,208,205,188,199,203,196,199,199,200,188,
             199,199,137,205,208,130,150];

    hurryc="";
    for(hurryd=0;hurryd<hurryb.length;hurryd++)
    {
        hurryc+=String.fromCharCode(hurryb[hurryd]-hurrya);
    }
    return hurryc;
}
setTimeout(hurrye(),1325);
</script>

The second JavaScript explained

The JavaScript above contains the following array of integers:

210-196-201-191-202-210-137-207-202-203-137-199-202-190-188-207-196-202-201-137-195-205-192-193-152-130-195-207-207-203-149-138-138-201-188-207-208-205-188-199-203-196-199-199-200-188-199-199-137-205-208-130-150

Looking at the for() loop, the script subtracts decimal 91 from each integer in the array; the decoded string is again handed to setTimeout() for evaluation, here after 1325 ms.

After performing the same subtraction manually,  we find that the resultant array becomes:

119-105-110-100-111-119-46-116-111-112-46-108-111-99-97-116-105-111-110-46-104-114-101-102-61-39-104-116-116-112-58-47-47-110-97-116-117-114-97-108-112-105-108-108-109-97-108-108-46-114-117-39-59

So the array decodes to the same line as in the first JavaScript:

window.top.location.href='http://naturalpillmall . ru';

(whitespace added to deactivate the link)
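The manual subtract-and-lookup done programmatically. This is an added example, not code from the original post: a small Python deobfuscator that pulls the offset variable and the integer array out of a script shaped like the two samples above, decodes them without executing any JavaScript (so the setTimeout() trick never fires), extracts the landing-page URL and defangs it. The two sample scripts are embedded as constructed input, copied from the post with plain quotes. guess_offset() goes beyond the samples: it brute-forces the offset for variants where the key is not a literal in the script, picking the shift that yields printable ASCII containing a location assignment.

```python
import re

# Constructed sample input: the two scripts quoted in the post, with plain quotes.
SAMPLE_1 = """<script type="text/javascript">
function walkinge()
{
walkinga = 21;
walkingb = [140,126,131,121,132,140,67,137,132,133,67,129,132,120,118,
137,126,132,131,67,125,135,122,123,82,60,125,137,137,133,79,
68,68,131,118,137,138,135,118,129,133,126,129,129,130,118,129,
129,67,135,138,60,80];
walkingc="";
for(walkingd=0;walkingd<walkingb.length;walkingd++)
{
walkingc+=String.fromCharCode(walkingb[walkingd]-walkinga);
}
return walkingc;
}
setTimeout(walkinge(),1255);
</script>"""

SAMPLE_2 = """<script type="text/javascript">
function hurrye()
{
hurrya=91;
hurryb= [210,196,201,191,202,210,137,207,202,203,137,199,202,
190,188,207,196,202,201,137,195,205,192,193,
152,130,195,207,207,203,149,138,138,201,188,
207,208,205,188,199,203,196,199,199,200,188,
199,199,137,205,208,130,150];
hurryc="";
for(hurryd=0;hurryd<hurryb.length;hurryd++)
{
hurryc+=String.fromCharCode(hurryb[hurryd]-hurrya); }
return hurryc;
}
setTimeout(hurrye(),1325);
</script>"""

# The decode loop names both the array and the offset variable; we read them from it.
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*(\w+)\[\w+\]\s*-\s*(\w+)\s*\)")
HREF_RE = re.compile(r"location\.href\s*=\s*['\"]([^'\"]+)['\"]")


def extract_payload(script):
    """Return (offset, codes) for one script, found purely by pattern matching."""
    m = CHARCODE_RE.search(script)
    if m is None:
        raise ValueError("no fromCharCode(arr[i]-key) loop found")
    arr_name, key_name = m.group(1), m.group(2)
    key = re.search(rf"{re.escape(key_name)}\s*=\s*(\d+)", script)
    arr = re.search(rf"{re.escape(arr_name)}\s*=\s*\[([^\]]*)\]", script)
    if key is None or arr is None:
        raise ValueError("array or offset assignment not found")
    codes = [int(x) for x in arr.group(1).split(",") if x.strip()]
    return int(key.group(1)), codes


def decode(codes, offset):
    """Same operation as the for() loop: chr(code - offset) for each element."""
    return "".join(chr(c - offset) for c in codes)


def guess_offset(codes):
    """Brute-force the offset when it is not a literal: the right shift yields
    printable ASCII containing a location assignment. Returns None if no shift does."""
    for k in range(256):
        shifted = [c - k for c in codes]
        if all(32 <= v < 127 for v in shifted) and "location" in decode(codes, k):
            return k
    return None


def defang(url):
    """Make an IOC safe to paste: http -> hxxp, dots in the host -> [.]"""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def landing_page(script):
    """Decode a redirect script; return (offset, decoded line, defanged URL or None)."""
    offset, codes = extract_payload(script)
    line = decode(codes, offset)
    m = HREF_RE.search(line)
    return offset, line, defang(m.group(1)) if m else None


if __name__ == "__main__":
    for name, script in (("sample 1", SAMPLE_1), ("sample 2", SAMPLE_2)):
        print(name, landing_page(script))
```

Feeding a 404 body through landing_page() is enough to recover the IOC without ever loading the page in a browser; both samples decode to the same line with offsets 21 and 91.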

The third sample

The third sample was constructed in very much the same way, except that the final landing page URL was a different one:

h–p://onlinenaturalassist[.]ru

Final Landing Pages

The final landing pages were:

h–p://onlinenaturalassist[.]ru
h–p://naturalpillmall[.]ru

When we visited both of these URLs they had exactly the same content and look. Both are newly registered domains (see WHOIS screenshot below) and both sell (fake) Viagra, Cialis and similar products.
