Tuesday, July 3, 2012

No, the Weird Link I Received via Email is Not Legitimate

Seeing a weird sudden uptick in (possibly malicious) spam from those contacts with my email saved in their address books.

It's another repackaged version of a very old scam, taking advantage of those with virus/spyware infected machines or otherwise email boxes with compromised (and/or simply weak) passwords.

Rather than just spoofing the sender email addresses in the crap email, these messages are being sent directly from the actual email accounts of the compromised users.

The crap email itself always seems to be sent to 10-15 people at once. Nothing appears in the subject line. The body itself only contains a link address, which in itself appears to be a generally legitmate sounding domain.

But the url always includes a weirdly long path which seems to be unique to the email. Makes me wonder if whoever is recycling these domains for their spam use is tracking information on those who are clicking the link.

URLs received (so far) include:
www [DOT] easypinturas [DOT] cl/wp-content/themes/easy/googles.html?cab=ty.psml&sg=mkv.ytf&fhb=qyiv

www [DOT] tomstexascountycourthouses [DOT] com/wp-content/uploads/fgallery/fmaus.html?ffnc=dwdqxi

www [DOT] 509art [DOT] com/wp-content/uploads/slideshow-gallery-pro/google.html?er=rc.gio&cn=ar.reg&fhb=tdsy

www [DOT] ccrystalpublications [DOT] com/home/home/celesteme/ccrystalpublications.com/home/wp-content/uploads/sermons/images/goodbody.html

www [DOT] nickandemilywedding [DOT] com/wp-content/themes/ligneous/photo.php?fly138.png

www [DOT] pasmi [DOT] org/wp-content/themes/pasmi/art.php?cloth1.php

Some of these domains have since been killed. But new deriveratives are being sent out just as quick.

Spun up a test sandbox to see what would happen with the links and saw only redirects to spam websites when the links were opened. The first 'hop' before the redirect always read (complete with the bad english):

You are here because one of your friends
have invited you.
Page loading, please wait....

Um, no I'm not
Um, no I'm not

And then a redirect kicks the page to one of several (legitmate looking) spam sites.

I've included two of the examples below, but there are several others.

"7 News Money Blog" looks like a legimiate site, but it's clearly just another crap "Work at Home" scam

This other site was especially daring as it stole the Fox News website template for their weightloss scam
This other site was especially daring as it stole the Fox News website template for their weightloss scam

Could be a bunch of different bugs causing this. Not sure which one(s). It's definitely getting around though (whatever it is).