Fake WhatsApp / Facebook / LinkedIn notifications

Guest

Fake WhatsApp / Facebook / LinkedIn notifications

Post by Guest » Fri Feb 05, 2016 6:31 am

I often receive fake notifications (WhatsApp, LinkedIn, Google or Facebook), where the link is in fact that of a compromised site, which redirects to an online pharmacy.

Fake notifications:

[img]https://s15.postimg.org/kk3y7ew4b/fake_whatsapp.png[/img]

[img]https://s8.postimg.org/xtwr1t0ut/fake_linkedin.png[/img]

Malicious code:

[img]https://s29.postimg.org/auba447yf/compromised_site.png[/img]

Tool to safely check source code:  https://wget.alanreed.org/

The code converts Unicode values into characters. That allows the redirection and the URL to be encoded, so it is less detectable by AV.

The malicious code in the capture makes this redirection after a timeout of 1 second.

Code:

setTimeout(window.top.location.href='hxxp://yourdrugquality.ru',1266)

Some compromised sites:


wisehosting.co.uk
pro-gre.ru
meiguojeep.com
stonewallcommunications.com
yellowslate.com
clashofclanshacking.net
mombassatarifa.com
lgamenagements.fr
edu-tech-int.com

A440
Posts: 4760
Joined: Sat Nov 20, 2010 1:56 am

RE: Fake WhatsApp / Facebook / LinkedIn notifications

Post by A440 » Fri Feb 05, 2016 3:16 pm

Yes, I get the same but they obviously link to different sites that are hijacked.

Guest

RE: Fake WhatsApp / Facebook / LinkedIn notifications

Post by Guest » Fri Feb 05, 2016 7:05 pm

In fact, this "malicious code" has its own signature, which I translated into a regex. That allows me to safely check its presence in a web page (via URL).

Code:

// Signature of the obfuscated redirector, assembled fragment by fragment;
// each fragment corresponds to one statement of the script.
$regexp  = "function\s*(\w+)\(\)\s*\{\s*";                     // function checke() {
$regexp .= "\w+\s*=\s*(\d+);\s*";                               // checka=74;        -> offset
$regexp .= "\w+\s*=\s*\[(.*)\];\s*";                            // checkb=[...];     -> char codes
$regexp .= "\w+\s*=\s*(.*);\s*";                                // checkc="";
$regexp .= "for\s*\(\s*\w+\s*=\s*0\s*;\s*\w+\s*<\s*\w+\.length;\s*\w+\+\+\s*\)\s*\{\s*";
$regexp .= "\w+\s*\+=\s*String\.fromCharCode\(\w+\[\w+\]\s*-\s*\w+\);\s*";
$regexp .= "\}\s*";
$regexp .= "return\s*\w+;\s*";
$regexp .= "}\s*";
$regexp .= "setTimeout\s*\(\w+\(\)\s*,\s*(\d+)\s*\)";           // setTimeout(checke(),1308) -> delay
// Apply the pattern with the /s modifier so that "(.*)" can span the line
// breaks found inside the charcode array of real samples.

If a page has this malicious code, I can safely redraw the attempted action and display the results.

[url=https://s13.postimg.org/8p1z2dq3r/analyze.png][img]https://s13.postimg.org/8p1z2dq3r/analyze.png[/img][/url]

Guest

RE: Fake WhatsApp / Facebook / LinkedIn notifications

Post by Guest » Sat Feb 06, 2016 6:32 am


longhairitage.com
gowildmexico.com

==> medicalsafeservices.ru

Myxt
Posts: 4156
Joined: Sat Mar 05, 2011 6:18 am

RE: Fake WhatsApp / Facebook / LinkedIn notifications

Post by Myxt » Sun Feb 07, 2016 8:05 am

[quote="matiks"]
In fact, this "malicious code" has its own signature, which I translated into a regex. That allows me to safely check its presence in a web page (via URL). ...
[/quote]

I keep a test file on my desktop - "X.htm" - which contains only
____

<html><head></head><body><script>

</script></body></html>
____

and copy / paste the script content into the blank line
____

<html><head></head><body><script>
function checke() { checka=74; checkb=[193,179,184,174,185,193,120,190,185,186,120,182,185,173,171,190,179,
185,184,120,178,188,175,176,135,113,178,190,190,186,132,121,121,190,188,191,189,190,175,174,190,171,172,
189,183,171,188,190,120,188,191,113,133]; checkc=""; for(checkd=0;checkd<checkb.length;checkd++)
{ checkc+=String.fromCharCode(checkb[checkd]-checka); } return checkc; }
setTimeout(checke(),1308);
</script></body></html>
____

then change the setTimeout instruction to document.write
____

<html><head></head><body><script>
function checke() { checka=74; checkb=[193,179,184,174,185,193,120,190,185,186,120,182,185,173,171,190,179,
185,184,120,178,188,175,176,135,113,178,190,190,186,132,121,121,190,188,191,189,190,175,174,190,171,172,
189,183,171,188,190,120,188,191,113,133]; checkc=""; for(checkd=0;checkd<checkb.length;checkd++)
{ checkc+=String.fromCharCode(checkb[checkd]-checka); } return checkc; }
document.write(checke());
</script></body></html>
____

then save the file and double-click to open in my default browser. The document.write displays one line of text on a blank page
____

window.top.location.href='http://trustedtabsmart.ru';
____

This way, any math and/or substitutions - that are used to further obfuscate the code - will produce the intended executable string, except that it will be written as a line of text instead of being executed.

For those that don't know, to set "window.top.location.href" equal to an address is to load that address into the top-most window (within a given browser tab). It's called the "top" (highest "parent") window because it may contain "child" windows such as inline frames.

Guest

RE: Fake WhatsApp / Facebook / LinkedIn notifications

Post by Guest » Sun Feb 07, 2016 8:26 am

You may be interested in using this tool:

Code:

https://matiks.net/MyWOT/analyzeRedirect

  • Curl call to the URL.
  • Content handled as a DOM (via loadHTML)
  • Look at the content of script tags with the regexp (cf. above)
  • Regex matches => extract useful info to safely redraw the attempted action
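The analysis described in this post, in the regex post above, and in the first post's note on the String.fromCharCode obfuscation, as an added example in JavaScript. This is not the thread's tool and not code from matiks or Myxt: it pulls the bodies of the script elements out of an HTML string, applies a JavaScript port of the PHP signature regex, and reverses the charcode-minus-offset encoding by arithmetic alone, so the redirect target is recovered without the script ever running (the same idea as Myxt's document.write swap, but with no browser involved). The sample page is constructed for this example and embeds the script pasted in Myxt's post; the names analyzeRedirect, scriptBodies, decodeCharCodes and defang are chosen here, and where the matiks.net tool uses a real DOM (loadHTML) this example uses a regex over the raw HTML.

```javascript
// Added example (not the thread's tool): static analyser for the
// "String.fromCharCode(arr[i] - offset)" redirector discussed above.

// The PHP pattern from the thread, fragment by fragment, joined into one
// RegExp. The 's' (dotAll) flag is required because the charcode array in
// real samples spans several lines and "(.*)" must be able to cross them.
const SIGNATURE_PARTS = [
  String.raw`function\s*(\w+)\(\)\s*\{\s*`,              // function checke() {      -> group 1: name
  String.raw`\w+\s*=\s*(\d+);\s*`,                        // checka=74;               -> group 2: offset
  String.raw`\w+\s*=\s*\[(.*)\];\s*`,                     // checkb=[...];            -> group 3: codes
  String.raw`\w+\s*=\s*(.*);\s*`,                         // checkc="";               -> group 4: accumulator
  String.raw`for\s*\(\s*\w+\s*=\s*0\s*;\s*\w+\s*<\s*\w+\.length;\s*\w+\+\+\s*\)\s*\{\s*`,
  String.raw`\w+\s*\+=\s*String\.fromCharCode\(\w+\[\w+\]\s*-\s*\w+\);\s*`,
  String.raw`\}\s*`,
  String.raw`return\s*\w+;\s*`,
  String.raw`}\s*`,
  String.raw`setTimeout\s*\(\w+\(\)\s*,\s*(\d+)\s*\)`,    // setTimeout(checke(),1308) -> group 5: delay
];
const SIGNATURE = new RegExp(SIGNATURE_PARTS.join(''), 's');

// Return the body of every <script> element in an HTML string.
// (A regex is enough for this analyser; the thread's tool uses a real DOM.)
function scriptBodies(html) {
  return [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)].map(m => m[1]);
}

// Reverse the obfuscation without executing anything: subtract the offset
// from each code and concatenate the resulting characters.
function decodeCharCodes(codes, offset) {
  return codes.map(c => String.fromCharCode(c - offset)).join('');
}

// Write a URL in the defanged "hxxp://" form used in the thread.
function defang(url) {
  return url.replace(/^http/i, 'hxxp');
}

// Analyse one HTML document. Returns null when no script carries the signature.
function analyzeRedirect(html) {
  for (const body of scriptBodies(html)) {
    const m = SIGNATURE.exec(body);
    if (!m) continue;
    const offset = Number(m[2]);
    const codes = m[3].split(',').map(s => parseInt(s.trim(), 10));
    const decoded = decodeCharCodes(codes, offset);
    // setTimeout(checke(), n) calls checke() immediately and hands the returned
    // *string* to setTimeout, which evaluates it as code after n ms. That is why
    // the decoded text is a whole statement, from which the URL is extracted here.
    const target = decoded.match(/location(?:\.href)?\s*=\s*['"]([^'"]+)['"]/);
    return {
      functionName: m[1],
      offset,
      delayMs: Number(m[5]),
      decoded,
      target: target ? defang(target[1]) : null,
    };
  }
  return null;
}

// Constructed sample page for this example; the script is the one pasted in the thread.
const SAMPLE_PAGE = `<html><head><title>Your LinkedIn invitation</title></head><body>
<p>Loading...</p>
<script>
function checke() { checka=74; checkb=[193,179,184,174,185,193,120,190,185,186,120,182,185,173,171,190,179,
185,184,120,178,188,175,176,135,113,178,190,190,186,132,121,121,190,188,191,189,190,175,174,190,171,172,
189,183,171,188,190,120,188,191,113,133]; checkc=""; for(checkd=0;checkd<checkb.length;checkd++)
{ checkc+=String.fromCharCode(checkb[checkd]-checka); } return checkc; }
setTimeout(checke(),1308);
</script>
</body></html>`;

// Constructed page whose script does not carry the signature.
const BENIGN_PAGE = `<html><body><script>document.title = 'hello';</script></body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(analyzeRedirect(SAMPLE_PAGE));   // offset 74, delay 1308, defanged target
  console.log(analyzeRedirect(BENIGN_PAGE));   // null
}
```

Run it with node: the first call reports the function name, the offset 74, the 1308 ms delay, the decoded statement and the target written as hxxp://, while the benign page yields null. Because the decoding is pure arithmetic on the captured array, any further math or substitutions inside the script only affect how the array is built, which is the same property Myxt relies on when swapping setTimeout for document.write.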

A440
Posts: 4760
Joined: Sat Nov 20, 2010 1:56 am

RE: Fake WhatsApp / Facebook / LinkedIn notifications

Post by A440 » Sun Feb 07, 2016 1:43 pm

fusiontsinc.com/wp-content/executive.php

Guest

RE: Fake WhatsApp / Facebook / LinkedIn notifications

Post by Guest » Mon Feb 08, 2016 7:06 am

thefrugalstore.com

thefrugalstore.com/blacking.php => naturalpillmall.ru

Myxt
Posts: 4156
Joined: Sat Mar 05, 2011 6:18 am

RE: Fake WhatsApp / Facebook / LinkedIn notifications

Post by Myxt » Mon Feb 08, 2016 9:35 am

[quote="matiks"]

Code:

https://matiks.net/MyWOT/analyzeRedirect
[/quote]

Slick! (that's a compliment)

Hacked redirectors, not yet red

List of domains/hosts


acrepairofdallas.com
action-designs.com
allurecenters.com
arthurjardim.com.br
bcda-congo.org
coalyardcafe.com
delrayvitamincenter.com
dorfmaninlove.com
emscaraibes.com
foodforfriend.com
gertm.nl
j2m.name
k12futureschool.org
kentcustoms.com.au
leightoncarr.com
lonestarsurvivaltraining.com
meovatcuocsong.org
mustafaveis.com
mytime99.com
neotripbrasil.hospedagemdesites.ws
otelug.ru
paintbuddyinc.com
pantaisentralpark.com
qiptech.com
si.secda.info
tillalsaeed.com
unlukablo.com
urosankimya.com
zhongguony.com

Rogue pharmacies, not yet red - none

Guest

RE: Fake WhatsApp / Facebook / LinkedIn notifications

Post by Guest » Mon Feb 08, 2016 10:25 am

[quote="myxt"]
Slick! (that's a compliment)
[/quote]

Thanks :)
I have updated the layout because long URLs broke it (it may be necessary to clear the browser cache).
I will add a simple tool to get the list of domains which are still flagged as unrated like a kind of MRT list.

PS: WOT ratings are updated every hour.
