Redswitches.com & 1and1.com – unresponsive to SEO spammer complaints

Guest

RE: WARNING

Post by Guest » Sun Nov 29, 2015 9:44 am

<quote user="myxt">
Be extremely cautious about visiting those link targets! Be prepared to disinfect and/or restore your system drive.

teesplanet.com/dwindle.php
https://www.virustotal.com/en/url/8fe68 ... 448787178/

smokecloud9.com/brutal.php
https://www.virustotal.com/en/url/c0dde ... 448787452/

[/quote]

The malicious code in these pages is a kind of encryption using a conversion of Unicode numbers into characters:

So the code in teesplanet.com/dwindle.php simply does a redirection:

Code:

window.top.location.href='http://yourdrugquality.ru';

As for smokecloud9.com/brutal.php:

Code:

window.top.location.href='http://medicaltableteshop.ru'

Targeted sites are yourdrugquality.ru & medicaltableteshop.ru (scam sites).

PS: to get the code safely for study, it is better to use wget online.

Myxt
Posts: 2086
Joined: Sat Mar 05, 2011 6:18 am

RE: WARNING

Post by Myxt » Mon Nov 30, 2015 5:34 am

<quote user="matiks">
The malicious code in these pages is a kind of encryption using a conversion of Unicode numbers into characters:

So the code in teesplanet.com/dwindle.php simply does a redirection:

Code:

window.top.location.href='http://yourdrugquality.ru';

As for smokecloud9.com/brutal.php:

Code:

window.top.location.href='http://medicaltableteshop.ru'

Targeted sites are yourdrugquality.ru & medicaltableteshop.ru (scam sites).

PS: to get the code safely for study, it is better to use wget online.
[/quote]
Very well, those two redirecting pages may not be destructive at this moment:
teesplanet.com/dwindle.php > local security > Trojan-Downloader.JS.Redirector.a
smokecloud9.com/brutal.php > local security > Trojan-Downloader.JS.Redirector.a
Sample AV report:
C:\Users\x\AppData\Local\Mozilla\Firefox\Profiles\y.default\cache2\entries\F4B687D86C057313D348619857FFD076342F0079
> Detected object (file) was deleted.

Thoughts:

The redirecting pages have irrelevant names clearly intended to be re-usable for any purpose. In fact, the longstanding redirectors are at least as valuable as the temporary disposable targets which the "encryption" is intended to shield from the light of day. I would not be surprised to find that these targets are only advertised via these redirectors.

Like A440, I have received several of these "poison pen" letters. Normal spam from rogue pharmacies plainly states that they offer cheap drugs, to appeal to recipients who want cheap drugs. To effectively sell a tangible product, whether it is drugs or cars, there is negative appeal in an irrelevant phish mail in the guise of a brand name social media vendor with a message waiting for you, especially when the pretense is so obviously shabby as if someone is playing this like a game, or more likely "farming" these redirectors from a common control center, and testing whether the farm will work successfully as a future social engineering attack.

Average users must (should) rely on security vendors' analyses because they do not have technical and/or physical resources to sacrifice either to malware or to the dirty targets. Because I don't have the physical resources, I have followed a few of these links which were cited only for phishing, etc, by multiple vendors, and cited for malware by none. In some of these cases, my local security has reacted by detecting, neutralizing, and quarantining automatically downloaded objects it identified as malware, as above. Thus my warning.

Some of these redirectors behave differently based on how they are approached. BitDefender and others report malware while Sucuri reports no content, RedirectDetective reports a 404, etc - and other odd combinations. So perhaps malicious code is dynamically added when a live browser seems to be present. Getting the code safely may not get all of the code. I normally do not have time to analyze these detections to an atomic level, especially when there are so many.

This spam campaign has a recognizable signature, and it seems wholly unsuited to hawking happy pills, but ideally suited to spreading malware among social media addicts. Already this campaign appears to be sitting on the fence. Thus my decision to actually post my warning here.

Guest

RE: Redswitches.com & 1and1.com – unresponsive to SEO spammer

Post by Guest » Mon Nov 30, 2015 6:22 am

I agree with your statements. As I also received these messages, I was curious to know more about these embedded scripts. I guess "hackers" use this encryption to make redirections more complicated to detect (URLs are not written as the command "window.location.href"). When you are on these infected pages, the script is deferred by one second... (setTimeout, close to 1000 ms).
When I meet these fake notifications I assess them as "Malware and Viruses" to warn other WOT members, and I will not study the malicious code for each :)
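
As an added illustration (not code from any poster in this thread): a small Python decoder that recovers the redirect target from a page like the ones described above statically, without loading the page in a browser, by decoding the String.fromCharCode list and reading off the setTimeout delay. The script sample is constructed and points at a placeholder domain; the decoder also accepts hex code lists, a variant the thread does not show.

```python
import re

# Constructed sample, modelled on the redirector pages discussed in the thread:
# the statement is stored as a list of character codes and run after a ~1 s delay.
# The target is a placeholder domain, not one of the thread's sites.
SAMPLE_JS = """
var p = String.fromCharCode(119,105,110,100,111,119,46,116,111,112,46,108,111,99,97,116,105,111,110,
    46,104,114,101,102,61,39,104,116,116,112,58,47,47,101,120,97,109,112,108,101,
    46,105,110,118,97,108,105,100,39,59);
setTimeout(function () { eval(p); }, 1000);
"""

# Decimal or hex code lists inside String.fromCharCode(...), possibly spread over lines.
CHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([0-9a-fA-Fx\s,]+)\)")
TIMEOUT_RE = re.compile(r"setTimeout\s*\(.*?,\s*(\d+)\s*\)", re.S)
# Assignments to (window.)(top.)location(.href) with a quoted literal target.
TARGET_RE = re.compile(r"(?:window\.)?(?:top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")

def decode_charcodes(js):
    """Decode every String.fromCharCode(...) list statically, never executing the script."""
    decoded = []
    for m in CHARCODE_RE.finditer(js):
        try:
            codes = [int(c.strip(), 0) for c in m.group(1).split(",") if c.strip()]
        except ValueError:
            continue  # arguments were variables, not literals; static decoding cannot help
        decoded.append("".join(chr(c) for c in codes))
    return decoded

def find_delay_ms(js):
    """Delay passed to setTimeout, which is what makes short-lived scanners miss the redirect."""
    m = TIMEOUT_RE.search(js)
    return int(m.group(1)) if m else None

def analyse(js):
    decoded = decode_charcodes(js)
    targets = []
    for text in decoded + [js]:  # targets may sit in the decoded text or be written plainly
        targets.extend(TARGET_RE.findall(text))
    return {"decoded": decoded, "targets": targets, "delay_ms": find_delay_ms(js)}
```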

A440
Posts: 2326
Joined: Sat Nov 20, 2010 1:56 am

RE: Redswitches.com & 1and1.com – unresponsive to SEO spammer

Post by A440 » Mon Nov 30, 2015 6:39 am

I'm also finding that many links are routing through tracking sites that tell the spammers *exactly* who is following their links ([red]affiliate.trk4.com[/red]). There is also the possibility of these guys mining browser cookies as well, thus I need to find a better way to anonymously check these links.

1and1, oneandone, com, net, de, et al. are making bank from this and should be rated appropriately.

Myxt
Posts: 2086
Joined: Sat Mar 05, 2011 6:18 am

RE: Redswitches.com & 1and1.com – unresponsive to SEO spammer

Post by Myxt » Mon Nov 30, 2015 7:35 am

<quote user="matiks">... the script is deferred of one second ...[/quote]

That makes sense: a browser will wait quite a while; an automated scanner, probably not long (though Anubis is tedious).

Myxt
Posts: 2086
Joined: Sat Mar 05, 2011 6:18 am

RE: Redswitches.com & 1and1.com – unresponsive to SEO spammer

Post by Myxt » Mon Nov 30, 2015 8:27 am

<quote user="a440">I'm also finding that many links are routing through tracking sites that tell the spammers *exactly* who is following their links ([red]affiliate.trk4.com[/red]). There is also the possibility of these guys mining browser cookies as well, thus I need to find a better way to anonymously check these links.[/quote]

I always keep additional Limited (= not Administrator) user accounts on my machines, that are Local (= not Microsoft or other manufacturer-based logins), that have all apps, identifications, geo-location, sharing, and reporting disabled, and that do not use email or social media. I keep Firefox untied from everything because it supports the most armor.

When you get spam, mark it as junk before you open it - your email client should react by disabling code in the email that accesses external resources, such as [img]hxxp://scum.con/evil.jpg[/img]

If you plan to visit addresses found in the message code, at least exit your email client so it doesn't bleed PII. Better yet, analyze the raw message on your Limited Local account who is PII-ignorant. Or do your research on a (non-personalized) Linux (full installation) that is Windows-ignorant, and let those trackers eat gravel.

If you find it exciting to watch grass grow:
check JavaScript and Flash at wepawet.iseclab.org
get AI risk opinions at zulu.zscaler.com
check PHP and non-binaries at anubis.iseclab.org
see through a browser's eyes at urlquery.net
check malware at quttera.com but *ignore* detections based only on links to other bad sites

A440
Posts: 2326
Joined: Sat Nov 20, 2010 1:56 am

RE: Redswitches.com & 1and1.com – unresponsive to SEO spammer

Post by A440 » Tue Dec 01, 2015 1:43 am

Yet another that points to [red]1and1.com[/red]:
Delivered-To: xxx@gmail.com
Received: by 10.55.77.71 with SMTP id a68csp1709239qkb;
Mon, 30 Nov 2015 15:46:53 -0800 (PST)
X-Received: by 10.25.213.145 with SMTP id m139mr28105505lfg.150.1448927213159;
Mon, 30 Nov 2015 15:46:53 -0800 (PST)
Return-Path: [dreamers(at)mixom.com]
Received: from u18131555.onlinehome-server.com (u18131555.onlinehome-server.com. [74.208.223.13])
by mx.google.com with SMTP id o90si30776983lfi.52.2015.11.30.15.46.52
for [xxx@gmail.com];
Mon, 30 Nov 2015 15:46:53 -0800 (PST)
Received-SPF: neutral (google.com: 74.208.223.13 is neither permitted nor denied by best guess record for domain of dreamers@mixom.com) client-ip=74.208.223.13;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 74.208.223.13 is neither permitted nor denied by best guess record for domain of dreamers@mixom.com) smtp.mailfrom=dreamers(at)mixom.com
Content-Type: text/html; charset=UTF-8
Aligned-Glassed-Poultice: 614
Strindberg-Becker: walls
MIME-Version: 1.0
From: Youtube Notify [dreamers@mixom.com]
Banjos-Marvels: unflagging
Message-ID: [485f76c.5b86d14aaac@mixom.com]
To: "xxx@gmail.com" [xxx@gmail.com]
Content-Transfer-Encoding: 7bit
X-Priority: 1
Subject: You have delayed e-mails rupturing
Date: Mon, 30 Nov 2015 18:46:53 +0000

[html]
[head]

[title][/title] [/head] [body transformation=24 style="background:#f0f0f0;"] [div style="max-width:700px;"]

[table cellspacing="0" cellpadding="0" style="background:#fff;font-family:arial;font-size:13px;color:#333;width:100%;"] [tr] [td walworth='26' style="padding:20px;"]

[div revisiting='9' style="background:#f0f0f0;padding:0px 10px"]
[span miserable="99" style="font-size:22px;font-weight:bold;color:#333;margin-right:2px;"]You[/span][span style="font-size:22px;font-weight:bold;color:#fff;background:#bf171d;border-radius:10px;-webkit-border-radius:10px;-moz-border-radius:10px;border:solid 5px #bf171d;"]Tube[/span] [/div] [br/]
[br/] You have delayed e-mail.[br/]
[br/]

[a style="color:#0000ff;" href="http://www.nuitentipi.fr/canvassing.php"]View e-mails[/a].[br/] [br/] Warm wishes[br/] Youtube support[br/]

[br/]

[/td] [/tr]

[tr] [td style="padding:0px 20px 20px 20px;background:#f0f0f0"] [div arabianizes='82' style="padding-top:10px;font-size:11px;color:#7c7c7c"]

&copy; 2015 YouTube, LLC 901 Cherry Ave, San Bruno, CA 94066. This e-mail was sent to xxx@gmail.com because you indicated that you are willing to receive occasional YouTube product-related e-mails.

If you do not wish to receive such e-mails in the future, please unsubscribe. You can also change your preferences by visiting your Email Options in your YouTube account.

[/div]
[/td] [/tr] [/table] [/div] [/body]

[/html]

Myxt
Posts: 2086
Joined: Sat Mar 05, 2011 6:18 am

RE: Redswitches.com & 1and1.com – unresponsive to SEO spammer

Post by Myxt » Tue Dec 01, 2015 7:18 am

[red]nuitentipi.fr/canvassing.php[/red] > http://urlquery.net/report.php?id=1448953370526 > [red]curingremedyshop.ru[/red]

A440
Posts: 2326
Joined: Sat Nov 20, 2010 1:56 am

RE: Redswitches.com & 1and1.com – unresponsive to SEO spammer

Post by A440 » Wed Dec 02, 2015 8:41 am

. . . and more (header only):
Received: by 10.55.77.71 with SMTP id a68csp2363190qkb;
Tue, 1 Dec 2015 14:58:11 -0800 (PST)
X-Received: by 10.194.178.202 with SMTP id da10mr28932547wjc.158.1449010690928;
Tue, 01 Dec 2015 14:58:10 -0800 (PST)
Return-Path: <comite.volley66@excite.fr>
Received: from u17473837.onlinehome-server.com (u17473837.onlinehome-server.com. [74.208.201.232])
by mx.google.com with SMTP id 81si38920966wmm.87.2015.12.01.14.58.10
for <xxx@gmail.com>;
Tue, 01 Dec 2015 14:58:10 -0800 (PST)
Received-SPF: neutral (google.com: 74.208.201.232 is neither permitted nor denied by best guess record for domain of comite.volley66@excite.fr) client-ip=74.208.201.232;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 74.208.201.232 is neither permitted nor denied by best guess record for domain of comite.volley66@excite.fr) smtp.mailfrom=comite.volley66@excite.fr
Content-Transfer-Encoding: 7bit
Message-ID: <5df616622ca91@excite.fr>
Emerging-Queries: 4C5F3F556
Date: Tue, 1 Dec 2015 17:58:10 -0700
Disagrees-Immaterial-Dalzell: 6CBE241A823
Naughtiness-Startup: 987A9ED8DC
Content-Type: text/html; charset=UTF-8
From: Youtube+ Notifier <comite.volley66@excite.fr>
X-Priority: 1
Subject: Deferred e-mails congregation
etc. . .
which came from:

NetRange: 74.208.0.0 - 74.208.255.255
CIDR: 74.208.0.0/16
NetName: 1AN1-NETWORK
NetHandle: NET-74-208-0-0-1
Parent: NET74 (NET-74-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS8560
Organization: 1&1 Internet Inc. (11INT)
RegDate: 2006-11-22
Updated: 2012-02-02

OrgName: 1&1 Internet Inc.
OrgId: 11INT
Address: 701 Lee Rd
Address: Suite 300
City: Chesterbrook
StateProv: PA
PostalCode: 19087
Country: US
RegDate: 2006-09-05
Updated: 2013-04-23

and points to:

[red]iyagi.de/creaks.php[/red]
which redirects to:
[red]privatehealingshop.xyz[/red]

A440
Posts: 2326
Joined: Sat Nov 20, 2010 1:56 am

RE: Redswitches.com & 1and1.com – unresponsive to SEO spammer

Post by A440 » Fri Dec 11, 2015 3:04 am

Yet more spam from [red]1and1.com[/red]:
Delivered-To: xxx @ gmail.com
Received: by 10.55.77.71 with SMTP id a68csp609632qkb;
Thu, 10 Dec 2015 11:26:12 -0800 (PST)
X-Received: by 10.50.138.72 with SMTP id qo8mr782837igb.50.1449775572545;
Thu, 10 Dec 2015 11:26:12 -0800 (PST)
Return-Path: <devonleblancir @ billigheizen24.com>
Received: from u16248505.onlinehome-server.com (u16248505.onlinehome-server.com. [74.208.107.105])
by mx.google.com with SMTP id kk9si216240igb.68.2015.12.10.11.26.11
for <xxx @ gmail.com>;
Thu, 10 Dec 2015 11:26:12 -0800 (PST)
Received-SPF: neutral (google.com: 74.208.107.105 is neither permitted nor denied by best guess record for domain of devonleblancir @ billigheizen24.com) client-ip=74.208.107.105;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 74.208.107.105 is neither permitted nor denied by best guess record for domain of devonleblancir @ billigheizen24.com) smtp.mailfrom=devonleblancir @ billigheizen24.com
Content-Type: text/html; charset=UTF-8
MIME-Version: 1.0
Subject: Incoming voicemessage, 3:27PM
To: "xxx @ gmail.com" <xxx @ gmail.com>
Date: Thu, 10 Dec 2015 15:27:59 +0000
Message-ID: <bab6aa6e2e8c7e9d6998d678e44aa988c @ billigheizen24.com>
Content-Transfer-Encoding: 7bit
From: WhatsAppNotifier <devonleblancir @ billigheizen24.com>
Mangled-Breakdown-Hellman: 982fd85d98da51ca
<<etcetera>>
This spam points to [red]saferemedymarket.ru[/red]
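
Added example, not from any poster in this thread: a Python triage of raw headers like the ones quoted above (the sample is the second message's headers with standard RFC 5322 folding restored). It extracts the IP of the host that handed the mail to the MX, checks it against the 1AN1-NETWORK block from the WHOIS record, reads the SPF result, and lists the non-standard filler headers that vary from message to message. The set of expected header names is an assumption made for this illustration.

```python
import ipaddress
import re

# Constructed sample: header lines from the second message quoted in this thread,
# with RFC 5322 folding (indented continuation lines) restored.
RAW_HEADERS = """\
Return-Path: <comite.volley66@excite.fr>
Received: from u17473837.onlinehome-server.com (u17473837.onlinehome-server.com. [74.208.201.232])
 by mx.google.com with SMTP id 81si38920966wmm.87.2015.12.01.14.58.10
 for <xxx@gmail.com>; Tue, 01 Dec 2015 14:58:10 -0800 (PST)
Received-SPF: neutral (google.com: 74.208.201.232 is neither permitted nor denied by best guess record for domain of comite.volley66@excite.fr) client-ip=74.208.201.232;
Emerging-Queries: 4C5F3F556
Date: Tue, 1 Dec 2015 17:58:10 -0700
Disagrees-Immaterial-Dalzell: 6CBE241A823
Naughtiness-Startup: 987A9ED8DC
From: Youtube+ Notifier <comite.volley66@excite.fr>
"""

# Netblock from the WHOIS record quoted in the thread (NetName 1AN1-NETWORK).
WATCHED_NETS = [ipaddress.ip_network("74.208.0.0/16")]

# Assumed set of headers a genuine notification mail carries; anything else is treated
# as the random filler this campaign inserts to give every message a different fingerprint.
KNOWN_HEADERS = {
    "delivered-to", "received", "x-received", "return-path", "received-spf", "authentication-results",
    "content-type", "mime-version", "from", "to", "message-id", "content-transfer-encoding",
    "x-priority", "subject", "date",
}

def unfold(raw):
    """Join RFC 5322 continuation lines and return (name, value) pairs in order."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif ":" in line:
            lines.append(line)
    return [tuple(p.strip() for p in l.split(":", 1)) for l in lines]

def triage(raw):
    """Facts a reviewer checks first: handing-off IP, SPF result, filler headers, envelope domain."""
    headers = unfold(raw)
    get = lambda name: next((v for n, v in headers if n.lower() == name), "")
    # First bracketed IP in the Received chain is the host that handed the mail to the MX.
    m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", " ".join(v for n, v in headers if n.lower() == "received"))
    ip = ipaddress.ip_address(m.group(1)) if m else None
    return {
        "handoff_ip": str(ip) if ip is not None else None,
        "in_watched_net": ip is not None and any(ip in net for net in WATCHED_NETS),
        "spf_result": get("received-spf").split(" ", 1)[0] or None,
        "filler_headers": [n for n, _ in headers if n.lower() not in KNOWN_HEADERS],
        "return_path_domain": get("return-path").strip("<>").rpartition("@")[2] or None,
    }
```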
