
reveal obfuscated url for reporting

A common spammer tactic is to obfuscate referring URLs with Google search domains and to leverage the USG hash (white-list) to circumvent the redirect notification.

When reporting to SpamCop, it fails to strip the Google portion (and USG hash) and ends up citing that Google is not interested in such reports (which is well known). As a consequence, the obfuscated URLs are never reported to the hoster.

Below is a list of such obfuscated URLs, used by a ROKSO actor and embedded in the spam message body, that SpamCop fails to parse and strip.

I'm afraid you'll have to preprocess the mail yourself and replace the google urls with the obfuscated ones, or add them as new links after each instance. This could get tedious if you have many of them, but you should be able to write a perl script to help.

This is what I do. The code to unpack mime messages, parse each attachment, sanitize and demunge and extract payload urls from js, word and powershell macros, while also removing bayes poisoning text, resolving link shorteners, redacting innocent sites and personal information and coping with all the tricks the spammers and scammers use is truly frightening!

I have been reporting hundreds of messages a day, mostly automatically, for over a decade and still haven't managed to catch all the edge cases, and it takes up a significant amount of my time that I probably should be using to find some work that actually pays!
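The unwrapping step both posts describe (the first post's `google.*/url?sa=t&url=...&usg=...` wrapper, the reply's idea of preprocessing the mail before submission), written out as an added Python example; this is not SpamCop's code nor the poster's Perl script. The host `example.invalid` and the `usg` values are constructed placeholders.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Google search front ends on any country TLD (google.com, google.de, google.co.uk ...).
GOOGLE_HOST = re.compile(r"^(www\.)?google\.[a-z]{2,3}(\.[a-z]{2})?$", re.IGNORECASE)
# Crude link finder for a plain-text body; stops at whitespace, brackets and quotes.
LINK_RE = re.compile(r"https?://[^\s<>\"']+")

def unwrap_google_redirect(url: str) -> Optional[str]:
    """Return the real destination of a Google /url redirect, or None.

    Handles both forms in the thread, url=http%3A%2F%2F... and url=http://...;
    parse_qs already percent-decodes, so the value is not decoded twice.
    sa= and usg= are dropped: the usg hash only marks the redirect as
    whitelisted at Google, it says nothing about who hosts the target.
    """
    parts = urlparse(url)
    if not GOOGLE_HOST.match(parts.netloc) or parts.path != "/url":
        return None
    params = parse_qs(parts.query)
    for key in ("url", "q"):  # url= is the current form, q= the older one
        for target in params.get(key, []):
            if urlparse(target).scheme in ("http", "https"):  # reject javascript:, data:
                return target
    return None

def rewrite_links(body: str) -> str:
    """Replace each Google-wrapped link in a message body with its real target."""
    return LINK_RE.sub(lambda m: unwrap_google_redirect(m.group(0)) or m.group(0), body)

def report_targets(body: str) -> List[str]:
    """Unique unwrapped targets in order of first appearance: what to report to the hoster."""
    seen: List[str] = []
    for link in LINK_RE.findall(body):
        target = unwrap_google_redirect(link)
        if target and target not in seen:
            seen.append(target)
    return seen

# Constructed sample body; hosts and usg values are placeholders, not the thread's.
SAMPLE_BODY = (
    "Offer: https://www.google.de/url?sa=t&url=http%3A%2F%2Fexample.invalid%2F&usg=AOvVawPLACEHOLDER\n"
    "Mirror: https://www.google.com/url?sa=t&url=http://example.invalid/&usg=AOvVawPLACEHOLDER\n"
    "Unrelated: https://www.google.com/search?q=spamcop\n"
)

if __name__ == "__main__":
    print(rewrite_links(SAMPLE_BODY))
    print(report_targets(SAMPLE_BODY))
```

In the raw (unencoded) form a target carrying its own `&`-separated query string is split by `parse_qs`, so the encoded form is the only one that round-trips such targets intact.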

Five years ago, this piece was posted by someone who is now a Chief Information Security Officer (CISO) and was then working in cybersecurity with NCR:

https://isc.sans.edu/forums/diary/How+Malware+Campaigns+Employ+Google+Redirects+and+Analytics/19843/

I agree, a feature request is the best policy, as not everyone has the ability and possibility to run a script with every submission, whereas every submission runs through a script 😉