
most spams lately with attachment (XHTML or HTML)


RobiBue


(Please don't ask for a Tracking URL as this is just an informative post and not a help wanted ;) )

Lately, all spams I have been getting are phishing spams containing an attachment which is encoded in base64 (mostly short)

I then run it through the trusty online base64 decoder to get the source

(mostly something like

<body onload="document.location.href=window.atob('aHR0cHM6Ly94dm94Mi5iZW1vYnRyay5jb20vZ28vYWM2LXNvbWUgdHJhY2luZyBudW1iZXJzPyM=');" /> 

note: the .atob link was modified by me to keep the original website domain intact but changed the tracing info)

I then run only the atob text through the decoder again to receive the website it would "take me to" (although there is more)...

https://xvox2.bemobtrk.com/go/ac6-some tracing numbers?#

Now, I open my cygwin terminal and start a wget --spider website command (--spider to keep the last page from downloading because usually that part doesn't interest me).

The result I get is something like this (I also changed some tracing information that is not relevant to this post -- mostly anything in [%..%]):

$ wget --spider https://xvox2.bemobtrk.com/go/ac6sometracingnumbers?#
Spider mode enabled. Check if remote file exists.
--2021-10-24 08:35:10--  https://xvox2.bemobtrk.com/go/ac6sometracingnumbers?
Resolving xvox2.bemobtrk.com (xvox2.bemobtrk.com)... 35.153.222.28, 54.172.72.35, 3.232.85.129, ...
Connecting to xvox2.bemobtrk.com (xvox2.bemobtrk.com)|35.153.222.28|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://go.2coo.xyz/click?pid=[%number%]&offer_id=[%offer%]&bemobdata=[%somemoredata%] [following]
Spider mode enabled. Check if remote file exists.
--2021-10-24 08:35:10--  https://go.2coo.xyz/click?pid=[%number%]&offer_id=[%offer%]&bemobdata=[%somemoredata%]
Resolving go.2coo.xyz (go.2coo.xyz)... 172.67.142.95, 104.21.79.57, 2606:4700:3034::ac43:8e5f, ...
Connecting to go.2coo.xyz (go.2coo.xyz)|172.67.142.95|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://trace.affiliateedge.com/visit/?bta=[%btanumber%]&nci=[%ncinumber%]&afp=[%afpinformation%] [following]
Spider mode enabled. Check if remote file exists.
--2021-10-24 08:35:11--  https://trace.affiliateedge.com/visit/?bta=[%btanumber%]&nci=[%ncinumber%]&afp=[%afpinformation%]
Resolving trace.affiliateedge.com (trace.affiliateedge.com)... 35.234.86.61
Connecting to trace.affiliateedge.com (trace.affiliateedge.com)|35.234.86.61|:443... connected.
HTTP request sent, awaiting response... 302 Object moved
Location: https://www.luckyredcasino.com/?btag=[%btagcode%] [following]
Spider mode enabled. Check if remote file exists.
--2021-10-24 08:35:12--  https://www.luckyredcasino.com/?btag=[%btagcode%]
Resolving www.luckyredcasino.com (www.luckyredcasino.com)... 104.18.226.39, 104.18.227.39, 2606:4700::6812:e227, ...
Connecting to www.luckyredcasino.com (www.luckyredcasino.com)|104.18.226.39|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.

add that with a modification note to the spam source and let every single one of the link owners know that they need to keep their phishing clients from accessing the web!

 

Here it was (including the original source of the phishing spam)

( https://trace.affiliateedge.com/visit/?bta=... ) To: google-cloud-compliance@google.com
( https://www.luckyredcasino.com/?btag=... ) To: abuse@cloudflare.com
( https://go.2coo.xyz/click?pid=... ) To: abuse@cloudflare.com
( 134.0.112.147 ) To: abuse@reg.ru 

I am hoping that they all get their act together ;)

 

Sometimes I do check the resulting file, mostly when it's a direct 200 result and not a 302 redirect, and there I sometimes find in the source something like this, or a JS which loads a page similarly, and just run it as above...

<body onload="document.location.href=window.atob('aHR0cHM6Ly94dm94Mi5iZW1vYnRyay5jb20vZ28vYWM2LXNvbWUgdHJhY2luZyBudW1iZXJzPyM=');" /> 

 


  • 3 weeks later...
On 10/24/2021 at 9:04 AM, RobiBue said:

Lately, all spams I have been getting are phishing spams containing an attachment which is encoded in base64 (mostly short)

Spammers have been using base64 for a few decades to get their spam hidden by MTA rules and SpamCop. Maybe they found out that SpamCop does decode most base64 stuff, or maybe they are looking for a new rule method to be able to hide the links or spam text.


12 hours ago, gnarlymarley said:

Spammers have been using base64 for a few decades to get their spam hidden by MTA rules and SpamCop. 

I mostly use it to follow links manually without downloading any malware (hence my --spider flag in the wget call) to get to the origin of the scam instead of hitting only the first link with a complaint ;)


16 hours ago, RobiBue said:

I mostly use it to follow links manually without downloading any malware

I don't think SpamAssassin has a rule for the atob base64 decoding, but I added one so if I get an email that tries to use atob in the body, it should be rejected at the SMTP level. Thanks for the heads up.

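The workflow this thread describes, written up as an added example that is not part of either poster's own tooling: decode the base64 attachment, flag and decode any atob('...') argument in the body (the condition gnarlymarley's filter rule keys on), and walk the redirect chain hop by hop with HEAD-style requests the way RobiBue's wget --spider run does, without fetching the landing page. The domains and the HEAD responder are constructed stand-ins, not the thread's real tracking hosts; swap in a real HEAD client for the `head` argument to use it on a live chain.

```python
import base64
import re
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin

# Constructed sample attachment: HTML whose onload decodes its target with atob(),
# the shape described in the thread; the URL is a placeholder, not the real tracker.
SAMPLE_HTML = ('<body onload="document.location.href=window.atob(\''
               + base64.b64encode(b"https://tracker.example/go/abc?#").decode() + '\');" />')
SAMPLE_ATTACHMENT = base64.b64encode(SAMPLE_HTML.encode()).decode()
ATOB_RE = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
Head = Callable[[str], Tuple[int, Optional[str]]]  # url -> (status, Location header or None)

def extract_atob_urls(html: str) -> List[str]:
    """Step 2 and the detection point: decode every atob('...') argument found in the body."""
    urls = []
    for arg in ATOB_RE.findall(html):
        try:
            urls.append(base64.b64decode(arg, validate=True).decode("utf-8", errors="replace"))
        except ValueError:  # binascii.Error is a ValueError; skip junk arguments
            continue
    return urls

def follow_chain(url: str, head: Head, max_hops: int = 10) -> List[Tuple[str, int]]:
    """Step 3: replay wget --spider with HEAD requests; stop on non-redirect, loop or max_hops."""
    chain, seen = [], set()
    url = url.split("#", 1)[0]  # the fragment never reaches the server, as the wget log shows
    while url and url not in seen and len(chain) < max_hops:
        seen.add(url)
        status, location = head(url)
        chain.append((url, status))
        url = urljoin(url, location) if status in (301, 302, 303, 307, 308) and location else None
    return chain

def constructed_head(url: str) -> Tuple[int, Optional[str]]:
    """Offline stand-in for a real HEAD request, mirroring the 302 -> 302 -> 200 shape of the log."""
    table = {
        "https://tracker.example/go/abc?": (302, "https://clicks.example/click?pid=1"),
        "https://clicks.example/click?pid=1": (302, "/visit/?bta=2"),  # relative Location
        "https://clicks.example/visit/?bta=2": (200, None),
    }
    return table.get(url, (404, None))

def triage(b64_attachment: str, head: Head) -> List[List[Tuple[str, int]]]:
    """Whole workflow: one redirect chain per atob URL; an empty list means no atob in the body."""
    html = base64.b64decode(b64_attachment).decode("utf-8", errors="replace")  # step 1: attachment -> source
    return [follow_chain(u, head) for u in extract_atob_urls(html)]
```

Each (url, status) hop in the returned chain is an abuse-report target in its own right, which is the point RobiBue makes about not stopping at the first link.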
