RobiBue
Posted October 24, 2021

(Please don't ask for a Tracking URL, as this is just an informative post and not a help wanted.)

Lately, all spams I have been getting are phishing spams containing an attachment which is encoded in base64 (mostly short).

I then run it through the trusty online base64 decoder to get the source (mostly something like

<body onload="document.location.href=window.atob('aHR0cHM6Ly94dm94Mi5iZW1vYnRyay5jb20vZ28vYWM2LXNvbWUgdHJhY2luZyBudW1iZXJzPyM=');" />

note: the .atob link was modified by me to keep the original website domain intact but changed the tracing info).

I then run only the atob text through the decoder again to receive the website it would "take me to" (although there is more)...

https://xvox2.bemobtrk.com/go/ac6-some tracing numbers?#

Now I open my cygwin terminal and start a wget --spider website command (--spider to keep the last page from downloading, because usually that part doesn't interest me). The result I get is something like this (I also changed some tracing information that is not relevant to this post -- mostly anything in [%..%]):

$ wget --spider https://xvox2.bemobtrk.com/go/ac6sometracingnumbers?#
Spider mode enabled. Check if remote file exists.
--2021-10-24 08:35:10--  https://xvox2.bemobtrk.com/go/ac6sometracingnumbers?
Resolving xvox2.bemobtrk.com (xvox2.bemobtrk.com)... 35.153.222.28, 54.172.72.35, 3.232.85.129, ...
Connecting to xvox2.bemobtrk.com (xvox2.bemobtrk.com)|35.153.222.28|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://go.2coo.xyz/click?pid=[%number%]&offer_id=[%offer%]&bemobdata=[%somemoredata%] [following]
Spider mode enabled. Check if remote file exists.
--2021-10-24 08:35:10--  https://go.2coo.xyz/click?pid=[%number%]&offer_id=[%offer%]&bemobdata=[%somemoredata%]
Resolving go.2coo.xyz (go.2coo.xyz)... 172.67.142.95, 104.21.79.57, 2606:4700:3034::ac43:8e5f, ...
Connecting to go.2coo.xyz (go.2coo.xyz)|172.67.142.95|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://trace.affiliateedge.com/visit/?bta=[%btanumber%]&nci=[%ncinumber%]&afp=[%afpinformation%] [following]
Spider mode enabled. Check if remote file exists.
--2021-10-24 08:35:11--  https://trace.affiliateedge.com/visit/?bta=[%btanumber%]&nci=[%ncinumber%]&afp=[%afpinformation%]
Resolving trace.affiliateedge.com (trace.affiliateedge.com)... 35.234.86.61
Connecting to trace.affiliateedge.com (trace.affiliateedge.com)|35.234.86.61|:443... connected.
HTTP request sent, awaiting response... 302 Object moved
Location: https://www.luckyredcasino.com/?btag=[%btagcode%] [following]
Spider mode enabled. Check if remote file exists.
--2021-10-24 08:35:12--  https://www.luckyredcasino.com/?btag=[%btagcode%]
Resolving www.luckyredcasino.com (www.luckyredcasino.com)... 104.18.226.39, 104.18.227.39, 2606:4700::6812:e227, ...
Connecting to www.luckyredcasino.com (www.luckyredcasino.com)|104.18.226.39|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.

I add that, with a modification note, to the spam source and let every single one of the link owners know that they need to keep their phishing clients from accessing the web!

Here it was (including the original source of the phishing spam):

( https://trace.affiliateedge.com/visit/?bta=... ) To: google-cloud-compliance@google.com
( https://www.luckyredcasino.com/?btag=... ) To: abuse@cloudflare.com
( https://go.2coo.xyz/click?pid=... ) To: abuse@cloudflare.com
( 134.0.112.147 ) To: abuse@reg.ru

I am hoping that they all get their act together.

Sometimes I do check the resulting file, mostly when it's a direct 200 result and not a 302 redirect, and there I sometimes find in the source something like this, or a JS which loads a page similarly, and just run it as above...

<body onload="document.location.href=window.atob('aHR0cHM6Ly94dm94Mi5iZW1vYnRyay5jb20vZ28vYWM2LXNvbWUgdHJhY2luZyBudW1iZXJzPyM=');" />
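The manual procedure in the post above (base64-decode the attachment, pull out and decode the window.atob() payload, then walk the 302 chain without downloading the landing page) scripted end to end. This is an added example, not RobiBue's code: the onload body and the atob payload are the ones quoted in the post, the real fetcher sends HEAD requests with redirects disabled the way wget --spider does, and the FAKE_CHAIN table is a constructed offline replay of the four hops shown in the wget output (tracking parameters replaced by "..." as in the post) so the script can be run and checked without touching any of those hosts.

```python
import base64
import re
import urllib.error
import urllib.parse
import urllib.request

# Matches the argument of window.atob('...') / atob("...") inside HTML or inline JS.
ATOB_RE = re.compile(r"""\batob\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)""")


def decode_attachment(b64_attachment: str) -> str:
    """First decode: the base64-encoded attachment back into its HTML source."""
    return base64.b64decode(b64_attachment).decode("utf-8", errors="replace")


def extract_atob_targets(html: str) -> list:
    """Second decode: every atob('...') payload, decoded to the URL the browser would load."""
    targets = []
    for match in ATOB_RE.finditer(html):
        payload = "".join(match.group(1).split())  # browsers' atob() ignores embedded whitespace
        targets.append(base64.b64decode(payload).decode("utf-8", errors="replace"))
    return targets


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 30x on its own so every hop is visible to us."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_head(url: str, timeout: float = 10.0):
    """One HEAD request, no body download (the --spider equivalent).
    Returns (status_code, Location header or None)."""
    # Percent-encode spaces etc. so http.client accepts the URL; urllib drops the fragment like wget.
    safe_url = urllib.parse.quote(url, safe="/:?#&=%+@;,~")
    req = urllib.request.Request(safe_url, method="HEAD")
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled every 3xx (and any 4xx/5xx) surfaces as an HTTPError.
        return err.code, err.headers.get("Location")


def follow_chain(url: str, fetch=http_head, max_hops: int = 10) -> list:
    """Walk the redirect chain hop by hop, returning [(status, url), ...].
    `fetch` is injectable so a captured chain can be replayed offline."""
    hops = []
    for _ in range(max_hops):
        status, location = fetch(url)
        hops.append((status, url))
        if 300 <= status < 400 and location:
            url = urllib.parse.urljoin(url, location)  # Location may be relative
        else:
            return hops
    hops.append((None, url))  # hop budget exhausted: loop or very long chain
    return hops


# Constructed sample: the onload body quoted in the post, base64-encoded as it arrives attached.
SAMPLE_HTML = (
    '<body onload="document.location.href=window.atob('
    "'aHR0cHM6Ly94dm94Mi5iZW1vYnRyay5jb20vZ28vYWM2LXNvbWUgdHJhY2luZyBudW1iZXJzPyM=');\" />"
)
SAMPLE_ATTACHMENT = base64.b64encode(SAMPLE_HTML.encode()).decode()

# Constructed offline replay of the hops in the post's wget output (tracking parameters elided).
FAKE_CHAIN = {
    "https://xvox2.bemobtrk.com/go/ac6-some tracing numbers?#":
        (302, "https://go.2coo.xyz/click?pid=..."),
    "https://go.2coo.xyz/click?pid=...":
        (302, "https://trace.affiliateedge.com/visit/?bta=..."),
    "https://trace.affiliateedge.com/visit/?bta=...":
        (302, "https://www.luckyredcasino.com/?btag=..."),
    "https://www.luckyredcasino.com/?btag=...": (200, None),
}


def fake_fetch(url):
    """Offline stand-in for http_head that replays FAKE_CHAIN."""
    return FAKE_CHAIN.get(url, (404, None))


def unwrap_and_trace(b64_attachment: str, fetch=http_head) -> dict:
    """The whole procedure: decode attachment -> decode atob targets -> trace each chain."""
    html = decode_attachment(b64_attachment)
    return {target: follow_chain(target, fetch=fetch) for target in extract_atob_targets(html)}


if __name__ == "__main__":
    # Swap fetch=http_head in to trace a live chain; fake_fetch keeps this demo offline.
    for start, hops in unwrap_and_trace(SAMPLE_ATTACHMENT, fetch=fake_fetch).items():
        print("start:", start)
        for status, url in hops:
            print(f"  {status}  {url}")
```

Hosts that refuse HEAD show up as a 4xx hop, exactly as they would under wget --spider, and the hop budget turns a redirect loop into a terminating (None, url) entry instead of a hang. Each (status, url) pair maps directly onto one abuse report, which is the point of tracing the chain rather than reporting only the first link.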
gnarlymarley
Posted November 9, 2021

On 10/24/2021 at 9:04 AM, RobiBue said:
    Lately, all spams I have been getting are phishing spams containing an attachment which is encoded in base64 (mostly short)

Spammers have been using base64 for a few decades to get their spam hidden by MTA rules and SpamCop. Maybe they found out that SpamCop does decode most base64 stuff, or maybe they are looking for a new rule method to be able to hide the links or spam text.
RobiBue
Posted November 10, 2021

12 hours ago, gnarlymarley said:
    Spammers have been using base64 for a few decades to get their spam hidden by MTA rules and SpamCop.

I mostly use it to follow links manually without downloading any malware (hence my --spider flag in the wget call), to get to the origin of the scam instead of hitting only the first link with a complaint.
gnarlymarley
Posted November 11, 2021

16 hours ago, RobiBue said:
    I mostly use it to follow links manually without downloading any malware

I don't think spamassassin has a rule for the atob base64 decoding, but I added one, so if I get an email that tries to use atob in the body, it should be rejected at the SMTP level. Thanks for the heads up.