Rich Quick Make Money!

Published: 2012-12-06
Last Updated: 2012-12-06 18:54:27 UTC
by Daniel Wesemann (Version: 1)
2 comment(s)

Based on reader reports (thanks Fred!) it looks like some carefully crafted spam is making its way past filters at the moment. The spams have content like

To all of my friends who didn't have the a moment to watch me on the channel-20 news last Tuesday talking about my blog, and financial accomplishments. I'm forwarding you the News Article, so you can read the whole story on how I became financially independent and wealthy. hxxp://r,turn,com/r/formclick/id/Ln5c6GsFyTbGgAsAbQABAA/url/%68%74%74%70%3a%2f\%6a%2e%6d%70/TSQHMO?djyna

I'm using hxxp and "," instead of "." to keep the domains from becoming clickable, and to hopefully keep your spam/virus filter from panicking belatedly over this ISC diary instead of over the real spam earlier :)

We first expected some sort of Fake AV malware campaign, but it looks like the site "only" pushes the latest work-at-home-get-rich-quick scam. At least for the moment. Looking at the URL closely, here's what's going down: r,turn,com has an open redirect. The bad guys use this as a trampoline to bounce whoever clicks on the link to the next stage.

"%68%74%74%70%3a%2f\%6a%2e%6d%70" is just percent-encoded ASCII and decodes to "hxxp:/\j,mp" (note the backslash, which browsers accept in place of the second slash), so the next stage is hxxp://j,mp/TSQHMO?djyna.

There, we get a redirect to hxxp://wallyplanet,info/fizo.htm?33722, where we get a file that contains window.location = "hxxp://bit,ly/Vn3lWj". That redirects to hxxp://picklecook,us/fizo2.htm, where we get a file that contains window.location = "hxxp://CNBC-20NEWS,NET/momstory294b.htm", where we finally get the sob story and the get-rich-quick scam.

I doubt the spam filters follow this mess all the way, so the URL reputation scoring in the spam filters apparently got tricked and let the email through.
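To show what a filter would actually have to do to score the final landing page rather than the trampoline, here is an added example (not code from the diary or from ISC) that decodes the percent-encoded "url" segment of the r.turn.com link, recovers the embedded j.mp URL, and then walks the redirect chain statically. The page contents are constructed samples held in a dictionary so nothing is fetched from the network; hostnames are the ones named in the diary with the defanging reversed, and the function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urljoin, urlparse

# The spam link from the diary with hosts un-defanged (',' -> '.', hxxp -> http).
# The backslash after %2f is part of the original link, not a Python escape.
SPAM_URL = ("http://r.turn.com/r/formclick/id/Ln5c6GsFyTbGgAsAbQABAA"
            "/url/%68%74%74%70%3a%2f\\%6a%2e%6d%70/TSQHMO?djyna")
ENCODED_SEGMENT = "%68%74%74%70%3a%2f\\%6a%2e%6d%70"

URL_RE = re.compile(r"^https?://", re.I)
# Two ways a 200 OK page can forward the visitor without an HTTP redirect.
JS_LOCATION_RE = re.compile(r"""window\.location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)
META_REFRESH_RE = re.compile(r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]*url=([^"'>\s]+)""", re.I)

# Constructed sample of the chain described in the diary: url -> (status, Location, body).
SAMPLE_PAGES: Dict[str, Tuple[int, Optional[str], str]] = {
    "http://j.mp/TSQHMO?djyna": (301, "http://wallyplanet.info/fizo.htm?33722", ""),
    "http://wallyplanet.info/fizo.htm?33722": (200, None,
        '<html><script>window.location = "http://bit.ly/Vn3lWj";</script></html>'),
    "http://bit.ly/Vn3lWj": (301, "http://picklecook.us/fizo2.htm", ""),
    "http://picklecook.us/fizo2.htm": (200, None,
        '<script>window.location="http://CNBC-20NEWS.NET/momstory294b.htm"</script>'),
    "http://CNBC-20NEWS.NET/momstory294b.htm": (200, None, "<html>sob story</html>"),
}


def decode_embedded_url(segment: str) -> str:
    """Percent-decode a URL fragment and normalise 'http:/\\' to 'http://'.

    Browsers treat a backslash like a forward slash in the scheme delimiter,
    so the lure still resolves while looking less like a URL to a naive filter."""
    decoded = unquote(segment)
    return re.sub(r"^(https?:)[/\\]{2}", lambda m: m.group(1) + "//", decoded, flags=re.I)


def extract_trampoline_target(url: str) -> Optional[str]:
    """Find a full URL smuggled inside the query or path of an open-redirect link."""
    parsed = urlparse(url)
    # Query-parameter style: ?url=http%3A%2F%2F...
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:
            decoded = decode_embedded_url(value)
            if URL_RE.match(decoded):
                return decoded
    # Path style (as in the diary): /url/<encoded scheme+host>/<rest of path>?<query>
    segments = parsed.path.split("/")
    for i, segment in enumerate(segments):
        decoded = decode_embedded_url(segment)
        if URL_RE.match(decoded):
            rest = "/".join(segments[i + 1:])
            target = decoded + ("/" + rest if rest else "")
            if parsed.query:
                target += "?" + parsed.query
            return target
    return None


def follow_chain(start: str, pages: Dict[str, Tuple[int, Optional[str], str]],
                 max_hops: int = 10) -> List[str]:
    """Walk HTTP redirects, window.location and meta-refresh hops from `start`,
    using the offline `pages` table in place of real fetches. Stops on a loop,
    an unknown URL, or max_hops."""
    chain, seen, url = [start], {start}, start
    for _ in range(max_hops):
        entry = pages.get(url)
        if entry is None:
            break
        status, location, body = entry
        nxt = None
        if status in (301, 302, 303, 307, 308) and location:
            nxt = location
        else:
            match = JS_LOCATION_RE.search(body) or META_REFRESH_RE.search(body)
            if match:
                nxt = match.group(1)
        if nxt is None:
            break
        nxt = urljoin(url, nxt)
        if nxt in seen:  # loop guard
            break
        seen.add(nxt)
        chain.append(nxt)
        url = nxt
    return chain


def unravel(spam_url: str, pages: Dict[str, Tuple[int, Optional[str], str]]) -> List[str]:
    """Full chain from the spam link to the landing page, trampoline included."""
    target = extract_trampoline_target(spam_url)
    if target is None:
        return [spam_url]
    return [spam_url] + follow_chain(target, pages)


if __name__ == "__main__":
    for hop in unravel(SPAM_URL, SAMPLE_PAGES):
        print(hop)
```

The last element of the chain is what a URL reputation check would need to score; the first element (the open redirector on a legitimate domain) is what it actually sees, which is the whole point of the trampoline.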


Comments

I've seen a lot of these recently too, but the ones I've seen all redirect through Google's 'I'm feeling lucky' search function. The text, however, is very similar.

http://www.spamcop.net/sc?id=z5437114469z86be7092445a4ce5204f6e49e98b94d8z;action=display
I wrote a little article on this last week. The one I received used the I'm feeling lucky function as well. The funny part is that my site started becoming the number 1 site for that particular search term, thus leading the affected users to land on my site versus the malicious content. My article: http://www.tekdefense.com/news/2012/12/4/are-you-feeling-lucky.html