February 22, 2011

A refreshing change to our .ORG site: it's now serving spam

Ran Mosessco, Principal Security Researcher

Websense Security Labs™ gets to see a lot of large email spam campaigns that come through our ThreatSeeker™ Network. However, what's nice is that not only do we get to analyze and protect against the larger campaigns, we can also notice smaller campaigns or oddball variants. 

A few days ago, we came across an interesting piece of email. Although the campaign is small, it shows the crossover of malicious-style compromises (hacked legitimate sites hosting obfuscated JavaScript) into the spam world. It also highlights the business model the spammers are working from... or perhaps it points to something more dangerous (more on that later). 

Websense customers are protected with our Advanced Classification Engine analytics, our suite of technologies within TRITON

The process starts with an email that has a subject line like "The refreshed site of our company". The message thanks the recipient for assisting "the company" in solving a problem they had on their Web site, and urges the user to open the site. Here are a couple of examples:


Figure 1:


Figure 2:


So, the spammers are using social engineering to lure the user into clicking on the provided link. For an informed user, this type of text should raise a red flag: it is too generic to be legitimate, and doesn't contain enough information about "the company" to identify it. When I saw this email I immediately thought "malicious", since this type of social engineering is prevalent in malicious mails. Notice the "testimonials" about the "service" - what type of service?


However, the text is generic enough by itself to bypass content rules (unless rules are specifically written against this campaign). The links provided point to pages on compromised legitimate Web sites, so the spammers are once again trying to bypass reputation-based filtering, since those domains have a clean history. All of this is very common these days.


Clicking on the provided links leads us to the compromised Web sites, where we see very little content on the specific pages:


Figure 3:


But what we do see is quite suspicious: obfuscated JavaScript. This further supports the notion that something malicious is going on. We could use one of the handy tools we have here at Websense Security Labs™ to deobfuscate the HTML source, but instead, let's pause for a minute and try to do it manually.

The script starts by defining the variable ihe46 as an array of two- and three-digit numbers. Scanning further down, we find a "for" loop that does +String.fromCharCode(kw1277), so the loop builds a string out of character codes. It runs over the length of ihe46 and uses its values to build the string... but not the raw values, as this bit shows: {kw1277=ihe46[kmbi209]-65. So 65 is subtracted from each number in the array before it is converted, and the result is the real character code. For example, the first number is 165; 165 minus 65 is 100, and 100 is the ASCII code for the lowercase letter "d". If we continue down the series we arrive at the final string, which reads:


Figure 4:
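To make the manual decoding above repeatable, here is an added example (my own code, not the script from the compromised page) that mirrors the obfuscated loop: subtract a fixed offset from each array element and feed the result to String.fromCharCode. The post only quotes the first array value (165) and the offset (65), so the array below is constructed for this example by encoding a placeholder redirect string; the real target URL is not reproduced. Because the second sample in the post used a different offset, the example also brute-forces the offset, keeping only candidates that decode to printable ASCII and ranking them by script-like tokens.

```javascript
// Offset used by the first sample in the post (the script subtracted 65).
const OFFSET = 65;

// Constructed placeholder payload for this example: NOT the string from the page.
// Its first character 'd' encodes to 100 + 65 = 165, matching the value quoted above.
const SAMPLE_SCRIPT = 'document.location="http://example.invalid/";';

// Build an obfuscated array the way the spammers' encoder must have:
// char code plus offset, giving a list of 2-3 digit numbers.
function encode(str, offset) {
  return Array.from(str, ch => ch.charCodeAt(0) + offset);
}

// Constructed stand-in for the page's ihe46 array.
const ihe46 = encode(SAMPLE_SCRIPT, OFFSET);

// The decoder, equivalent to the obfuscated loop:
//   for (...) { kw1277 = ihe46[kmbi209] - 65; s += String.fromCharCode(kw1277); }
function decode(nums, offset) {
  let out = '';
  for (let i = 0; i < nums.length; i++) {
    out += String.fromCharCode(nums[i] - offset);
  }
  return out;
}

// Brute-force the offset when it is not obvious from the source. The right
// offset yields printable ASCII (plus tab/CR/LF) and usually contains tokens
// such as "http" or "location"; everything else decodes to garbage.
function guessOffset(nums) {
  const markers = ['http', 'location', 'iframe', 'script', 'eval', 'document'];
  const candidates = [];
  for (let offset = 0; offset < 256; offset++) {
    const text = decode(nums, offset);
    const printable = [...text].every(ch => {
      const c = ch.charCodeAt(0);
      return (c >= 32 && c <= 126) || c === 9 || c === 10 || c === 13;
    });
    if (!printable) continue;
    const lower = text.toLowerCase();
    const hits = markers.filter(m => lower.includes(m)).length;
    candidates.push({ offset, hits, text });
  }
  // Highest marker count first; null if no offset gives printable output.
  candidates.sort((a, b) => b.hits - a.hits);
  return candidates.length ? candidates[0] : null;
}

// Stand-alone run: decode with the known offset, then recover it blind.
console.log('known offset :', decode(ihe46, OFFSET));
const guess = guessOffset(ihe46);
console.log('guessed offset:', guess && guess.offset, '->', guess && guess.text);
```

On real pages the array is usually much longer and the decoded string is typically a document.location assignment or a script/iframe tag; the printable-ASCII filter alone discards almost every wrong offset, and the marker count breaks the remaining ties.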


Following the link, I expected it to lead to a malicious Web site. Instead, a familiar face appeared:


Figure 5:


Yes, it's our friend the smirking Canadian pharmacist...


The other example, also obfuscated in the same way but with a different offset, leads to a similar result:


Figure 6:


This is not the first time we have seen a connection between malicious techniques and spam (see our posts from September 2010 and June 2010), and it's no surprise, since the infrastructure used to spread malicious and spam content is shared (botnets). What we are also reminded of here is how the spammers' business model shapes the way the spam is delivered. In this case, there's quite a departure from "normal" pharmaceutical spam: the initial email message contains no pharmaceutical terms whatsoever. The spammers need the link to be clicked to make their money, so they will use whatever technique gets the user to do that. We can assume that the spammers' "clients" (owners of the various pharmaceutical sites) would prefer actual orders being placed on the final target site, so it's not clear how popular this technique will be for "straight spam". We should also remember that any compromised site can be turned malicious at any moment; we have seen, for example, how Zeus in the past redirected the victim to pharmaceutical sites after the victim's machine was exploited.


So, this campaign could either be a spam experiment... or maybe a staging/dry run for a malicious campaign. We'll have to wait and see.


In the meantime, we suggest resisting the temptation to see how you helped an unknown company improve their Web site...


Ran Mosessco

Principal Security Researcher
