The Amazon Attachment Spam Attack Gets Weirder

My javascript interpretation isn’t good enough to understand whether this is a vicious or just suspicious set of emails. I think we’re being set up. The next hits probably won’t be as docile.

This past weekend I wrote about a totally harmless, weirdly meaningless spam attack. Thursday afternoon another began. I’ve got 80 already.

I think they’re coming from the same place except this one is a lot scarier.

The weekend spam attack was just a few words. Once it was sent it was totally out of the spammer’s control. Today’s spam delivers an html file. Strings attached? Could be.

In and of itself, html isn’t a problem. The entire worldwide web is built on html. This file’s contents seem to be a duplicate of something Amazon.com legitimately sends. Thursday afternoon that lulled me into a sense of security. Then I got a comment from Vince Batchelor.

If you look at the source of the html file, you see some javascript in the middle of the file.

Again, like html, javascript itself isn’t nefarious. Nearly every web page you visit uses javascript, even this one! The javascript in this spam is different. It’s squeezed into the middle of the Amazon message where it definitely doesn’t belong. Inside the javascript is an encoded set of commands¹. Unlike the rest of the javascript, the encoding makes this part unreadable by humans!

Don’t worry it can still be decoded!

I’m a little over my head here, but the code creates a clickable link to a South African website which in turn sends you to another website which Google labels a malware carrier. I’m sure I don’t have that 100% right. Whatever it does, it’s unexpected and eyebrow-raising.

This spam continues to be passed to my inbox by Gmail as if it were no problem at all! Shouldn’t they be filtering it?

My javascript interpretation isn’t good enough to understand whether this is a vicious or just suspicious set of emails, but I think we’re being set up. The next hits probably won’t be as docile.

¹ – For those of you who’d like to examine the code, I’ve placed it here.

3 thoughts on “The Amazon Attachment Spam Attack Gets Weirder”

  1. [note – Alexander decoded the file and placed it in his comments. Even though he made it refer to a non-existent page some browsers thought that itself was a virus! I have removed his code but left his explanation – Geoff]

    What the payload does is the following:

    [removed]

    As you can see, my version simply adds a meta header that redirects the current page to hxxp://graduationoutfitters.co.za/1.html

    It appears that each email redirects to a different .html page, all of which are hosted on legitimate websites (http://graduationoutfitters.co.za/ is not a spam/virus distributor) that have probably been hacked.

    The table is inserted by a tool named HTMLPower. It appears that it has nothing to do with the actual payload.

  2. For those of us defenseless types, it could help if you post the subject lines of these spamails as they appear. Right now I have nothing but the usual suspects in my spam folder, but I’d love to know what to look out for if they start making it by.
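As an added example, not code from the post or from either commenter, here is a Python triage script that does by hand what a mail filter would need to do with an attachment like this one: pull the script blocks out of the HTML, peel off the unescape()/String.fromCharCode() encoding that makes the payload unreadable, and report any redirect the decoded code writes, flagging it when the destination is not on the brand the message claims to come from. The sample attachment, the claimed-sender domain and the .example redirect target are all constructed for the demonstration; the real sample’s meta refresh target is the one Alexander names in the first comment.

```python
import re
import urllib.parse
from html.parser import HTMLParser

# Constructed sample attachment: an "order confirmation" lookalike with an
# obfuscated script wedged between two harmless table rows. The redirect
# target uses the reserved .example TLD; it is not the domain from the post.
SAMPLE_ATTACHMENT = """<html><body><table>
<tr><td>Thank you for your order. Order #123-4567890-1234567</td></tr>
<tr><td><script type="text/javascript">
document.write(unescape('%3Cmeta%20http-equiv%3D%22refresh%22%20content%3D%220%3Burl%3Dhttp%3A%2F%2Fredirect-target.example%2F1.html%22%3E'));
</script></td></tr>
<tr><td>Questions? Visit our help pages.</td></tr>
</table></body></html>"""

# Domain(s) the message claims to come from (assumption for the sample).
CLAIMED_DOMAINS = {"amazon.com"}


class _ScriptCollector(HTMLParser):
    """Gather the raw text of every <script> element in the document."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


_UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
_FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")

def _js_unescape(encoded):
    """Mimic JavaScript unescape(): %XX and %uXXXX sequences."""
    text = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), encoded)
    return urllib.parse.unquote(text)

def decode_layers(js, max_rounds=5):
    """Peel unescape()/String.fromCharCode() wrappers until nothing changes."""
    text = js
    for _ in range(max_rounds):
        new = _UNESCAPE_RE.sub(lambda m: _js_unescape(m.group(2)), text)
        new = _FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()), new)
        if new == text:
            break
        text = new
    return text

# A meta refresh tag (what the decoded payload in the post writes) and the
# usual script-driven redirect: (window.)location(.href) = "url".
_META_REFRESH_RE = re.compile(
    r"<meta[^>]*http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*"
    r"content\s*=\s*['\"]\s*\d+\s*;\s*url\s*=\s*([^'\"\s>]+)", re.I)
_LOCATION_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)

def find_redirects(html_doc, claimed_domains):
    """Return one dict per distinct redirect found in the static HTML or in
    any (decoded) script block, noting whether encoding hid it."""
    collector = _ScriptCollector()
    collector.feed(html_doc)
    # (text to scan, regexes to apply, was it obfuscated)
    sources = [(html_doc, (("meta-refresh", _META_REFRESH_RE),), False)]
    for raw in collector.scripts:
        decoded = decode_layers(raw)
        sources.append((decoded, (("meta-refresh", _META_REFRESH_RE),
                                  ("location", _LOCATION_RE)), decoded != raw))
    found = {}
    for text, regexes, obfuscated in sources:
        for kind, regex in regexes:
            for url in regex.findall(text):
                host = (urllib.parse.urlsplit(url).hostname or "").lower()
                on_brand = any(host == d or host.endswith("." + d) for d in claimed_domains)
                entry = found.setdefault((kind, url), {
                    "kind": kind, "url": url, "host": host,
                    "obfuscated": False, "off_brand": not on_brand})
                entry["obfuscated"] = entry["obfuscated"] or obfuscated
    return list(found.values())

def triage(html_doc, claimed_domains=CLAIMED_DOMAINS):
    """'block' for an encoded redirect off the claimed brand, 'review' for any
    other redirect, 'allow' when the attachment sends the reader nowhere."""
    findings = find_redirects(html_doc, claimed_domains)
    if any(f["obfuscated"] and f["off_brand"] for f in findings):
        return "block", findings
    return ("review" if findings else "allow"), findings

if __name__ == "__main__":
    print(triage(SAMPLE_ATTACHMENT))
```

The verdict hinges on two signals together: the redirect was hidden behind encoding, and its host is not under the domain the message claims to be from. A plain, unencoded meta refresh still surfaces as a finding for review, which is the behaviour Gmail’s filter apparently did not apply to these messages.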
