by Nelson Ngu  |  Dec 06, 2016  |  Filed in: Security Research

We recently received a URL through Skype that caught our attention. It was a link belonging to LinkedIn, with our Skype ID as a parameter at the end of the URL.

hxxps://www.linkedin.com/slink?code=e2nsPHa#jpulusiv=victimskypeid

Usually, people are wary when they receive links that look somewhat suspicious. But this link is from LinkedIn, the world’s largest networking site, so it would be easy for anyone receiving it to quickly dismiss any thought of it being harmful. And the convincing personalized Skype ID at the end of the link only increases one’s confidence and curiosity to just click on it!

So what happens next?

Well, once you click on it you are redirected to hxxp://www.baidu.com/link?url=6kdJhiuGhlv0r4EfUsqBKW9t86Werul6GdqAieiiPyC, and then redirected to one of these scam sites selling fat loss or brain improvement products:

hxxp://easyfatloss-a.net/
hxxp://vpworldfor.com/
hxxp://hotvqqqhops.com/

(Note: the above 3 websites are already blocked by FortiGuard Anti Spam)

And while all these redirections take place (obviously an attempt by the scammers to cover their tracks), the victim’s compromised account is used to send the same link to every contact in their Skype account, the same way it started in the first place. And the process repeats itself.

Here’s the redirection path reflected on urlquery.net’s report:

(Image source: http://urlquery.net/report.php?id=1477360225655)

Further investigation into the domains “izatex(.)ru” and “adnanbostan(.)ru” is provided below:

curl -v izatex(.)ru
* Rebuilt URL to: izatex(.)ru/
* Hostname was NOT found in DNS cache
* Trying 104.28.16.170…
* Connected to izatex(.)ru (104.28.16.170) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: izatex(.)ru
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Thu, 17 Nov 2016 21:54:59 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d43aa46bb692c53416b4774b22908a0c21479419698; expires=Fri, 17-Nov-17 21:54:58 GMT; path=/; domain=.izatex(.)ru; HttpOnly
< Location: hxxp://intellectvvv.com/?a=370961&c=brain&s=pahas&27352
* Server cloudflare-nginx is not blacklisted
< Server: cloudflare-nginx
< CF-RAY: 30366c9de40129cb-SEA
<
* Connection #0 to host izatex(.)ru left intact
ping intellectvvv(.)com
PING intellectvvv(.)com (5.149.248.236) 56(84) bytes of data.
64 bytes from marriageagency.in(.)ua (5.149.248.236): icmp_seq=1 ttl=54 time=133 ms
curl -v hxxp://adnanbostan(.)ru
* About to connect() to adnanbostan(.)ru port 80 (#0)
* Trying 178.208.80.103…
* Connected to adnanbostan(.)ru (178.208.80.103) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: adnanbostan(.)ru
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: nginx
< Date: Thu, 17 Nov 2016 17:57:15 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 1
< Connection: keep-alive
< Keep-Alive: timeout=60
< Location: hxxp://intellectzzz.com/?a=373727&c=brain&s=beget&9008
<
* Connection #0 to host adnanbostan(.)ru left intact

We investigated the domains further and found 32 additional related domains and IPs.

178.208.78.89
185.112.157.139
192.99.182.95
46.166.128.136
5.149.248.236
adnanbostan(.)ru
cobdurierni(.)com
configinfofat(.)com
diet-newest(.)info
fatlossway(.)net
fatLossway-b(.)net
fatlossway-c(.)net
fatlossway-d(.)net
goodfastint(.)com
hitdrretrast(.)com
easyfatloss-a(.)net
hotvqqqhops(.)com
vpworldfor(.)com
intellectvvv(.)com
intellectzzz(.)com
izatex(.)ru
mindforbig(.)com
mindvipshop(.)com
safepaymentpage(.)net
u2019(.)ru
v-hd(.)ru
weightuulossu(.)com
witsswits(.)com
witxxsmind(.)com
womensenews(.)ru
worldformind(.)com
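The curl sessions above expose the chain one 302 Location header at a time, and the indicator list just above is what a responder would match each hop against. The following script, an added example that is not part of the original post, does both: it follows redirects manually (never automatically, so every hop is recorded), stops on loops, pulls the recipient's Skype ID out of the URL fragment (which a browser never sends to the server), and flags any hop whose host is on the page's indicator list. The fetch function is pluggable: the FIXTURE below is a constructed, offline stand-in that mirrors the hop shape documented on this page (LinkedIn slink, then baidu.com/link, then izatex.ru, then intellectvvv.com as seen in the curl output); live_fetch is the real-network variant and is not exercised here.

```python
"""Trace an HTTP redirect chain hop by hop and match hosts against a defanged IoC list.
Added example; FIXTURE is constructed for offline use, KNOWN_BAD is copied from the page."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit, urlunsplit
import urllib.error
import urllib.request

Fetch = Callable[[str], Tuple[int, Optional[str]]]   # url -> (status, Location header)

# Indicators copied from the list on this page, in the defanged form the page uses.
KNOWN_BAD = {"izatex(.)ru", "adnanbostan(.)ru", "intellectvvv(.)com", "intellectzzz(.)com",
             "easyfatloss-a(.)net", "vpworldfor(.)com", "hotvqqqhops(.)com"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Hop:
    url: str                  # URL actually requested (fragment stripped, as a browser would)
    status: int
    location: Optional[str]   # absolute next URL if the response redirected, else None


def refang(indicator: str) -> str:
    return indicator.replace("(.)", ".").replace("hxxp", "http")


def defang(url: str) -> str:
    """Render a URL in the hxxp://host(.)tld form used on this page (port/userinfo ignored)."""
    p = urlsplit(url)
    host = (p.hostname or "").replace(".", "(.)")
    tail = p.path + (f"?{p.query}" if p.query else "") + (f"#{p.fragment}" if p.fragment else "")
    return f"{p.scheme.replace('http', 'hxxp')}://{host}{tail}"


def strip_fragment(url: str) -> str:
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def skype_id_from(url: str) -> Optional[str]:
    """The lure appends the recipient's Skype ID after '#...=' so the server never sees it."""
    frag = urlsplit(url).fragment
    return frag.split("=", 1)[1] if "=" in frag else None


def matches_known_bad(url: str) -> bool:
    """True if the URL's host is an indicator or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in map(refang, KNOWN_BAD))


def trace_chain(start: str, fetch: Fetch, max_hops: int = 10) -> List[Hop]:
    """Follow Location headers manually; stop on a non-redirect, a loop, or max_hops."""
    hops, seen, url = [], set(), strip_fragment(start)
    while url and len(hops) < max_hops and url not in seen:
        seen.add(url)
        status, loc = fetch(url)
        nxt = urljoin(url, loc) if loc else None   # Location may be relative
        hops.append(Hop(url, status, nxt))
        if status not in REDIRECT_CODES or not nxt:
            break
        url = nxt
    return hops


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # surface each 3xx as HTTPError instead of following it


def live_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Real-network fetcher (not used by the offline demo below)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed offline fixture mirroring the hop shape documented on this page.
SAMPLE_START = "https://www.linkedin.com/slink?code=e2nsPHa#jpulusiv=victimskypeid"
FIXTURE = {
    "https://www.linkedin.com/slink?code=e2nsPHa":
        (302, "http://www.baidu.com/link?url=6kdJhiuGhlv0r4EfUsqBKW9t86Werul6GdqAieiiPyC"),
    "http://www.baidu.com/link?url=6kdJhiuGhlv0r4EfUsqBKW9t86Werul6GdqAieiiPyC":
        (302, "http://izatex.ru/"),
    "http://izatex.ru/":
        (302, "http://intellectvvv.com/?a=370961&c=brain&s=pahas&27352"),
    "http://intellectvvv.com/?a=370961&c=brain&s=pahas&27352": (200, None),
}


def fixture_fetch(url: str) -> Tuple[int, Optional[str]]:
    return FIXTURE[url]


if __name__ == "__main__":
    print("Skype ID in lure:", skype_id_from(SAMPLE_START))
    for hop in trace_chain(SAMPLE_START, fixture_fetch):
        flag = "  <-- on indicator list" if matches_known_bad(hop.url) else ""
        print(f"{hop.status} {defang(hop.url)}{flag}")
```

Recording every hop rather than letting the client auto-follow is the point: the intermediate izatex(.)ru and adnanbostan(.)ru hosts only appear in the chain, never in the final landing page, and the Skype ID lives in the fragment, so it must be read from the original lure URL before any request is made.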

The graphs below show some interesting traffic characteristics, such as the number of hits, sudden spikes, and recent start dates of the traffic – all typical of websites with questionable intent.


Here is another example, with a similar modus operandi:

hxxp://www.baidu.com/link?url=b12cAcwR1I5ZEysu76naKRsJOAXSv8vd1XmHX6HmqYe#98866=victimskypeid

This leads to another very convincing-looking link, this time on the baidu.com domain and also ending with the Skype user’s ID. Baidu is the largest web services (search engine) company in China.

When clicked, it also redirects to brain improvement scam/phishing sites:

hxxp://goodllwits.com/intl/kmau/inteligen?bhu=2m55FhyMc1UQoxBPpx8a4YyjtumzU4v4
hxxp://mindllwits.com/intl/kmau/inteligen?bhu=2m55FhyMc1UQoxBPpx8jp3v16voCnwG1
hxxp://braininfoxx.com/intl/kmau/inteligen?bhu=2m55FhyMc1UQoxBPpx8jp3v16voEGFew
hxxp://brainvipwit.com/intl/kmau/inteligen?bhu=bHVFxtJVSq1qDzzkWhcNF3xWWuce9v6Djf
hxxp://witzzsmind.com/intl/kmau/inteligen?bhu=bHVFxtJVSq1qDzzkWhcNF3xWWuceq9mY47

All of these sites serve exactly the same content, were recently created between the 11th and 16th of November, 2016, and have their domain ownership information hidden.

We ran a query on the Baidu link, and the report can be found here: http://urlquery.net/report.php?id=1479371457834

When the potential victim attempts to purchase the brain improvement product, they are redirected to the payment site at hxxps://verty-top-ssl.com/brain_int/special3/

Interestingly, this payment site’s main page hosts a fat-loss scam, shown below:

Note that verty-top-ssl(.)com was also recently created on 19th October 2016.

Identical content is also hosted on portal-top-ssl(.)com. This site was also created recently, on 18th October 2016, but had already been taken down at the time of this writing. However, you can see a screenshot of the site when you look it up in Domaintools. It carries a maximum “Risk Score” of 100.

Scams similar to these are very active on the Internet. They are everywhere, on every corner, and appear on the ads on popular websites and social media.

For those who know what to look for, these sites are easily identifiable as scams - from the Forbes logo that does not link to any Forbes website, to the fake Facebook testimonials (no links to Facebook either). Most people who take the time to look should be able to identify these sites as a scam without much difficulty.

However, fat-loss and brain improvement products continue to be some of the most popular and sought after products on the market today. The scammers who have built this phishing campaign were smart to focus on these two products. I would also say that they have designed their sites with careful attention, ensuring that they take advantage of the most desperate, uninformed, and non-IT savvy targets.

Judging from the way they attempt to obfuscate their tracks with multiple redirections, using new domains for only 10 days or so, and their unscrupulous “marketing” via compromised/stolen Skype accounts, it is likely that there is a highly skilled syndicate behind these scams, and more importantly, there is a substantial amount of money being made.

Aside from earning good money from selling bogus pills, these scammers will also not hesitate to sell their victims’ credit card information on the Darknet. 
