Monday 28 January 2013

Something smells fishy...

Immediately after I had replied to someone's tweet, I received a tweet from an unknown girl by the name of Hugh, who clearly has some issues setting up her Christmas lights. Clearly a spam account of some sort. I do not know that person, and could not expect the link to contain anything but shady business. So, out of pure curiosity, I decided to open the link in a test environment and log what was going on, hoping to find some fun and malicious content.


The little girl with the Christmas lights problem sent me this link

When we click the link above we expect it to redirect us to a real URL, since the sender (Hugh) has shortened it with http://is.gd. The short URL actually points to r.eurocable.com.br (with a GET parameter, as seen below); its IP address (5.12.190.202) belongs to a Romanian server. From there we are redirected again, to cioara.info, which is hosted in Canada, and this is where we finally get an HTTP 200 OK response.

The domain record can be found here. I also did a quick Google search on this hostname, and found a few mentions of its Twitter spam (e.g. its WOT reputation).

The page source code contains a function called dosub(), which simply submits a form called "frm1". The form submits its data to http://just-perfect-gifts.com/index.php, which acts as the form processor. The domain just-perfect-gifts.com is hosted on the same IP as cioara.info, namely 184.107.175.178, served by an nginx HTTP daemon with PHP 5.3.18. It is registered through GoDaddy, with the registrant details hidden via Domains By Proxy... The hopping continues: when we load http://just-perfect-gifts.com/index.php it uses <meta http-equiv="refresh"> to load the main page.

So we end up on a page telling me that I have the "opportunity to make some easy money", clearly a spam message, as we already saw from the Web of Trust reputation above. I also found that the domain name was sold on flippa.com in October. The user who was selling the site has since been suspended from Flippa, and at this point it is getting pretty clear what is actually going on: the spam message was a way to get a lot of views and thereby a good-looking rating in Google Analytics. Looking at the attachment provided by the seller, which is a Google Analytics report for www.just-perfect-gifts.com, there is certainly a lot of traffic to the site since it was created in May 2012, but the average visitor has only stayed a few seconds. I also found another post from the same user stating that "I am offering twitter followers and accounts."

Next I went through the source code, where I can confirm these findings: I quickly found the Google Analytics code along with a Facebook Like button and a Twitter Follow button. The button says "Follow @JPgifts" but links to "https://twitter.com/MicroLeavesCash". What I also noticed was that the main page kept reloading itself over and over, until I closed the connection. This is an easy way to generate a lot of traffic to a site, and to make a site look more valuable one can generate traffic through false advertising and by throwing links at users on social media like Facebook and Twitter.
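Tracing a chain like this by hand is tedious, and the self-reloading final page is exactly the case that traps a naive link follower. The script below is an added example, not code from the original post: it follows HTTP redirects, meta refresh tags, and forms that a script submits on load (the dosub()/frm1 pattern), records how each hop was reached, and stops as soon as a hop repeats. The hostnames, response bodies and the fake_fetch function are constructed, offline stand-ins for the shape of the chain described above (shortener, redirector, auto-submitting landing page, index.php that meta-refreshes, main page that reloads itself); they are not captures of the real sites. For a live trace you would swap in a real HTTP client driven from an isolated environment.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlencode

# Matches "frm1.submit(", "document.forms['frm1'].submit(" and "document.forms.frm1.submit("
_SUBMIT_RE = re.compile(r"""(?:forms\[\s*['"]?(\w+)['"]?\s*\]|(\w+))\s*\.submit\s*\(""")


class HopParser(HTMLParser):
    """Collects the page features that can forward the browser without a click."""

    def __init__(self):
        super().__init__()
        self.meta_refresh = None   # target of <meta http-equiv="refresh">
        self.onload = None         # <body onload="..."> handler, if any
        self.forms = {}            # form name/id -> [action, method, {field: value}]
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh = m.group(1).strip()
        elif tag == "body":
            self.onload = a.get("onload") or None
        elif tag == "form":
            self._form = a.get("name") or a.get("id") or ""
            self.forms[self._form] = [a.get("action", ""), (a.get("method") or "get").lower(), {}]
        elif tag == "input" and self._form is not None and a.get("name"):
            self.forms[self._form][2][a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def next_hop(method, url, status, headers, body, data=None):
    """Return (method, url, data, how) for the next hop, or None if the page does not forward."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and "location" in hdrs:
        keep = status in (307, 308)  # 307/308 preserve method and body
        return (method if keep else "GET", urljoin(url, hdrs["location"]),
                data if keep else None, "http-redirect")
    p = HopParser()
    p.feed(body)
    if p.meta_refresh:
        return "GET", urljoin(url, p.meta_refresh), None, "meta-refresh"
    if p.onload:  # script-driven jump: some form is submitted on load
        m = _SUBMIT_RE.search(body)
        name = (m.group(1) or m.group(2)) if m else None
        if name in p.forms:
            action, fmethod, fields = p.forms[name]
            target = urljoin(url, action)
            if fmethod == "post":
                return "POST", target, dict(fields), "form-post"
            sep = "&" if "?" in target else "?"
            return "GET", target + sep + urlencode(fields), None, "form-get"
    return None


def trace(start, fetch, max_hops=10):
    """Follow the chain from `start`; fetch(method, url, data) -> (status, headers, body).

    Returns (hops, stop): hops is a list of (method, url, status, how_reached),
    stop is "end" (no further hop), "loop" (a hop repeated) or "limit" (max_hops hit)."""
    hops, seen = [], set()
    method, url, data, how = "GET", start, None, "start"
    while True:
        if (method, url) in seen:
            return hops, "loop"
        if len(hops) >= max_hops:
            return hops, "limit"
        seen.add((method, url))
        status, headers, body = fetch(method, url, data)
        hops.append((method, url, status, how))
        nxt = next_hop(method, url, status, headers, body, data)
        if nxt is None:
            return hops, "end"
        method, url, data, how = nxt


# Constructed offline stand-in for the chain (placeholder hosts, not the real sites).
_LANDING = """<html><head><script>function dosub(){document.frm1.submit();}</script></head>
<body onload="dosub()">
<form name="frm1" action="http://hop3.example/index.php" method="post">
<input type="hidden" name="ref" value="tw"></form></body></html>"""

_RESPONSES = {
    ("GET", "https://short.example/xyz"): (302, {"Location": "http://r.hop1.example/?u=abc"}, ""),
    ("GET", "http://r.hop1.example/?u=abc"): (302, {"Location": "http://hop2.example/"}, ""),
    ("GET", "http://hop2.example/"): (200, {}, _LANDING),
    ("POST", "http://hop3.example/index.php"): (200, {}, '<meta http-equiv="refresh" content="0;url=http://hop3.example/">'),
    ("GET", "http://hop3.example/"): (200, {}, '<meta http-equiv="refresh" content="5;url=/">'),  # reloads itself
}


def fake_fetch(method, url, data):
    return _RESPONSES[(method, url)]


if __name__ == "__main__":
    hops, stop = trace("https://short.example/xyz", fake_fetch)
    for h in hops:
        print(h)
    print("stopped:", stop)
```

The tracer does not execute JavaScript, so it only recognises the plain on-load form submit pattern; anything more obfuscated needs a real browser in a sandbox. Resolving each hop's IP address and hosting country, as done by hand above, needs live DNS and is deliberately left out of the offline example.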

Okay, I'll stop here, as I feel I have wasted enough time on this boring incident; I was actually hoping it contained a malicious iframe of some sort.
