Malicious Spam Campaigns
Analyzing a malicious spam campaign that I have encountered.

Malicious P*rnHub Spam Campaign
The first email I am going to take a look at has the subject line:
To STOP receiving these emails from us just hit reply and let us Know !!
Indicators:
No logo
Strange subject line
Needing to reply to an email to stop receiving them
Reply address
No links
No attachments
This is super strange. I have never seen spam emails that don’t have any sort of malicious links or attachments. Instead, the spammer wants you to click one of two buttons, each of which opens a reply addressed to a long list of email addresses.
The href behind the buttons, with the quoted-printable soft line breaks (the trailing “=” characters in the raw source) removed, is:
mailto:support@schwambach.net;admin@libertejuive.me;admin@haikuo.me;lisapsparks122@gmail.com;monicaamden8@gmail.com;mediamarket770@gmail.com;makroobmin0@gmail.com;sauermisael272@gmail.com;adanweissnat550@gmail.com;pouroskamryn@gmail.com;stephenmsmith111@gmail.com;aquiston09@gmail.com;hilaliofchsor@gmail.com;mongolis454@gmail.com;kolamipaprat@gmail.com;dhasanhasanin@gmail.com;shayoojulie@gmail.com;bbb1234hh5@gmail.com;o12866788542234@gmail.com;o49485114@gmail.com;alinasorkova497@gmail.com;o78372923@gmail.com;hiyo73404@gmail.com;boitajdiiida@gmail.com;yohello119@gmail.com;habalstdophabala@gmail.com;farenukvova@gmail.com;rebeccafriffin@gmail.com;sykescallum060@gmail.com;c.smithmatthew@gmail.com;kabyalaabsabs@gmail.com;dreda4488@gmail.com;luskmirian@gmail.com;edwaardavis@outlook.com;abdoalam644@gmail.com;hodgesantonio11@gmail.com;chiwchiw723@gmail.com;herrodvinnie443@gmail.com;wchtabreerd@gmail.com;kamronnatalia661@gmail.com;oliviaprince488@gmail.com;ethandaviss@outlook.com;sabmlevspec@onet.pl;sfigaoprgovisovu@onet.pl;stepan.dolgoruk496@yandex.ru;slobodyanyuk.83287@yandex.ru;sanych1959942@yandex.ru;mariabugaeva24571@yandex.ru;alla.rykodelnica648@yandex.ru;amanigio@aliyun.com
It uses mailto: and sets the subject line to “Unsubscribe P*rnHub”. All of this is hidden behind a simple button. There are two of them: one to “confirm” your subscription and the other to “cancel” it. This plays on the nervousness people may feel when dealing with adult content.
The email domains that I have an interest in are as follows:
schwambach.net
libertejuive.me
haikuo.me
onet.pl
aliyun.com
The rest are either Gmail, Outlook or Yandex addresses. More on these domains later. I want to go over the rest of the email for additional clues.
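The decoding and grouping above can be scripted. The following is an added example, not part of the original write-up: it undoes the quoted-printable wrapping of a mailto: href, splits the recipient list, counts addresses per domain and picks out the domains that are not freemail providers. The href is a constructed, shortened version of the one above, and the ?subject= part is assumed from the description, since the page shows only the recipient list.

```python
"""Decode a quoted-printable-wrapped mailto: link and triage its recipients."""
import quopri
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, unquote

# Freemail providers: individual mailboxes, so there is no infrastructure to pivot on.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "yandex.ru"}

# Constructed sample: the href as it sits in a quoted-printable HTML body.
# A trailing "=" is a soft line break and "=3D" is an encoded "=". The
# addresses are a subset of the list above; the ?subject= part is assumed
# from the description (the page shows only the recipient list).
RAW_QP_HREF = (
    "mailto:support@schwambach.net;admin@libertejuive.me;admin@haikuo.me;media=\r\n"
    "market770@gmail.com;aquisto=\r\n"
    "n09@gmail.com;yohello119@gmai=\r\n"
    "l.com;sabmlevspec@onet.pl;sfigaoprgovisovu=\r\n"
    "@onet.pl;stepan.dolgoruk496@yandex.ru;amanigio@aliyun.com?subject=3DUnsubscribe%20P*rnHub"
)


def decode_qp(raw: str) -> str:
    """Undo quoted-printable soft line breaks and =XX escapes."""
    return quopri.decodestring(raw.encode("ascii")).decode("utf-8").strip()


def parse_mailto(href: str):
    """Split a mailto: URL into (recipients, header fields)."""
    if not href.lower().startswith("mailto:"):
        raise ValueError("not a mailto: URL")
    to_part, _, query = href[len("mailto:"):].partition("?")
    # RFC 6068 separates recipients with ','; mail clients also accept ';'.
    recipients = [unquote(a).strip().lower()
                  for a in re.split(r"[;,]", to_part) if a.strip()]
    headers = {k.lower(): v[0] for k, v in parse_qs(query).items()}
    return recipients, headers


def triage(recipients):
    """Group recipients by domain and pick out the domains worth pivoting on."""
    by_domain = defaultdict(list)
    for addr in recipients:
        local, _, domain = addr.rpartition("@")
        by_domain[domain].append(local)
    counts = Counter({d: len(v) for d, v in by_domain.items()})
    # onet.pl and aliyun.com also hand out public mailboxes, but they are
    # left out of FREEMAIL so they surface for a manual look, as in the write-up.
    pivot = sorted(d for d in by_domain if d not in FREEMAIL)
    return counts, pivot


def analyse(raw_qp_href: str):
    """Full pipeline: decode, parse, group; returns a summary dict."""
    recipients, headers = parse_mailto(decode_qp(raw_qp_href))
    counts, pivot = triage(recipients)
    return {"recipients": recipients, "subject": headers.get("subject"),
            "per_domain": counts, "pivot_domains": pivot}


if __name__ == "__main__":
    result = analyse(RAW_QP_HREF)
    print(f"{len(result['recipients'])} recipients, subject {result['subject']!r}")
    for domain, n in result["per_domain"].most_common():
        print(f"  {n:3d}  {domain}")
    print("pivot on:", ", ".join(result["pivot_domains"]))
```

Run against the full href from the message, the per-domain counts show immediately that the bulk of the list is freemail padding and only the five non-freemail domains merit infrastructure lookups.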
Another thing that stuck out to me was the actual sender’s address. Using phishtool.com I was able to quickly look over the various interesting details without having to scrub through the headers manually. The return path was a valid address, which was odd to me, since spam emails very often try to spoof the sender. This one, however, came from a Firebase app.
Firebase is Google’s mobile and web app development platform. Sadly, the site behind the app had not been set up yet.
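As an added example, not from the original post or from PhishTool, this script applies the same header check to a constructed message modelled on the one described: it reads the SPF, DKIM and DMARC results from the Authentication-Results header, checks that the From and Return-Path domains align, and then judges the message on its content and on whether the sender is a self-service tenant subdomain of a platform such as firebaseapp.com, rather than on the authentication outcome. The project name some-project, the authserv-id mx.example.net and the shortened mailto: list are placeholders.

```python
"""Judge a spam message by what its headers prove, not by whether they pass."""
import email
import re
from email import policy
from email.utils import parseaddr

# Platforms that hand any tenant a subdomain with SPF/DKIM already in place.
TENANT_PLATFORMS = ("firebaseapp.com", "web.app")

# Constructed sample modelled on the message above. "some-project" and
# mx.example.net are placeholders. Firebase Authentication mails come from
# noreply@<project>.firebaseapp.com by default, which is why SPF, DKIM and
# DMARC all pass for a sender the spammer set up in minutes.
SAMPLE = """\
Return-Path: <noreply@some-project.firebaseapp.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=some-project.firebaseapp.com; dkim=pass header.d=some-project.firebaseapp.com; dmarc=pass header.from=some-project.firebaseapp.com
From: Support <noreply@some-project.firebaseapp.com>
To: victim@example.com
Subject: To STOP receiving these emails from us just hit reply and let us Know !!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Confirm or cancel your subscription:</p>
<a href="mailto:support@schwambach.net;admin@libertejuive.me;admin@haikuo.me;a1@gmail.com;b2@gmail.com;c3@yandex.ru?subject=Unsubscribe">Cancel</a>
</body></html>
"""


def parse_auth_results(header):
    """Pull method=result pairs (spf, dkim, dmarc) out of Authentication-Results."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", str(header or ""), re.I)}


def domain_of(header):
    """Bare, lower-cased domain of an address header ('' if absent)."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()


def mailto_recipient_counts(html):
    """Number of recipients in each mailto: href found in the body."""
    counts = []
    for href in re.findall(r'href="(mailto:[^"]+)"', html, re.I):
        to_part = href[len("mailto:"):].partition("?")[0]
        counts.append(len([a for a in re.split(r"[;,]", to_part) if a.strip()]))
    return counts


def assess(raw):
    """Return authentication facts and a content-based verdict for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    ret_dom = domain_of(msg["Return-Path"])
    auth = parse_auth_results(msg["Authentication-Results"])
    aligned = bool(from_dom) and from_dom == ret_dom
    platform = next((p for p in TENANT_PLATFORMS if from_dom.endswith("." + p)), None)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    max_targets = max(mailto_recipient_counts(html), default=0)
    subject = str(msg["Subject"] or "")
    reply_to_stop = bool(re.search(r"\b(hit|just) reply\b", subject, re.I))

    flags = []
    if aligned and all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")):
        flags.append(f"authenticated: {from_dom} really sent this (says nothing about intent)")
    if platform:
        flags.append(f"{from_dom} is a self-service tenant subdomain of {platform}")
    if max_targets >= 5:
        flags.append(f"mailto: link addresses {max_targets} recipients at once")
    if reply_to_stop:
        flags.append("subject asks the reader to reply in order to opt out")
    # Authentication results are recorded but never lower the verdict.
    suspicious = max_targets >= 5 or (platform is not None and reply_to_stop)
    return {"from_domain": from_dom, "aligned": aligned, "auth": auth,
            "max_mailto_recipients": max_targets, "flags": flags,
            "suspicious": suspicious}


if __name__ == "__main__":
    for line in assess(SAMPLE)["flags"]:
        print("-", line)
```

The point of keeping `auth` separate from `suspicious` is that a clean SPF/DKIM/DMARC result on a firebaseapp.com sender proves only that whoever created that Firebase project sent the mail; the verdict has to come from the reply-to-unsubscribe lure and the multi-recipient mailto: link.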

Because the mail genuinely came from a domain the spammer controls, it passes SPF and DKIM checks: authentication only proves which domain sent the message, not that the sender is trustworthy. Now to look into the domains the email has you reply to.
schwambach.net
The above domain leads to an index-of page (a bare directory listing). The IP address geolocates to Paris, France, and the registrar is Namecheap. Searching for that IP address shows it is shared by a number of other domains.

3 of which I have already seen:
schwambach.net
libertejuive.me
haikuo.me
So these 3 are connected via the same server. The following are older results for the same IP address from scans in the past:

You can guess the content of these websites just from their names. So to me this currently looks like an old phishing/malicious server being reused for a new scam. The IP address is also tracked on VirusTotal, and the URLs associated with it host a lot of malicious content, much of it apparently drive-by downloads.
There were 2 other domains also listed within the email:
@onet.pl
@aliyun.com
The first one, onet.pl, seems to be a Polish news website that, according to Wikipedia, reaches 42% of Polish internet users every week. Onet also runs a free webmail service, so onet.pl addresses are ordinary personal mailboxes. A very strange thing to include in the spam email; perhaps the 2 emails that end in onet.pl are compromised somehow?

Both of those onet.pl addresses exist and are valid, which does lead me to believe they might be compromised somehow. I have contacted the website to see if they are aware of such an issue.
The last domain that I wanted to look into was:
aliyun.com
This didn’t take much research: it turned out to be Alibaba’s cloud computing company, Alibaba Cloud, which also provides personal @aliyun.com mailboxes. Sort of a dead end, a rather strange dead end.
This was an odd spam email that relies on someone’s embarrassment about adult content to trick them into replying to the list of email addresses above. Not knowing the rest, I would imagine the scam starts after the first reply: potentially blackmail, or a link to a URL to “cancel” your subscription. A reply also confirms the address is live and makes the victim a known correspondent, which nudges the email client into delivering the follow-up into the inbox rather than the spam folder, giving it a slight air of authenticity.
Recommendations
Block the following email domains:
schwambach.net
libertejuive.me
haikuo.me