Posts

Showing posts from December, 2015

More in-depth analysis of email scam links

In my last post (http://security5magics.blogspot.com/2015/12/an-obvious-e-mail-scam-lets-see-where.html) I ran through a quick analysis of a very prominent e-mail scam used today. The scam uses a link to a PHP file that holds a piece of JavaScript at the end. The JavaScript is a redirect to another site, usually a fake pharmacy site. I felt like showing a quick decoding of what the JavaScript does. The following code is very similar to the code from my first post, but is from a different spam e-mail I received today, which leads to a different site. Check it out.

<script type="text/javascript">
function suddenlye() {
    suddenlya = 5;
    suddenlyb = [124, 110, 115, 105, 116, 124, 51, 121, 116, 117, 51, 113, 116, 104, 102, 121, 110, 116, 115, 51, 109, 119, 106, 107, 66, 44, 109, 121, 121, 117, 63, 52, 52, 120, 114, 102, 119, 121, 117, 110, 113, 113, 120, 123, 102, 113, 122, 106, 51, 119, 122, 44, 64];
    suddenlyc = "";
    for (suddenlyd = 0; suddenlyd < suddenlyb.leng...

An obvious e-mail scam, let's see where it takes us

I get a lot of spam in my e-mail accounts, as I'm sure everyone reading does. One campaign that is seen often is an attempt to trick the user into believing that they are getting a message from YouTube, Facebook, Skype or other major sites. The messages are typically caught by spam filters, and can often be spotted as fake at a glance. I felt I would share one today, just because I thought it would be fun to see where it takes me.

For analysis I use a spare laptop running Ubuntu as the host, with virtual machines running Security Onion, SIFT and Windows 7 32-bit. For this particular exercise I used SIFT exclusively, and when finished I refresh my SIFT VM.

OK, enough of the boring stuff, here's the message I got in my Spam box:

Right away, notice that the subject doesn't exactly look reputable, and neither does the sender address in this case. The rest of the message is crafted very simply; the goal is only to get the user to click the "View mails"...