Posted to users@spamassassin.apache.org by Ricky Boone <ri...@gmail.com> on 2021/02/18 17:37:23 UTC

Phishing campaign using nested Google redirect

Just wanted to forward an example of an interesting URL obfuscation
tactic observed yesterday.

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g

Google then spits back a response with the redirect target in both
JavaScript and non-JavaScript forms (meta refresh tag):

https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.php&amp;sa=D&amp;sntz=1&amp;usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g

Slightly different response behavior this time, but ultimately
redirects the victim to the malicious destination.  The effective
destination in this case has been taken down, but I'll avoid putting
the full link.

Unfortunately, there didn't seem to be any rules that would help catch
this.  I have a couple of thoughts on some that I would need to test, but
wanted to share with the community.
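The obfuscation above is two layers of Google's /url redirector, with the inner layer percent-encoded inside the outer one's `url=` parameter. The following Python is an added example, not code from this thread or from the SpamAssassin project: it peels those layers offline (no request is ever sent to Google, so it is safe to run on URLs lifted from live phish), reports how many redirector layers were stacked, and pairs that with a cheap regex pass in the spirit of a SpamAssassin `uri` rule that fires when a google.com/url carries another encoded google.com/url in its `url=` or `q=` parameter. The host list, the `url`/`q` parameter order, the regex and the depth limit are my assumptions; the two sample URLs are the ones quoted in the message above.

```python
"""Unwrap nested google.com/url redirectors offline and flag the pattern.

Added example (not from the list thread or the SpamAssassin project). The
redirect target is recovered purely from the query string, so nothing is
fetched from Google or from the phishing destination.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the redirector lives on these hosts at this path.
GOOGLE_REDIRECT_HOSTS = {"google.com", "www.google.com"}
GOOGLE_REDIRECT_PATH = "/url"

# Cheap pass in the spirit of a SpamAssassin "uri" rule (assumed pattern):
# a google.com/url whose url= or q= parameter is itself a percent-encoded
# google.com/url. No decoding is done here, just like a uri rule.
NESTED_GOOGLE_REDIRECT_RE = re.compile(
    r"^https?://(?:www\.)?google\.com/url\?"
    r"(?:[^#]*&)?(?:url|q)=https?%3A%2F%2F(?:www\.)?google\.com%2Furl",
    re.IGNORECASE,
)


def matches_nested_redirect_rule(url):
    """True when the regex pass fires on the (HTML-unescaped) URL."""
    return NESTED_GOOGLE_REDIRECT_RE.search(html.unescape(url)) is not None


def unwrap_google_redirect(url, max_depth=10):
    """Peel google.com/url wrappers; returns (effective_url, hops).

    hops[0] is the input and each later entry is one decoded redirect
    target, so len(hops) - 1 is the number of redirector layers. max_depth
    bounds the loop so a self-referential URL cannot spin forever.
    """
    current = html.unescape(url)  # the meta-refresh form carries &amp;
    hops = [current]
    for _ in range(max_depth):
        parts = urlsplit(current)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or host not in GOOGLE_REDIRECT_HOSTS:
            break
        if parts.path != GOOGLE_REDIRECT_PATH:
            break
        params = parse_qs(parts.query, keep_blank_values=True)
        # The redirector takes its destination in url= or q=; the sample uses
        # url= on the outer layer and q= on the inner one. parse_qs decodes
        # one layer of percent-encoding, which is exactly one redirect hop.
        target = None
        for key in ("url", "q"):
            values = params.get(key, [])
            if values and values[0]:
                target = values[0]
                break
        if target is None:
            break
        current = target
        hops.append(current)
    return current, hops


def is_nested_google_redirect(url, min_layers=2):
    """Authoritative check: the URL unwraps through >= min_layers redirectors."""
    _, hops = unwrap_google_redirect(url)
    return len(hops) - 1 >= min_layers


# Sample input: the two forms quoted in the message above (the outer URL
# from the mail, and the inner one as it appears in the meta refresh tag).
SAMPLE_OUTER = (
    "https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url="
    "https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww."
    "tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz"
    "%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g"
)
SAMPLE_INNER = (
    "https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation"
    ".org%2F1%2F1%2Findex.php&amp;sa=D&amp;sntz=1&amp;usg="
    "AFQjCNEa27A724-wMQik8STZvuisHK2G4g"
)

if __name__ == "__main__":
    for sample in (SAMPLE_OUTER, SAMPLE_INNER):
        final, hops = unwrap_google_redirect(sample)
        print(f"{len(hops) - 1} redirect layer(s) -> {final}")
        print(f"  regex rule fires: {matches_nested_redirect_rule(sample)}")
        print(f"  nested by unwrapping: {is_nested_google_redirect(sample)}")
```

The regex alone is what a `uri` rule can do, and it does fire on the outer URL; the unwrapper is the check to keep for analysis, because it also yields the effective destination and the layer count, and it handles the `&amp;` form that the meta refresh tag produces.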

Re: Phishing campaign using nested Google redirect

Posted by John Hardin <jh...@impsec.org>.
On Fri, 19 Feb 2021, Giovanni Bechis wrote:

> On 2/19/21 1:09 AM, John Hardin wrote:
>> On Thu, 18 Feb 2021, Giovanni Bechis wrote:
>>
>>> On 2/18/21 6:37 PM, Ricky Boone wrote:
>>>> Just wanted to forward an example of an interesting URL obfuscation
>>>> tactic observed yesterday.
>>>>
>>>> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>>>
>>> I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well.
>>> If you can send me a spample I could tweak it a bit more.
>>
>> We may need to coordinate a little here - there's also a google.com/url redir rule in my sandbox, and they may be overlapping.
>
> I proposed a shared sandbox for that reason when we developed bitcoin rules (and we had similar problems with overlapping rules).

Perhaps it's time we pursued that. :)

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org                         pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The promise of nuclear power: electricity too cheap to meter
   The reality of nuclear power: FUD too cheap to meter
-----------------------------------------------------------------------
  3 days until George Washington's 289th Birthday

Re: Phishing campaign using nested Google redirect

Posted by Giovanni Bechis <gi...@paclan.it>.
On 2/19/21 1:09 AM, John Hardin wrote:
> On Thu, 18 Feb 2021, Giovanni Bechis wrote:
> 
>> On 2/18/21 6:37 PM, Ricky Boone wrote:
>>> Just wanted to forward an example of an interesting URL obfuscation
>>> tactic observed yesterday.
>>>
>>> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>>
>> I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well.
>> If you can send me a spample I could tweak it a bit more.
> 
> We may need to coordinate a little here - there's also a google.com/url redir rule in my sandbox, and they may be overlapping.
> 
I proposed a shared sandbox for that reason when we developed bitcoin rules (and we had similar problems with overlapping rules).

 Giovanni
Re: Phishing campaign using nested Google redirect

Posted by John Hardin <jh...@impsec.org>.
On Thu, 18 Feb 2021, Giovanni Bechis wrote:

> On 2/18/21 6:37 PM, Ricky Boone wrote:
>> Just wanted to forward an example of an interesting URL obfuscation
>> tactic observed yesterday.
>>
>> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>
> I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well.
> If you can send me a spample I could tweak it a bit more.

We may need to coordinate a little here - there's also a google.com/url 
redir rule in my sandbox, and they may be overlapping.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org                         pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Are you a mildly tech-literate politico horrified by the level of
   ignorance demonstrated by lawmakers gearing up to regulate online
   technology they don't even begin to grasp? Cool. Now you have a
   tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
-----------------------------------------------------------------------
  Today: Perseverance lands on Mars

Re: Phishing campaign using nested Google redirect

Posted by RW <rw...@googlemail.com>.
On Thu, 18 Feb 2021 16:08:01 -0800 (PST)
John Hardin wrote:

 
> In our case it's best to upload an entire email (all headers intact
> and with as little obfuscation as possible) to something like
> Pastebin, then post the URL to that here so it can be downloaded.
...
> For just URLs, though, examples could just be pasted into the body of
> your post (as you did) or in a .txt attachment.

I'd still suggest uploading them to pastebin. Other spam filters may
already have better handling for those URLs.

Re: Phishing campaign using nested Google redirect

Posted by Ricky Boone <ri...@gmail.com>.
On Thu, Feb 18, 2021 at 7:08 PM John Hardin <jh...@impsec.org> wrote:
>
> In our case it's best to upload an entire email (all headers intact and
> with as little obfuscation as possible) to something like Pastebin, then
> post the URL to that here so it can be downloaded. This keeps the spample
> from being modified during transit in ways that could impede analysis and
> rule development and testing.
>
> For just URLs, though, examples could just be pasted into the body of your
> post (as you did) or in a .txt attachment.

Gotcha, thanks. Hopefully the copies I put up on GitLab are still
useful for testing any rules; I didn't see any issues when I ran SA
against the redacted copies. Since they included real addresses,
names, etc., I have to redact certain elements due to my company's
policies.

Re: Phishing campaign using nested Google redirect

Posted by John Hardin <jh...@impsec.org>.
On Thu, 18 Feb 2021, Ricky Boone wrote:

> Nice.  I've copied scrubbed versions of what I've seen so far here:
> https://gitlab.com/-/snippets/2079108 (I can never remember if it is
> appropriate to include attachments to mailing lists like this).

In our case it's best to upload an entire email (all headers intact and 
with as little obfuscation as possible) to something like Pastebin, then 
post the URL to that here so it can be downloaded. This keeps the spample 
from being modified during transit in ways that could impede analysis and 
rule development and testing.

For just URLs, though, examples could just be pasted into the body of your 
post (as you did) or in a .txt attachment.




Re: Phishing campaign using nested Google redirect

Posted by Ricky Boone <ri...@gmail.com>.
Nice.  I've copied scrubbed versions of what I've seen so far here:
https://gitlab.com/-/snippets/2079108 (I can never remember if it is
appropriate to include attachments to mailing lists like this).

On Thu, Feb 18, 2021 at 1:13 PM Giovanni Bechis <gi...@paclan.it> wrote:
>
> On 2/18/21 6:37 PM, Ricky Boone wrote:
> > Just wanted to forward an example of an interesting URL obfuscation
> > tactic observed yesterday.
> >
> > https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
> >
> > Google then spits back a response with the redirect target in both
> > JavaScript and non-JavaScript forms (meta refresh tag):
> >
> > https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.php&amp;sa=D&amp;sntz=1&amp;usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g
> >
> > Slightly different response behavior this time, but ultimately
> > redirects the victim to the malicious destination.  The effective
> > destination in this case has been taken down, but I'll avoid putting
> > the full link.
> >
> > Unfortunately, there didn't seem to be any rules that would help catch
> > this.  I have a couple of thoughts on some that I would need to test, but
> > wanted to share with the community.
> >
> I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well.
> If you can send me a spample I could tweak it a bit more.
>
>  Giovanni
>

Re: Phishing campaign using nested Google redirect

Posted by Giovanni Bechis <gi...@paclan.it>.
On 2/18/21 6:37 PM, Ricky Boone wrote:
> Just wanted to forward an example of an interesting URL obfuscation
> tactic observed yesterday.
> 
> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
> 
> Google then spits back a response with the redirect target in both
> JavaScript and non-JavaScript forms (meta refresh tag):
> 
> https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.php&amp;sa=D&amp;sntz=1&amp;usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g
> 
> Slightly different response behavior this time, but ultimately
> redirects the victim to the malicious destination.  The effective
> destination in this case has been taken down, but I'll avoid putting
> the full link.
> 
> Unfortunately, there didn't seem to be any rules that would help catch
> this.  I have a couple of thoughts on some that I would need to test, but
> wanted to share with the community.
> 
I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well.
If you can send me a spample I could tweak it a bit more.

 Giovanni