Thursday, 6 December 2012

iTunes "Christmas gift card" / api.myobfuscate.com / nikolamireasa.com

Here's a malware-laden spam with a twist:

From:     iTunes [shipping@new.itunes.com]
To:     purchasing [purchasing@[redacted]]
Date:     6 December 2012 20:59
Subject:     Christmas gift card

Order Number: M1V7577311
Receipt Date: 06/12/2012
Shipping To: purchasing@[redacted]

Order Total: $500.00
Billed To: Hilary Shandonay, Credit card



Item Number     Description     Unit Price
1     Christmas gift card (View\Download )     $500.00
Subtotal:     $500.00
Tax:     $0.00
Order Total:     $500.00


Please retain for your records.
Please See Below For Terms And Conditions Pertaining To This Order.

Apple Inc.
You can find the iTunes Store Terms of Sale and Sales Policies by launching your iTunes application and clicking on Terms of Sale or Sales Policies

FBI ANTI-PIRACY WARNING
UNAUTHORIZED COPYING IS PUNISHABLE UNDER FEDERAL LAW.

Answers to frequently asked questions regarding the iTunes Store can be found at http://www.apple.com/support/itunes/store/



Apple ID Summary •  Detailed invoice

Apple respects your privacy.

Copyright © 2011 Apple Inc. All rights reserved

In this case the link goes through a free web hosting site at [donotclick]longa-neara.ucoz.org, which contains some heavily obfuscated javascript that eventually leads to a malicious landing page at [donotclick]nikolamireasa.com/less/demands-probably.php, hosted on 188.93.210.133 (logol.ru, Russia). That IP hosts the following toxic domains, which you should block:

nikolamireasa.com
portgazza.cu.cc
hopercac.cu.cc
hopercas.cu.cc
ukumuxur.qhigh.com
ymuvyjih.25u.com

Heck, you might just want to cut your losses and block 188.93.210.0/23 too. Anyway, the curious thing is that the malicious javascript uses an intermediary obfuscation site called api.myobfuscate.com, which you can see has been used to infect a few sites before.

Now, perhaps myobfuscate.com was created with the best of intentions, but if the bad guys have a use for it then you can bet they are probably about to abuse it in a big way.

Both api.myobfuscate.com and www.myobfuscate.com are hosted on the same IP, 188.64.170.17 (also in Russia), which sits in a tiny netblock, 188.64.170.16/31, that you may as well block too. The same IP also hosts the following domains, which might be abused in the same way:

htmlobfuscator.com
api.htmlobfuscator.com
htmlobfuscator.info
javascript-obfuscator.info
javascriptcompressor.info
javascriptcrambler.com
javascriptobfuscate.com
javascriptobfuscator.info
myobfuscate.com
api.myobfuscate.com
obfuscatorjavascript.com
api.obfuscatorjavascript.com
js.robotext.com
js.robotext.info
js.robottext.ru

In my opinion, obfuscating javascript is a really bad thing and there is no legitimate reason to use it. Blocking access to free-to-use obfuscation tools like this may run the risk of breaking some legitimate sites. But only if they have been coded by idiots.
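As a worked example of the two blocking rules described above (the named domains, and the 188.93.210.0/23 and 188.64.170.16/31 netblocks), here is an added script that scans a page's `<script src>` tags and flags any that load from a listed domain, a subdomain of one, or a host whose address falls inside a blocked netblock. This is not code from the original post; the DNS table is a constructed stand-in so it runs offline (only the two addresses quoted in the post are real, the `hopercax.cu.cc` and `cdn.example.net` entries are hypothetical), and the sample HTML is constructed as well.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostile domains named in the post: the landing-page host and its neighbours
# on 188.93.210.133, plus the obfuscation-service hosts on 188.64.170.17.
# The api.* names from the post are covered by the subdomain match below.
BLOCKED_DOMAINS = {
    "nikolamireasa.com", "portgazza.cu.cc", "hopercac.cu.cc", "hopercas.cu.cc",
    "ukumuxur.qhigh.com", "ymuvyjih.25u.com",
    "myobfuscate.com", "htmlobfuscator.com", "htmlobfuscator.info",
    "javascript-obfuscator.info", "javascriptcompressor.info",
    "javascriptcrambler.com", "javascriptobfuscate.com",
    "javascriptobfuscator.info", "obfuscatorjavascript.com",
    "js.robotext.com", "js.robotext.info", "js.robottext.ru",
}

# Netblocks the post suggests blocking outright.
BLOCKED_NETS = [
    ipaddress.ip_network("188.93.210.0/23"),
    ipaddress.ip_network("188.64.170.16/31"),
]

# Constructed stand-in for DNS so the example runs offline. The first two
# entries are the addresses given in the post; the other two are made up.
FAKE_DNS = {
    "api.myobfuscate.com": "188.64.170.17",
    "nikolamireasa.com": "188.93.210.133",
    "hopercax.cu.cc": "188.93.211.7",    # hypothetical unlisted neighbour in the /23
    "cdn.example.net": "203.0.113.10",   # hypothetical benign CDN
}


def resolve(host):
    """Look a host up in the constructed table; None if unknown."""
    return FAKE_DNS.get(host)


def why_blocked(host):
    """Return the reason a host should be blocked, or None if it is clean.

    A host matches if it is one of the listed domains or a subdomain of one,
    or if its address falls inside one of the blocked netblocks.
    """
    name = host.lower().rstrip(".")
    for d in BLOCKED_DOMAINS:
        if name == d or name.endswith("." + d):
            return "listed domain " + d
    addr = resolve(name)
    if addr is not None:
        ip = ipaddress.ip_address(addr)
        for net in BLOCKED_NETS:
            if ip in net:
                return "resolves to %s in blocked netblock %s" % (addr, net)
    return None


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for attr, value in attrs:
                if attr.lower() == "src" and value:
                    self.srcs.append(value)


def find_blocked_scripts(html):
    """Return [(src, host, reason)] for each external script on a blocked host."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        host = urlsplit(src).hostname   # works for http://, https:// and //host/...
        if not host:
            continue                    # relative, same-origin script: not checked here
        reason = why_blocked(host)
        if reason:
            hits.append((src, host, reason))
    return hits


# Constructed page: one benign CDN script, one same-origin script, and three
# injected loaders pointing at hosts from the post or at its netblocks.
SAMPLE_HTML = """<html><head>
<script src="//cdn.example.net/jquery.min.js"></script>
<script src="/js/site.js"></script>
<script type="text/javascript" src="http://api.myobfuscate.com/?x=constructed"></script>
<script src="http://www.nikolamireasa.com/less/demands-probably.php"></script>
<script src="http://hopercax.cu.cc/loader.js"></script>
</head><body>...</body></html>"""

if __name__ == "__main__":
    for src, host, reason in find_blocked_scripts(SAMPLE_HTML):
        print("BLOCK %-28s %s" % (host, reason))
```

The netblock check is what catches hosts the list does not name yet (the hypothetical `hopercax.cu.cc` above), which is the point of blocking the /23 rather than chasing individual domains. Swap `resolve()` for a real lookup (for example `socket.gethostbyname`) when running this against live pages.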


1 comment:

Laurent Chamuleau said...

What to do if you have clicked on those links... ?? :s