Here's a malware-laden spam with a twist:
From: iTunes [shipping@new.itunes.com]
To: purchasing [purchasing@[redacted]]
Date: 6 December 2012 20:59
Subject: Christmas gift card
Order Number: M1V7577311
Receipt Date: 06/12/2012
Shipping To: purchasing@[redacted]
Order Total: $500.00
Billed To: Hilary Shandonay, Credit card
Item Number Description Unit Price
1 Christmas gift card (View\Download ) $500.00
Subtotal: $500.00
Tax: $0.00
Order Total: $500.00
Please retain for your records.
Please See Below For Terms And Conditions Pertaining To This Order.
Apple Inc.
You can find the iTunes Store Terms of Sale and Sales Policies by launching your iTunes application and clicking on Terms of Sale or Sales Policies
FBI ANTI-PIRACY WARNING
UNAUTHORIZED COPYING IS PUNISHABLE UNDER FEDERAL LAW.
Answers to frequently asked questions regarding the iTunes Store can be found at http://www.apple.com/support/itunes/store/
Apple ID Summary • Detailed invoice
Apple respects your privacy.
Copyright © 2011 Apple Inc. All rights reserved
In this case the link goes through a free web hosting site at [donotclick]longa-neara.ucoz.org, which contains some heavily obfuscated javascript that eventually leads to a malicious landing page on [donotclick]nikolamireasa.com/less/demands-probably.php, hosted on 188.93.210.133 (logol.ru, Russia). That IP hosts the following toxic domains that you should block:
nikolamireasa.com
portgazza.cu.cc
hopercac.cu.cc
hopercas.cu.cc
ukumuxur.qhigh.com
ymuvyjih.25u.com
Heck, you might just want to cut your losses and block 188.93.210.0/23 too. Anyway, the curious thing is that the malicious javascript uses an intermediary obfuscation site called api.myobfuscate.com, which you can see has been used to infect a few sites before.
Now, perhaps myobfuscate.com was created with the best of intentions, but if the bad guys have a use for it then you can bet they are probably about to abuse it in a big way.
Both api.myobfuscate.com and www.myobfuscate.com are hosted on the same IP at 188.64.170.17 (also in Russia), which is part of a tiny netblock of 188.64.170.16/31 that you may as well block too. The 188.64.170.17 IP also hosts the following domains, which might also be abused in the same way:
In my opinion, obfuscating javascript is a really bad thing and there is no legitimate reason to use it. Blocking access to free-to-use obfuscation tools like this may run the risk of breaking some legitimate sites. But only if they have been coded by idiots.
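As an added illustration (not part of the original post), here is how the blocking advice above could be applied in practice: a small Python checker that matches hostnames by domain suffix and literal IPs by CIDR membership, seeded with the landing-page domain, the obfuscation service's domain and the two netblocks named in the post. The sample targets in the `__main__` block are constructed for the demonstration.

```python
import ipaddress

# Blocklist assembled from the indicators in the post above:
# the malicious landing-page domain, the obfuscation-service domain
# (its api. and www. hosts are caught by suffix matching), and the
# two netblocks the post suggests blocking outright.
BLOCKED_DOMAINS = {
    "nikolamireasa.com",
    "myobfuscate.com",
}
BLOCKED_NETS = [
    ipaddress.ip_network("188.93.210.0/23"),   # logol.ru range
    ipaddress.ip_network("188.64.170.16/31"),  # myobfuscate.com range (.16 and .17)
]


def domain_blocked(host: str) -> bool:
    """True if host equals a blocked domain or is a subdomain of one.

    The leading-dot check matters: 'notmyobfuscate.com' must not match
    'myobfuscate.com', so a plain endswith() on the bare domain is wrong.
    """
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def ip_blocked(addr: str) -> bool:
    """True if addr is a literal IP address inside a blocked netblock."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # not an IP literal, so it cannot match a CIDR
        return False
    return any(ip in net for net in BLOCKED_NETS)


def is_blocked(target: str) -> bool:
    """Check either a hostname or a literal IP against the blocklist."""
    return ip_blocked(target) or domain_blocked(target)


if __name__ == "__main__":
    # Constructed sample targets, not observed traffic.
    for t in ["www.nikolamireasa.com", "api.myobfuscate.com", "188.93.211.9",
              "188.64.170.18", "notmyobfuscate.com"]:
        print(f"{t}: {'BLOCK' if is_blocked(t) else 'allow'}")
```

In a real deployment the hostnames from proxy or DNS logs would be fed through `is_blocked()` rather than the hard-coded samples.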