Malware Analysis WARNING - False threat detected - phone number scam

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
I have been redirected several times to an analogous web page (yesterday and today) when pasting some links from a sample-file hosting website into Vivaldi's browser.

There is also a vocal message with this screen.

If you see the same, DON'T TRUST WHAT THEY SAY: it's completely false information; you only have to close the new tab created in your browser.

And don't make a call!

=> Social Engineering

:)

Quick analysis

false warning.jpg


Here are the details:

https://malwaretips.com/threads/warning-false-threat-detected-phone-number-scam.61208/#post-521610

https://malwaretips.com/threads/warning-false-threat-detected-phone-number-scam.61208/#post-526706
 
Last edited:

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
I have been redirected several times to this web page (yesterday and today) when pasting sample links into Vivaldi's browser.

There is also a vocal message with this screen.

If you see the same, DON'T TRUST WHAT THEY SAY: it's completely false information; you only have to close the new tab created in your browser.

And don't make a call!

:)


@DardiM Can you please put the link here in hxxp form?
 

DardiM

hxxp://probleme-navigateur-mg25yp1761.fr?cid=118&ec=IEVVW&v=2&pid=1322367&clid=15171095931467987376

But be warned, it chain-floods message boxes :)
 

DardiM

The site would seem clean according to several programs. The very bad thing here: the phone number they want you to call would certainly cost a BIG amount of euros. I know a lot of users who could believe this sort of information.

N.B.: The URL in my screenshot (taken yesterday) is different from today's.
 
Last edited:

JM Safe

The site would seem clean according to several programs. The very bad thing here: the phone number they want you to call would certainly cost a BIG amount of euros. I know a lot of users who could believe this sort of information.

N.B.: The URL in my screenshot (taken yesterday) is different from today's.
It is strange that AVs and products see it as clean.
 

DardiM

It is strange that AVs and products see it as clean.
Because it's clean (from the code) and the only bad part is the phone number :) (Social Engineering)
Not an already-reported URL :)
The domain name isn't the same each time I've seen it.
Only "probleme-navigateur-" is in all URLs.

That's the aim of my thread: warn people (even if I know that most people here
may not fall into the trap) :)
 
Last edited:

DardiM

What is funny:
- the IP they said was mine => from INDIA ... (I'm from France :p )
- with Vivaldi and my settings, the spam message doesn't appear.
On IE11 => a message box spams in a way that I can't click to close the tab, close IE in a normal way, or report the link. Had to kill the process and disable JavaScript before reporting the URL :rolleyes:
 
Last edited:

SpartacusSystem

Level 7
Verified
Well-known
Aug 6, 2015
306
Sometimes, when I'm bored, I do have some fun in actually calling the number as it is free! I even pretend to put in some fake passwords, addresses and debit card numbers into a txt file in order to entice them. It's funny seeing them on TeamViewer within an instant transferring the files over! :D

The amount of satisfaction I get watching them tear up a worthless operating system inside a VirtualBox, because I know I'm stopping them from at least doing it to some innocent people who may fall for such scams.
 

DardiM

Sometimes, when I'm bored, I do have some fun in actually calling the number as it is free! I even pretend to put in some fake passwords, addresses and debit card numbers into a txt file in order to entice them. It's funny seeing them on TeamViewer within an instant transferring the files over! :D

The amount of satisfaction I get watching them tear up a worthless operating system inside a VirtualBox, because I know I'm stopping them from at least doing it to some innocent people who may fall for such scams.
Depending on the country. In France there are a lot of overtaxed phone numbers. One call => "IEA" it hurts :(
But the number currently used seems to be a "normal" number.

I looked inside to see the source: very simple :)
That's why it can only be reported, but not detected as malware from the 'code only' point of view (but a real spammer if JavaScript is enabled :'( ).

(1)
<body onload="myFunction();" onclick="myFunction();" onkeydown="myFunction();" ,="" onunload="myFunction();" style="color:white;">
(2)
<script type="text/javascript">
// POPDSP JavaScript Document

var tollfree='01 78 90 46 88';
var hhref='http://google.com';
var m1='**** Ne pas redemarrer votre ordinateur **** \n\n Windows a détecté une altération des données, et virus. \n\nLes infections détectées indiquent plusieurs téléchargements récents sur l\'ordinateur qui ont ensuite créé d’autres erreurs sur l\'ordinateur.\n\nContactez le support technique au 01 78 90 46 88 et indiquez le code erreur suivaut au technicien afin de réparer : IEVVW.';
var m2=m1;

function myFunction() {
setInterval(function() {
alert(m1)
}, 1000);
alert(m2);
}

function rtclickcheck(keyp) {
if (navigator.appName == "Netscape" && keyp.which == 3) {
alert(m1);
}

if (navigator.appVersion.indexOf("MSIE") != -1 && event.button == 2) {
alert(m2);
}
}
document.onmousedown = rtclickcheck;

window.onbeforeunload = function() {
return m1;
};
var OSName = "Unknown OS";
if (navigator.appVersion.indexOf("Win") != -1) OSName = "Windows";
if (navigator.appVersion.indexOf("Mac") != -1) OSName = "MacOS";
if (navigator.appVersion.indexOf("X11") != -1) OSName = "UNIX";
if (navigator.appVersion.indexOf("Linux") != -1) OSName = "Linux";
</script>

(3)
onclick="location.reload(true);"

(4)
image : base64 encoded

(5)
<audio autoplay="">
<source src="https://s3.eu-central-1.amazonaws.com/lp-images-553/02fr_converted_med.mp3" type="audio/mpeg">
</audio>

(6)
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-53771600-1', 'auto');
ga('send', 'pageview', '118_GA');
</script>
 
Last edited:
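As an added example (my own code, not from the thread and not from the scam page), here is a small static heuristic scanner in Python that flags the traits DardiM pulled out of the source above: an alert() inside setInterval, an onbeforeunload handler that returns a message, a mousedown trap, autoplay audio, a "call support" lure and an onload handler on the body, and extracts any phone numbers so they can be included in a report. It never executes the page's JavaScript. The sample pages and the phone number in them are constructed for the demo; the indicator weights and the threshold are my own choices, not anything from the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample mimicking the structure of the page quoted in the thread
# (alert loop, right-click trap, onbeforeunload prompt, autoplay audio).
# The phone number is a placeholder, not the one from the scam.
SCAM_HTML = """<html><body onload="myFunction();" onclick="myFunction();">
<script type="text/javascript">
var tollfree='01 23 45 67 89';
var m1='**** Ne pas redemarrer votre ordinateur **** Contactez le support technique au 01 23 45 67 89';
function myFunction() { setInterval(function() { alert(m1) }, 1000); alert(m1); }
document.onmousedown = function(e) { alert(m1); };
window.onbeforeunload = function() { return m1; };
</script>
<audio autoplay=""><source src="https://example.invalid/alert.mp3" type="audio/mpeg"></audio>
</body></html>"""

# Constructed benign page for comparison.
BENIGN_HTML = """<html><body><h1>Release notes</h1>
<script>window.addEventListener('load', function () { console.log('ready'); });</script>
</body></html>"""

# (indicator name, pattern, weight). Weights are this example's own choice.
INDICATORS = [
    ("alert_loop", re.compile(r"setInterval\s*\(.*?alert\s*\(", re.S), 3),
    ("unload_trap", re.compile(r"onbeforeunload\s*=\s*function\s*\([^)]*\)\s*\{[^}]*return", re.S), 2),
    ("rightclick_trap", re.compile(r"document\.onmousedown\s*="), 1),
    ("autoplay_audio", re.compile(r"<audio\b[^>]*\bautoplay\b", re.I), 2),
    ("support_lure", re.compile(r"support technique|technical support|ne pas red[ée]marrer", re.I), 2),
    ("script_on_load", re.compile(r"<body\b[^>]*\bonload\s*=", re.I), 1),
]

# French spaced 10-digit numbers and North-American toll-free style numbers.
PHONE_RE = re.compile(r"\b0\d(?: \d{2}){4}\b|\b1?-?8(?:00|33|44|55|66|77|88)-\d{3}-\d{4}\b")


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)
    phone_numbers: list = field(default_factory=list)
    threshold: int = 5

    @property
    def suspicious(self) -> bool:
        return self.score >= self.threshold


def scan_page(html: str, threshold: int = 5) -> Verdict:
    """Score a page against the tech-support-scam indicators without running any JS."""
    verdict = Verdict(score=0, threshold=threshold)
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            verdict.hits.append(name)
            verdict.score += weight
    seen = set()
    for number in PHONE_RE.findall(html):  # keep first-seen order, drop duplicates
        if number not in seen:
            seen.add(number)
            verdict.phone_numbers.append(number)
    return verdict


if __name__ == "__main__":
    for label, page in (("scam", SCAM_HTML), ("benign", BENIGN_HTML)):
        v = scan_page(page)
        print(f"{label}: score={v.score} suspicious={v.suspicious} "
              f"hits={v.hits} phones={v.phone_numbers}")
```

The scanner is deliberately crude: as DardiM says, nothing here is malicious "from the code" alone, so a hit list like this is a triage signal for a reporting queue, not a malware verdict.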

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Usually programs related to technical/phone support scams are considered legitimate due to a digital signature and no unusual behavior being found.

Their primary aim is to lure you into some scenario for such a transaction of cash.
 

DardiM

I found where it comes from:

=> ......zippyshare.com
=> button "download now"

=> 104.154.237.93


Example:

104.154.237.93/Njc4OTcyMzI4Nz............NDEvMGo2M2xuaTl3aw== => base64 encoded
(104.154.237.93/67897232874/67898555241/0............i9wk)

=> opens a new tab with random ads / scams / dangerous websites
(fake online games, fake JavaScript update messages, the warning seen in the first post, etc...)

uses cookies to remember you, to avoid opening each bad website more than once

=> 93.237.154.104.bc.googleusercontent.com :D

General IP Information
IP: 104.154.237.93
Decimal: 1754983773
Hostname: 93.237.154.104.bc.googleusercontent.com
ASN: 15169
ISP: Google Cloud
Organization: Google Cloud

General IP Information
IP: 93.237.154.104
Decimal: 1575852648
Hostname: p5ded9a68.dip0.t-ipconnect.de
ASN: 3320
ISP: Deutsche Telekom AG
Organization: Deutsche Telekom AG

The base domain name of googleusercontent.com clearly is what it says it is, “Google User Content” which is known to be connected to the Google App Engine “Platform as a Service” product. And that allows any user to create and deploy code in Python, Java, PHP & Go applications to their service.

=> Report suspected abuse on Google Cloud Platform - Google Developers Help
 
Last edited:
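As an added example (my own code, not from the thread), here is a Python helper for this kind of triage: it decodes the base64 path segment of the redirect URL (tolerating missing "=" padding, as with the truncated segment shown above), converts the IP to the decimal form listed in the IP information, and derives the reversed-octet PTR name that Google Cloud uses, so that 93.237.154.104.bc.googleusercontent.com is not mistaken for the Deutsche Telekom address 93.237.154.104. The reversed-octet rule is what the page's own lookup shows; I assume it holds for other Compute Engine addresses. The full base64 path is constructed for the demo, since the thread only shows its two ends.

```python
import base64
import binascii
import ipaddress
import re


def decode_b64_path(segment: str):
    """Decode a base64 URL path segment, tolerating missing '=' padding and the
    URL-safe alphabet. Returns None when the result is not printable text."""
    s = segment.strip()
    s += "=" * (-len(s) % 4)
    for altchars in (None, b"-_"):
        try:
            raw = base64.b64decode(s, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            return text
    return None


def ip_to_decimal(ip: str) -> int:
    """Dotted-quad to the decimal form shown in the 'General IP Information' block."""
    return int(ipaddress.IPv4Address(ip))


GCE_PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.bc\.googleusercontent\.com$")


def gce_ptr_hostname(ip: str) -> str:
    """Expected PTR name for a Google Compute Engine IP: octets reversed
    (assumed from the lookup in the thread), e.g. a.b.c.d -> d.c.b.a.bc.googleusercontent.com."""
    ipaddress.IPv4Address(ip)  # raises AddressValueError on garbage
    return ".".join(reversed(ip.split("."))) + ".bc.googleusercontent.com"


def ip_from_gce_ptr(hostname: str):
    """Recover the real IP from a *.bc.googleusercontent.com PTR name, or None."""
    m = GCE_PTR_RE.match(hostname.lower())
    return ".".join(reversed(m.groups())) if m else None


def triage_redirect(url: str) -> dict:
    """Split 'host/segment' as posted in the thread, decode the segment and add IP context."""
    host, _, segment = url.partition("/")
    info = {"host": host,
            "decoded_path": decode_b64_path(segment) if segment else None}
    try:
        info["decimal"] = ip_to_decimal(host)
        info["expected_gce_ptr"] = gce_ptr_hostname(host)
    except ipaddress.AddressValueError:  # host was a name, not an IPv4 literal
        info["decimal"] = None
        info["expected_gce_ptr"] = None
    return info


# Constructed full path: the thread shows only the start and end of the real one.
SAMPLE_PATH = base64.b64encode(b"67897232874/67898555241/0j63lni9wk").decode("ascii")


if __name__ == "__main__":
    print(triage_redirect("104.154.237.93/" + SAMPLE_PATH))
    print(ip_from_gce_ptr("93.237.154.104.bc.googleusercontent.com"))
    print(ip_from_gce_ptr("p5ded9a68.dip0.t-ipconnect.de"))
```

Feeding the reversed name back through ip_from_gce_ptr gives 104.154.237.93, which is the address to put in a Google Cloud abuse report; looking up the literal 93.237.154.104 instead lands on an unrelated Deutsche Telekom customer, which is the trap the second lookup in the post illustrates.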
