Symantec Intelligence

World Cup spam with obfuscated JavaScript attachment

Created: 15 Jun 2010

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec Hosted Services

The FIFA World Cup, which officially started in South Africa last Friday, has been the subject of intense public interest for the past few months. That interest has not gone unnoticed by scammers and malware authors, who are skilled at using high-profile events to entice unsuspecting users into opening their malicious messages.

MessageLabs Intelligence recently saw some spam for a pharmaceutical site using the World Cup to try to entice users to open the message. The subject of these messages was:

Subject: FIFA World Cup South Africa... bad news

The spammer's exact reasoning is unclear, but it is likely that they hope recipients will read this subject, assume the tournament has somehow been disrupted (as the Africa Cup of Nations was earlier this year), and open the message without thinking. The body of the message contains more World Cup-related text, urging recipients to open an attached document named "news.html":

Hello!!
FIFA World Cup 2010 scandal news, read attached document

The attachment is indeed an HTML file. It contains a single 'script' element holding obfuscated JavaScript--in other words, the spammer has gone to considerable lengths to disguise what the script actually does. Developers writing JavaScript normally aim to make code as readable and clear as possible; here the opposite is true. The obfuscated JavaScript redirects the recipient's browser to a different location, but that location is disguised as:

hJt>t>p>:S/2/2aSd>v2aSnlcleldSwloloJd>tSe2c2hJ.2cSo>ml/2xJnSuJ4JeSjS/2z2.Shltlm

Looking at the first few characters ("hJt>t>p>:"), you may already see what is going on. Remove the "J" and ">" characters and this becomes "http:"--the start of a URL. The script simply strips these characters and three others ("S", "2" and "l") from the string, which reveals the destination URL:

http://redacted/xnu4ej/z.htm
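The following is an added example, not code from the original post or from the attachment it describes. It reconstructs the junk-character scheme the post explains (extra characters from a fixed alphabet scattered through the URL, then stripped at runtime) and reverses it with plain string operations, so an analyst or mail gateway can recover the redirect target without ever executing the script. The junk alphabet (J, >, S, 2, l) is the one the post names; the sample attachment and the host "bad-host.test" are constructed placeholders, since feeding the post's own string through the decoder would recover the host the post redacts.

```javascript
// Added example (not from the original Symantec post). Assumptions: the junk
// alphabet is the one the post describes; SAMPLE_URL and SAMPLE_ATTACHMENT are
// constructed for this example and "bad-host.test" is a placeholder host.

const JUNK = ['J', '>', 'S', '2', 'l'];

// Insert junk characters between the characters of the real URL, as the
// spammer did. A deterministic pattern is used so the result is reproducible.
function obfuscate(url, junk = JUNK) {
  for (const ch of url) {
    if (junk.includes(ch)) {
      // If the real URL contained a junk character, stripping it at runtime
      // would corrupt the URL, so the alphabet must avoid the target string.
      throw new Error(`payload contains junk character ${JSON.stringify(ch)}`);
    }
  }
  let out = '';
  url.split('').forEach((ch, i) => {
    out += ch;
    const n = i % 3; // zero, one or two junk characters after each real one
    for (let k = 0; k < n; k++) out += junk[(i + k) % junk.length];
  });
  return out;
}

// Reverse the transform with a filter; no eval, no DOM, no browser.
function deobfuscate(s, junk = JUNK) {
  return s.split('').filter(ch => !junk.includes(ch)).join('');
}

// A constructed attachment shaped like "news.html": one <script> element
// that decodes the string and redirects. It is treated purely as text below.
const SAMPLE_URL = 'http://bad-host.test/xnu4ej/z.htm';
const SAMPLE_ATTACHMENT = `<html><body><script>
var u="${obfuscate(SAMPLE_URL)}";
window.location=u.replace(/[J>S2l]/g,"");
</script></body></html>`;

// Static triage: for every <script> body, take the junk alphabet from a
// replace(/[...]/g,"") call if one is present (fall back to the known set),
// strip it from each long string literal, and report anything URL-like.
function extractRedirectTargets(html) {
  const targets = [];
  const scriptRe = /<script[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[1];
    const alphaMatch = body.match(/\.replace\(\/\[([^\]]+)\]\/g\s*,\s*["']{2}\)/);
    const junk = alphaMatch ? alphaMatch[1].split('') : JUNK;
    const strRe = /["']([^"']{8,})["']/g;
    let s;
    while ((s = strRe.exec(body)) !== null) {
      const candidate = deobfuscate(s[1], junk);
      if (/^https?:\/\/\S+/.test(candidate)) targets.push(candidate);
    }
  }
  return targets;
}

// Usage: node this-file.js
console.log('obfuscated:', obfuscate(SAMPLE_URL));
console.log('recovered :', extractRedirectTargets(SAMPLE_ATTACHMENT));
```

The two regular expressions in extractRedirectTargets are deliberately loose: the point is to locate a long string literal next to a character-class replace() call, a pairing that has no reason to exist in an ordinary HTML attachment, and that alone is a reasonable gateway heuristic even when the decoded string turns out not to be a URL.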

This URL points to a page the spammer has created on what looks like a compromised server. The page contains a hidden 1-by-1-pixel iframe that loads a tracking "bug" (presumably so the spammer can measure the response rate to the campaign) and then uses an HTML-based redirect to send the user to a pharmaceutical web site selling common drugs.

This particular spam is noteworthy because it combines a high-profile event of global interest with obfuscated JavaScript in an attachment. That approach--together with luring recipients into opening a message with a subject unrelated to its real purpose--is usually more associated with malware than with pharmaceutical spam.

As the tournament continues, MessageLabs Intelligence expects to see more World Cup-related spam and malware threats emerge.