A Small Spam Campaign

About a week ago, I saw this on VirusTotal:

https://virustotal.com/en/url/4edb3a7d65360fb15dcdf411bb5cce35eba2b454cf9b6d7d7d5dd4d5dbfff7f9/analysis/

A user by the name of “sgsturby” reported that it was spam. I only had about 20 minutes free, so I did some quick Google searches involving the domain, which turned up the following:


The domain is listed as untrustworthy, with a category of Spam, by Web of Trust. I then went onto Twitter and searched for the domain, and found these two Twitter accounts regularly tweeting the domain as well as some other spam:

What I first noticed is that these two accounts mainly tweet in Japanese and occasionally in English and Russian.

After that, I did a WHOIS check on the domain and found this information:

Domain Name: lnaj7k8qspkistk3sll0hqp6mo2wq8go.com
Registry Domain ID: 2110457972_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.discount-domain.com
Registrar URL: http://www.onamae.com
Updated Date: 2017-04-03T00:00:00Z
Creation Date: 2017-04-02T00:00:00Z
Registrar Registration Expiration Date: 2018-04-02T00:00:00Z
Registrar: GMO INTERNET, INC.
Registrar IANA ID: 49
Registrar Abuse Contact Email: email@gmo.jp
Registrar Abuse Contact Phone: +81.337709199
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID: Not Available From Registry
Registrant Name: Whois Privacy Protection Service by onamae.com
Registrant Organization: Whois Privacy Protection Service by onamae.com
Registrant Street: 26-1 Sakuragaoka-cho
Registrant Street: Cerulean Tower 11F
Registrant City: Shibuya-ku
Registrant State/Province: Tokyo
Registrant Postal Code: 150-8512
Registrant Country: JP
Registrant Phone: +81.354562560
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: email@whoisprotectservice.com
Registry Admin ID: Not Available From Registry
Admin Name: Whois Privacy Protection Service by onamae.com
Admin Organization: Whois Privacy Protection Service by onamae.com
Admin Street: 26-1 Sakuragaoka-cho
Admin Street: Cerulean Tower 11F
Admin City: Shibuya-ku
Admin State/Province: Tokyo
Admin Postal Code: 150-8512
Admin Country: JP
Admin Phone: +81.354562560
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: email@whoisprotectservice.com
Registry Tech ID: Not Available From Registry
Tech Name: Whois Privacy Protection Service by onamae.com
Tech Organization: Whois Privacy Protection Service by onamae.com
Tech Street: 26-1 Sakuragaoka-cho
Tech Street: Cerulean Tower 11F
Tech City: Shibuya-ku
Tech State/Province: Tokyo
Tech Postal Code: 150-8512
Tech Country: JP
Tech Phone: +81.354562560
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: email@whoisprotectservice.com
Name Server: ns1.elasticdomain.net
Name Server: ns2.elasticdomain.net
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2017-04-03T00:00:00Z <<<
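
The checks an analyst runs over a record like the one above can be scripted. The following is an added example, not code from the original post: it parses the pasted WHOIS output, measures the domain's age at the time it was seen, and flags a privacy-protected registrant and a random-looking label. The embedded record is a constructed excerpt of the one quoted above, the observation date is assumed (the post only says "about a week ago"), and the age and entropy thresholds are assumptions, not published rules.

```python
import math
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed excerpt of the WHOIS record quoted in the post, embedded so this runs offline.
WHOIS_TEXT = """\
Domain Name: lnaj7k8qspkistk3sll0hqp6mo2wq8go.com
Creation Date: 2017-04-02T00:00:00Z
Registrant Name: Whois Privacy Protection Service by onamae.com
Registrant Email: email@whoisprotectservice.com
Name Server: ns1.elasticdomain.net
Name Server: ns2.elasticdomain.net
"""

def parse_whois(text):
    """Turn 'Key: value' lines into a dict; keys that repeat (Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^([^:>]+):\s*(.*)$", line)   # skips the '>>> Last update' banner
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key in record:
            prev = record[key]
            record[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            record[key] = value
    return record

def label_entropy(domain):
    """Shannon entropy in bits/char of the leftmost label; random strings score high."""
    label = domain.lower().split(".")[0]
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def triage(record, observed_on):
    """Indicators worth flagging for a domain seen in spam, given the date it was observed."""
    created = datetime.fromisoformat(record["Creation Date"].replace("Z", "+00:00"))
    seen = datetime.fromisoformat(observed_on).replace(tzinfo=timezone.utc)
    label = record["Domain Name"].split(".")[0]
    entropy = label_entropy(record["Domain Name"])
    return {
        "age_days": (seen - created).days,
        "newly_registered": (seen - created).days < 30,        # threshold is an assumption
        "privacy_protected": "privacy" in record.get("Registrant Name", "").lower(),
        "label_entropy": round(entropy, 2),
        "random_looking": len(label) >= 20 and entropy > 3.5,  # thresholds are assumptions
    }
```

Calling `triage(parse_whois(WHOIS_TEXT), "2017-04-10")` reports a domain 8 days old, privacy-protected, with a 32-character label of roughly 4.2 bits/char entropy.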

Using a tool called Fiddler, I then checked out some of the bit.ly links that these accounts were posting and found these domains:

bit.ly/M3kdw8
bit.ly/1ekUb52
onamae.com
bgipeo.com
enmoderugby.com
http://www.bankcustomercare.in/complaint-212576-mobile-no-change-p25?utm_source=feedburner&utm_medium=twitter&utm_campaign=Feed%3A+bankcustomercare+%28Bank+Customer+Care%29
http://www.googmail.info/tv/list.php
http://www.gourpedia.com/light/tv/?id=4e10150ce884c90f610f8aabb2a552e2

From what I have gathered, this spam campaign mainly operates through email services and Twitter, and spams website inboxes via contact forms.

Keep in mind that I have not done an in-depth analysis of these domains and this is not the full extent of the spam campaign. This is just a quick blog post to make security researchers aware of the campaign.
