Tumblr Redirects
Recently I’ve been seeing spam messages like the one below:
Your inbox is full of surprises from a special someone. You should go check it out now. To receive this special gift, View Here
Sent from Yahoo! Mail on Android
The “View Here” link points to Tumblr pages such as the following (one sample went through the t.co URL shortener first before landing on Tumblr):
kmghoshk.tumblr.com
wcmxztol.tumblr.com
These pages contain the following obfuscated JavaScript, which does nothing but reassemble a URL from string fragments and redirect the browser to it:
// Obfuscated redirector found on the spam Tumblr pages (sample 1).
// Every helper (ertryu, ikgofp, hgypvh, iatyan) simply returns its
// arguments concatenated; the string fragments reassemble to
//   hxxp://ecardlovewish.com/?6QBckb
// and the final document.location assignment sends the visitor there.
var dnc='http'; var ghmr='://e'; function
ertryu(wnz,hfy){return wnz+hfy} var ndnkkl=ertryu(dnc,ghmr);var qvst='card';
var fcv='love'; function ikgofp(gtq,ojh){return gtq+ojh} var
pdgfvt=ikgofp(qvst,fcv);var ymm='wis'; var zko='h.co'; function
hgypvh(ocu,cln){return ocu+cln} var ehillv=hgypvh(ymm,zko);var jah='m/?'; var
wlo='6QBc'; var ehjh='kb'; function iatyan(rcw,dgi,ygk){return rcw+dgi+ygk} var
hjgfam=iatyan(jah,wlo,ehjh); var kwzkgy=ndnkkl+pdgfvt+ehillv+hjgfam;
// kwzkgy now holds the full URL; assigning it navigates the page.
document.location = kwzkgy
// Sample 2, same construction as sample 1 (helpers only concatenate their
// arguments). The fragments 'http'+'://e'+'card'+'lov'+'ersw'+'ish'+'.com'+
// '/?C'+'qdve'+'e' reassemble to
//   hxxp://ecardloverswish.com/?Cqdvee
// and document.location = vaybau redirects the visitor there.
var uvw='http'; var unn='://e'; function xoimr(qmn,cey){return qmn+cey} var opbsj=xoimr(uvw,unn);var jvgt='card'; var smo='lov'; function dbog(tzp,nqh){return tzp+nqh} var rvoa=dbog(jvgt,smo);var foi='ersw'; var rth='ish'; function qzhlg(uwu,mrg){return uwu+mrg} var wtzdi=qzhlg(foi,rth);var hqzh='.com'; var vrly='/?C'; function shfq(fgk,yom){return fgk+yom} var vzby=shfq(hqzh,vrly);var dih='qdve'; var ibt='e'; function rdetyd(xep,itr){return xep+itr} var ybvpit=rdetyd(dih,ibt); var vaybau=opbsj+rvoa+wtzdi+vzby+ybvpit; document.location = vaybau
Deobfuscated, the two scripts above simply redirect the browser to (defanged):
hxxp://ecardlovewish.com/?6QBckb
hxxp://ecardloverswish.com/?Cqdvee
These in turn redirect to dating sites (iHookup, ScoreNextDoor, etc.).
Update 1:
The attackers have since added another variant. It uses the same concatenation trick but splits the fragments at different points (e.g. 'htt' + 'p://' instead of 'http' + '://'), and decodes to hxxp://ecard3-lover.com/?5MzoGyEy:
// Sample 3 (Update 1). Same concatenate-and-redirect pattern, but the
// string is split at different boundaries: 'htt'+'p://'+'ecar'+'d3-'+
// 'love'+'r.co'+'m/?5'+'Mzo'+'GyEy', which reassembles to
//   hxxp://ecard3-lover.com/?5MzoGyEy
// Note the scheme is no longer a single 'http' literal, which is why a
// signature keyed on the literal 'http' would miss this variant.
var bwl='htt'; var jwu='p://'; function relz(dgk,cpy){return dgk+cpy} var bgbr=relz(bwl,jwu);var daih='ecar'; var zpd='d3-'; function eettgr(xyl,too){return xyl+too} var sdiocl=eettgr(daih,zpd);var xand='love'; var max='r.co'; function sccfhz(krs,mre){return krs+mre} var abbghb=sccfhz(xand,max);var khd='m/?5'; var esd='Mzo'; var zcl='GyEy'; function frmy(jxx,sbe,onn){return jxx+sbe+onn} var qpyj=frmy(khd,esd,zcl); var otoa=bgbr+sdiocl+abbghb+qpyj; document.location = otoa
The Snort signature below should match all of the variants above: it keys on the fragment `='htt` followed by `://` within 15 bytes, which covers both the 'http'+'://' split and the 'htt'+'p://' split. Two caveats: the `within` distance depends on the length of the randomly generated variable name between the two fragments, so verify it against captured samples rather than assuming it fits, and the pattern is deliberately loose, so expect false positives on any page that assigns a string literal beginning with "htt" to a variable. A further shift of the split point (e.g. 'ht' + 'tp://') would evade it and the rule would need another revision.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Tumblr spam redirect"; flow:from_server; file_data; content:"='htt"; content:"://"; within: 15; metadata:policy security-ips drop, service http; classtype:bad-unknown; sid:10000014; reference:url,malwareandmore.blogspot.com/2012/06/tumblr-redirects.html; rev:2;)