Having had the jumpstation.co.uk domain since before 2000, I get a lot of spam and have seen most spam campaigns and techniques. This one today made me sit up and pay attention.
I am a professional(*) and open these links in Virtual Machines. DO NOT TRY THIS AT HOME
Subject: Urgent! Email Removal Initiated!
Date: 13 Sep 2024 08:30:17 +0000
Reply-To: jumpstation.co.uk-Mailserver<noreply@jumpstation.co.uk>
Dear Email,
email@jumpstation.co.uk removal from server has been approved and initiated, Due to ignorance of last verification warning.
Removal will occur in exactly 48 hours from now 9/13/2024 8:30:17 a.m.
We recommend that you do any of the below and protect your mailbox and increase email security.
Continue Removal
Cancel Removal
jumpstation.co.uk Webmail Support
The Continue Removal and Cancel Removal links go to the same place.
But kudos on using noreply @ jumpstation.co.uk
The result of following that link was not what I expected.
The URL shows gateway.lighthouse.storage, but that is my site being displayed!
In the HTML source they are just using an iframe to load my site and then overlaying the fake login modal on top of it.
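The overlay trick above only works because the framed site lets any origin load it in an iframe. As an added example (not code from the original post), here is a small check that reads a site's response headers and says whether a third-party page may frame it, following the X-Frame-Options and CSP frame-ancestors rules that current browsers apply. The header sets at the bottom are constructed for illustration; `checkUrl` assumes Node 18+ for the global `fetch` and is not exercised offline.

```javascript
// Added example: decide from response headers whether an arbitrary origin can
// load a page in an iframe (the precondition for the iframe-plus-modal overlay).
// Sample header sets below are constructed, not captured from any real site.

function parseFrameAncestors(csp) {
  // Returns the source list of the frame-ancestors directive, or null if the
  // directive is absent. Quotes around keywords like 'self' are stripped.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

function framingPolicy(headers) {
  // headers: plain object of header name -> value, names in any case.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);

  // CSP Level 3: when frame-ancestors is present, browsers ignore X-Frame-Options.
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    if (ancestors.length === 0 || ancestors.includes('none'))
      return { framableByAnyOrigin: false, reason: "CSP frame-ancestors 'none'" };
    if (ancestors.every(a => a === 'self'))
      return { framableByAnyOrigin: false, reason: "CSP frame-ancestors 'self' (same origin only)" };
    const openToAll = ancestors.some(a => a === '*' || /^https?:$/.test(a));
    return {
      framableByAnyOrigin: openToAll,
      reason: openToAll
        ? 'CSP frame-ancestors allows any origin'
        : 'CSP frame-ancestors allowlist: ' + ancestors.join(' '),
    };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN')
    return { framableByAnyOrigin: false, reason: 'X-Frame-Options ' + xfo };
  if (xfo.startsWith('ALLOW-FROM'))
    return { framableByAnyOrigin: true, reason: 'X-Frame-Options ALLOW-FROM is obsolete; current browsers ignore it' };
  return { framableByAnyOrigin: true, reason: 'no anti-framing header sent' };
}

async function checkUrl(url) {
  // Live variant (assumes Node 18+ global fetch); not used by the samples below.
  const res = await fetch(url, { method: 'GET', redirect: 'follow' });
  return framingPolicy(Object.fromEntries(res.headers.entries()));
}

// Constructed sample header sets covering the common cases.
const SAMPLE_HEADERS = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'Content-Type': 'text/html', 'X-Frame-Options': 'DENY' },
  cspNone: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspOverridesXfo: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors *' },
};

for (const [name, headers] of Object.entries(SAMPLE_HEADERS)) {
  console.log(name, framingPolicy(headers));
}
```

A site that wants to stop this kind of overlay sends `Content-Security-Policy: frame-ancestors 'none'` (or `'self'` if it frames itself), with `X-Frame-Options: DENY` alongside for older browsers. Note the last sample: a permissive CSP frame-ancestors wins over a restrictive X-Frame-Options, so the two headers need to agree.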
What is especially interesting is the use of the JUMPSTATION name and the favicon. If I had not been paying attention, and this had gone to a work domain I had not used for a while, then this might have been genuinely convincing.
The favicon is not downloaded by the enemy web server, converted and served as an image. No, Google seems to have a service for that:
https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&fallback_opts=TYPE,SIZE,URL&url=http://jumpstation.co.uk&size=16
Many, many spam/scam emails I get have numerous redirects that bounce between compromised servers. This one just uses gateway.lighthouse.storage.
I followed the root domain and reported it through their contact us form.
FYI, the rendered scam web page is just one huge encoded string passed through document.write:
document.write(unescape('%3C%53% ... '))
Which seems to decode to yet more encoded JavaScript. So... as soon as anti-malware tools catch up with double encoding, the scammers will switch to triple encoding??
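Peeling those layers by hand in a VM is tedious, so here is an added example (not code from the original post) of doing it offline: it repeatedly matches `document.write(unescape('...'))`, runs the Annex-B `unescape` on the string, and stops when no further layer is found, then pulls out the indicators an analyst actually wants from the final markup (framed origins and form submission targets). The sample page is constructed here by wrapping a benign page twice with `escape()`; the hostnames in it are placeholders, not the ones from the real email.

```javascript
// Added example: unwrap nested document.write(unescape('...')) layers and
// extract framed origins / form targets. The encoded sample is constructed
// below with escape(); it stands in for the real encoded string.

const WRITE_RE = /document\.write\(\s*unescape\(\s*'([^']*)'\s*\)\s*\)/;

function peelDocumentWrite(source, maxLayers = 10) {
  // Returns { depth, final, layers }: depth is how many encoded layers were
  // removed, final is the markup left once no more document.write wrapper
  // matches. maxLayers guards against a page that re-encodes itself forever.
  const layers = [];
  let current = source;
  for (let i = 0; i < maxLayers; i++) {
    const m = WRITE_RE.exec(current);
    if (!m) break;
    current = unescape(m[1]); // Annex-B unescape: handles %XX and %uXXXX
    layers.push(current);
  }
  return { depth: layers.length, final: current, layers };
}

function extractIndicators(html) {
  // Cheap regex pull of iframe src and form action attributes; enough for
  // triage, not a full HTML parser.
  const grab = (tag, attr) =>
    Array.from(
      html.matchAll(new RegExp(`<${tag}\\b[^>]*\\b${attr}=["']([^"']+)["']`, 'gi')),
      m => m[1]
    );
  return { iframeSrcs: grab('iframe', 'src'), formActions: grab('form', 'action') };
}

function analyse(source) {
  const peeled = peelDocumentWrite(source);
  return { depth: peeled.depth, ...extractIndicators(peeled.final) };
}

// Constructed sample: a benign page that frames one placeholder origin and
// posts a form to another, wrapped twice to mimic the double encoding seen.
const INNER_PAGE = '<html><body>'
  + '<iframe src="https://framed-site.example/"></iframe>'
  + '<form action="https://collector.example/post.php" method="post">'
  + '<input name="password"></form>'
  + '</body></html>';
const wrap = markup => `<script>document.write(unescape('${escape(markup)}'))</script>`;
const SAMPLE_DOUBLE_ENCODED = wrap(wrap(INNER_PAGE));

console.log(JSON.stringify(analyse(SAMPLE_DOUBLE_ENCODED), null, 2));
```

Because `escape()` never emits a quote character, each layer's string literal is always delimited cleanly, which is why a single regex is enough here; a real sample that uses `"` delimiters or string concatenation would need the regex extended. A triple-encoded page would simply report depth 3.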
Unsurprisingly, entering your password multiple times eventually redirects to jumpstation.co.uk.
The login data gets POSTed to https://huntanstongolfclub .com/icon/bomb.php but I was bored and didn't investigate any further...
But I did bomb the bomb :D
for i in {1..50000}; do curl "https://huntanstongolfclub .com/icon/bomb.php" --data-raw "email=donald@whitehouse .gov&password=chumpette";done
Sometimes I put more effort into spamming the spammers with data that is harder for them to filter out.
(*) Well not a professional to do with scam/spam, but I am a professional of something.