What risks do I have now that I accidentally opened a suspicious URL sent to me by Skype?

What risks do you have?

Possibly that your computer is now infected with malicious software like a virus or a trojan horse. The following steps should be taken if you haven't already.


What to do?

There are some steps you can take:

  • First of all, don't click on links that you don't trust or know
  • Use unshortenit.it or urlex.org to check where the shortened links will send you, and analyse those URLs using virustotal.com
  • Make sure you have a virus scanner*, anti-spyware** software (and an ad-blocker plugin***) installed
  • Update, update, update (make sure all software, including your operating system, is up to date)
  • Perform a full-system anti-virus and anti-malware scan
  • Change your Skype password, since it's unclear whether this was caused by a compromised computer of your University contact or by your leaked Skype password
  • Inform your University contact; he might be infected

For example: *Avira Anti-Virus, **Spybot Search and Destroy, ***Adblock Plus, Adblock, uBlock Origin


What caused it?

  1. An annoying University contact who's trying to be funny
  2. An infected University contact who has no idea that his computer or hacked Skype account is being used to send such messages to his Skype contacts

Additional information

The technique used here is URL obfuscation, usually using different URL-shortening services or hacked websites to redirect traffic.

Analyzing the URL forwarding

Below is a trace of how the URL redirects. Warning: do not open these URLs:

1: http://bit.ly/28PPw3V#dahubas=my_skype_id
2: http://www.shopintoledo.com/redirect.aspx?url=http://fatjtohuh.net-www-rostizado.gq/?/welcome/site/?vuhonoh
3: http://fatjtohuh.net-www-rostizado.gq/?/welcome/site/?vuhonoh
4: http://cheergoldfulsilvermotion.com/?a=370960&c=brain&s=wee
5: http://318-inteligen.cheergoldfulsilvermotion.com/intl/vwme/inteligen/

Malware detection

The first three URLs don't seem infected (according to the results of virustotal.com). The last two URLs seem to be infected, as shown in the image below (detection rate of 2/67, and a suspicious mark). The detection rate for the domain cheergoldfulsilvermotion.com seems even higher (3/67, and a suspicious mark).

[image: virustotal.com scan results for the URLs above]

Sucuri SiteCheck also shows that there is malicious code detected on the website, as shown in the picture below. The payload is called mwjs-iframe-injected530?v22; see this report about it. It seems to be related to http://aspectsdesktoponepro.org/go.php?sid=4 (don't open it), which is again flagged as malicious by Sophos anti-virus on virustotal.com.

[image: Sucuri SiteCheck results]


Advanced malware analysis / reverse engineering

If you would like to perform advanced malware analysis or reverse engineering on the malware used in this case, make sure you do it in an isolated environment, for example an isolated virtual machine. I posted the first steps on how to do so and the first results at the following locations:

  • pastebin.com
  • pastebin.com
  • jsunpack.jeek.org

Update: Further investigation shows a connection to IP address 5.45.81.159, which is also related to fatgoldworkburnachieve.com and 891-health.goldlovelyozmotion.com, which all seem to be infected with malware named MW:HTA:7; see report here and report here. Anyway, they all mostly end up redirecting to http://fgnfdfthrv.bee.pl/?q=, which is heavily blacklisted and marked as a malicious (malware) site. The deobfuscated JavaScript code that I could find on the bee.pl subdomain where the redirects seem to end is this:

// Returns true if the browser accepts cookies (tries to set a test cookie
// when navigator.cookieEnabled is not available).
function are_cookies_enabled() {
    var cookieEnabled = (navigator.cookieEnabled) ? true : false;
    if (typeof navigator.cookieEnabled == "undefined" && !cookieEnabled) {
        document.cookie = "testcookie";
        cookieEnabled = (document.cookie.indexOf("testcookie") != -1) ? true : false;
    }
    return (cookieEnabled);
}
// Cookie-gated redirect: real browsers go to the malicious site,
// cookie-less clients (scanners, curl) get a harmless decoy.
if (are_cookies_enabled()) {
    window.location.href = 'http://408-iq.fatgoldworkburnachieve.com/us/iwis/brain_cnn/';
} else {
    window.location.href = 'http://savethechildren.org/';
}

It seems that if you had cookies enabled you get redirected to a malicious site. If you had them disabled it seems to send you to savethechildren.org, which seems uninfected to me. The http://408-iq.fatgoldworkburnachieve.com/us/iwis/brain_cnn/ URL seems to redirect to different URLs every time I connect to it in different ways. Examples of where I ended up are:

  • https://integrated-payments-zone.com/brain_int/?a=370945&click_id=06_84198625_849b0176-94f3-4b48-9746-b6122b7a9497&subid1=326965&netid=3&ver=old
  • http://408-iq.fatgoldworkburnachieve.com/us/iwis/brain_cnn/
  • http://108-iq.topggolddbestanyw.com/nl/xdxz/inteligen/
  • http://408-iq.fatgoldworkburnachieve.com/us/iwis/brain_cnn/go.php
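The redirect trace and the cookie-gated JavaScript in the answer above can be reproduced without ever rendering a page. The following is an added example, not code from the original answer or from the malware: a small Python tracer that follows HTTP 3xx hops, `<meta http-equiv="refresh">` hops and `location.href = ...` assignments by pattern matching rather than execution, stops on loops and a hop limit, reports every branch a script could redirect to (so a decoy `else` branch like savethechildren.org does not hide the real target), and defangs URLs for reporting. The `.invalid` hostnames and responses are constructed test data modelled on the chain in the answer, not the real sites; `urllib_fetch` is the live fetcher and should only be used from an isolated VM.

```python
"""Trace a redirect chain hop by hop without rendering any of the pages.

Added example, not from the original answer. ``fetch`` is an injection point: a
live fetcher (urllib with redirects disabled) traces real chains from an
isolated host, and the constructed fake at the bottom lets this file run offline.
"""
import re
import urllib.error
import urllib.request
from html import unescape
from urllib.parse import urljoin

MAX_HOPS = 10  # stops A -> B -> A loops and endless redirect farms

# Client-side redirects are recovered with regexes rather than by executing the
# script, so nothing from the page runs on the analyst's machine.
_META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)
_JS_LOCATION = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def next_hop(url, status, headers, body):
    """Return (kind, absolute_url) of the next hop, or None when the chain ends."""
    if 300 <= status < 400 and headers.get("location"):
        return "http", urljoin(url, headers["location"])
    m = _META_REFRESH.search(body)
    if m:
        return "meta-refresh", urljoin(url, unescape(m.group(1)))
    m = _JS_LOCATION.search(body)
    if m:
        return "js", urljoin(url, m.group(1))
    return None


def js_targets(body):
    """All URLs a script assigns to location. The bee.pl sample in the answer hides
    the malicious target behind a cookie check with a decoy in the else branch, so
    report every branch, not just the first one a naive client would follow."""
    return _JS_LOCATION.findall(body)


def trace(url, fetch, max_hops=MAX_HOPS):
    """Follow redirects from ``url``; returns [(url, how_reached), ...] where the
    second field is start/http/meta-refresh/js, suffixed -loop on a revisit, or
    hop-limit when max_hops was exhausted before the chain ended."""
    chain = [(url, "start")]
    seen = {url}
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}
        hop = next_hop(url, status, headers, body)
        if hop is None:
            return chain
        kind, url = hop
        if url in seen:
            chain.append((url, kind + "-loop"))
            return chain
        seen.add(url)
        chain.append((url, kind))
    chain[-1] = (url, "hop-limit")
    return chain


def defang(url):
    """hxxp://evil[.]example form, so a pasted chain is not clickable in a report."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")


def urllib_fetch(url, timeout=10):
    """Live fetcher: one request, redirects not followed, body capped at 64 KiB.
    Only run this from an isolated VM with controlled egress."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as r:
            return r.status, dict(r.headers), r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 3xx surfaces here once redirects are off
        return e.code, dict(e.headers), ""


# Constructed offline chain modelled on the answer's trace: shortener -> open
# redirector -> meta refresh -> cookie-gated JS redirect -> landing page.
# .invalid is reserved for exactly this kind of test data.
_JS_BODY = """<script>
if (are_cookies_enabled()) {
    window.location.href = 'http://408-iq.lander.invalid/us/brain/';
} else {
    window.location.href = 'http://charity.invalid/';
}
</script>"""
_FAKE_SITE = {
    "http://short.invalid/abc": (301, {"Location": "http://redirector.invalid/redirect.aspx?url=http://lander.invalid/welcome/"}, ""),
    "http://redirector.invalid/redirect.aspx?url=http://lander.invalid/welcome/": (302, {"Location": "http://lander.invalid/welcome/"}, ""),
    "http://lander.invalid/welcome/": (200, {}, '<meta http-equiv="refresh" content="0; url=/go.php">'),
    "http://lander.invalid/go.php": (200, {}, _JS_BODY),
    "http://408-iq.lander.invalid/us/brain/": (200, {}, "<html>landing page</html>"),
    "http://loop-a.invalid/": (302, {"Location": "http://loop-b.invalid/"}, ""),
    "http://loop-b.invalid/": (302, {"Location": "http://loop-a.invalid/"}, ""),
}


def fake_fetch(url):
    """Offline stand-in for urllib_fetch, serving the constructed responses."""
    return _FAKE_SITE.get(url, (404, {}, ""))


if __name__ == "__main__":
    for hop_url, how in trace("http://short.invalid/abc", fake_fetch):
        print(f"{how:13s} {defang(hop_url)}")
    print("all JS branches:", [defang(u) for u in js_targets(_JS_BODY)])
```

Swap `fake_fetch` for `urllib_fetch` to trace a live chain; because the live fetcher sends no cookies, a cookie-gated page like the one above would show the decoy as `next_hop` while `js_targets` still lists the real target, which is the point of reporting all branches. Keep the hop limit: redirect farms that rotate through affiliate networks, like the `click_id`/`subid` URLs in the answer, otherwise run for a long time.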