workers.dev_scam is a spam campaign whose messages carry a bounce link to a phish page. The phish page is hidden on a compromised webserver and contains fields requesting the victim's login, password and other credentials. Besides the phish form, the page runs a script that automates a download of spyware into the victim's browser. The first encounter with this scam was on a compromised subdomain of workers.dev, hence the name. The phish page is identical to the one used in googleapiscam, with the same phish fields. The phish page and malware repository are found on subdomains hosted by No-IP, such as servebeer.com, servehttp.com, servehalflife.com and 3utilities.com. The same phish design is also found on domains hosted by Cloudflare: dangyou-gw1.com, xul77zi8z.com, w1163.com and h1252.com.
Here is an example of the spam header (unfolded one field per line; the SpamAssassin report that followed it is included):

```
return-path: <lmfp@service.o121u.cn>
envelope-from <lmfp@service.o121u.cn> ; wed, 24 aug 2022 17:32:22 +0800
return-path: <lmfp@service.o121u.cn>
delivery-date: wed, 24 aug 2022 17:32:22 +0800
received: from 997645-cd48245.tmweb.ru 89.223.69.206:59212 helo=service.o121u.cn
    with esmtp exim 4.95 envelope-from <lmfp@service.o121u.cn> id 1oqmkh-00068e-6q
    wed, 24 aug 2022 17:32:22 +0800
dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mykey; d=service.o121u.cn;
    h=date:from:to:subject:message-id:mime-version:content-type;
    bh=x+rhahichzasugndpzdlcxb+/ok=;
    b=zy0via0ipeht3xm1nkudmawvo0unc/8d0moo3sbw5ilrhclukfqjin0bysa0x9d8c5fw/y7jcw0w
    mmdwgh5uzyseers61umqlm4mfzl/s1weozinyghyxb1ah0quwluowcwgrpuc8hqmxljf2bmwfmv8
    ut77ijzabtwnl4rhxva=
received: from xnolqgl 20.222.121.4 by service.o121u.cn id h0no260001gb for ;
    wed, 24 aug 2022 12:31:27 +0300 envelope-from <lmfp@service.o121u.cn>
date: wed, 24 aug 2022 09:31:19 +000
from: =?utf-8?b?44gi44gn44gt44gj44go?=
subject: =?utf-8?b?6ieq5yuv6yca5lya5yem55cg44gr44gk44ge44gm44cq44gi44gn44gt44gj44go44cr?=
message-id: <20220824093126084780@service.o121u.cn>
x-mailer: foxmail 6, 13, 102, 15 cn
mime-version: 1.0
content-type: multipart/alternative; boundary="=====003_dragon508416676571_====="
x-spam-status: no, score=1.7
x-spam-score: 17
x-spam-bar: +

message has been attached to this so you can view it or label similar future email.
if you have any questions, see root@localhost for details.

content preview: 日頃より「えきねっと」をご利用いただきありがとうございます。 「えきねっと」は 2022 年 8 月 24 日水にサービスをリニューアルいたしました。これ に伴い、「えきねっと」利用規約・会員規約を変更し、最後に

content analysis details: 1.7 points, 5.0 required

 pts rule name               description
 0.0 uribl_blocked           administrator notice: the query to uribl was blocked.
                             see wiki.apache.org/spamassassin/dnsblocklistsdnsbl-block for more information.
                             uris: 3utilities.com
 0.4 invalid_date            invalid date: header not rfc 2822
-0.0 spf_helo_pass           spf: helo matches spf record
-0.0 spf_pass                spf: sender matches spf record
 0.0 html_message            body: html included in message
 0.0 html_font_face_bad      body: html font face is not a word
 0.1 dkim_signed             message has a dkim or dk signature, not necessarily valid
-0.1 dkim_valid              message has at least one valid dkim or dk signature
 1.3 rcvd_in_validity_rpbl   rbl: relay in validity rpbl, senderscore.org/blocklistlookup/
                             89.223.69.206 listed in l.score.senderscore.com
 0.0 from_excess_base64      from: base64 encoded unnecessarily
-0.0 t_scc_body_text_line    no description available.
x-spam-flag: no
```

The data for workers.dev_scam is collected using Zifsoft Aggressor. Zifsoft Aggressor is a diagnostic system that is an add-in for email clients. Unlike current spam software, which just sends the spam to a spam box, Zifsoft Aggressor analyzes the spam, investigating the MIME header, the email content and the links. Zifsoft Aggressor uses its database to determine the type of attack. Once the analysis is done, the software informs the host admin. There is an inbuilt escalation process: if the spam continues, the attacker's registrar is informed.
The header reveals that the spam originates from China. The email is spoofed in the same specific way as the spoofing method used by a Hong Kong spammer, Smart Wong. Smart Wong makes a living from selling emails, spamming thousands of emails per day, and runs a hacking network. The spoofing method hasn't changed since we started analyzing spam mail from this criminal, whom we call emaileadscammer. This scammer is a west263 reseller. Smart Wong's spam system uses an expired domain to initiate the SMTP HELO; this is the first layer used to hide the origin of the email. The HELO connects to a scam domain such as yahoo.com.cn, which is owned by Smart Wong and for which he has negotiated mail services. The connection then interfaces with mail services provided by timeweb.ru, hostwinds.com, nttpc.co.jp and many more. Workers.dev_scam has also infiltrated 25 domains on 101domain.com, which are also used to spam. The following data, collected over 8 weeks, shows the final spam deliverers.
| Delivering network | Count of IPs |
|---|---|
| tencent.com | 1 |
| tier.net | 1 |
| mod.gov.uk (via a compromised account) | 1 |
| timeweb.ru | 1 |
| service.aliyun.com | 1 |
| dreamscapenetworks.com | 1 |
| chinaunicom.cn | 1 |
| datashack.net | 1 |
| hostzealot.com | 1 |
| lguplus.co.kr | 1 |
| servermania.com | 1 |
| virmach.com | 2 |
| hostwinds.com | 2 |
| amazon.com | 2 |
| webdock.io | 2 |
| microsoft.com | 5 |
| web.com | 5 |
| colocrossing.com | 5 |
| cloudflare.com | 10 |
| nttpc.co.jp | 11 |
| myhostadmin.net (hosting yahoo.com.cn) | 12 |
| google.com | 15 |
| 101domain.com | 28 |
| Grand Total | 110 |
An example of the Japanese template message these scammers send (original text, followed by an English translation):

```
日頃より「えきねっと」をご利用いただきありがとうございます。
「えきねっと」は 2022 年 8 月 24 日水にサービスをリニューアルいたしました。これに伴い、「えきねっと」利用規約・会員規約を変更し、最後にログインをした日より起算して2年以上「えきねっと」のご利用(ログイン)が確認できない「えきねっと」アカウントは、自動的に退会処理させていただくことといたしました。
なお、対象アカウントの自動退会処理を、本規約に基づき、2022 年 8 月 24 日水より順次、実施させていただきます。
2年以上ログインしていないお客さまで、今後も「えきねっと」をご利用いただける場合は、2022 年 9 月 01 日木よりも前に、一度ログイン操作をお願いいたします。
< eki-netop.3utilities.com/>
⇒ログインはこちら < ek1-nep.3utilities.com/>
※このメールは「えきねっと」より自動配信されています。
お問い合わせ先 jr東日本サポートセンター tel 050-2016-5000 受付時間 8時00分~22時00分
サイト運営・管理 「えきねっと」ステーション
なお、アカウントが退会処理された場合も、新たにアカウント登録(無料登録)していただくことですぐに「えきねっと」をご利用いただくことができますので、今後もご愛顧いただけますようよろしくお願いいたします。
頂いたご意見・ご要望にすべて回答をさしあげられない場合がございますので、ご了承ください。
ご不明な点のある方は、「えきねっと」サポートセンターまでご連絡ください。
copyright © jr east net station co.,ltd. all rights reserved.
```

English translation: "Thank you for using Eki-net. Eki-net renewed its service on Wednesday, 24 August 2022. In connection with this, we have changed the Eki-net terms of use and membership terms, and Eki-net accounts for which no use (login) can be confirmed for two years or more, counted from the date of the last login, will be deregistered automatically. Automatic deregistration of the affected accounts will be carried out in stages from Wednesday, 24 August 2022, in accordance with these terms. Customers who have not logged in for two years or more and wish to continue using Eki-net are asked to log in once before Thursday, 1 September 2022. < eki-netop.3utilities.com/> ⇒ Log in here < ek1-nep.3utilities.com/> * This e-mail was sent automatically by Eki-net. Contact: JR East Support Center, tel 050-2016-5000, hours 8:00 to 22:00. Site operation and management: Eki-net Station. Note that even if an account has been deregistered, you can use Eki-net again immediately by registering a new account (free registration), so we look forward to your continued patronage. Please understand that we may not be able to respond to every opinion or request received. If you have any questions, please contact the Eki-net Support Center. copyright © jr east net station co.,ltd. all rights reserved."
The links in the message are bounce links that bring the victim to a phish page hidden on a subdomain of a compromised website.
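The two tells described above (a HELO name that does not match the relay actually connecting, and bounce links on No-IP dynamic-DNS zones) can be checked mechanically. The script below is an added example written for this page, not part of Zifsoft Aggressor; it parses the Received lines of the header quoted above and scans a body excerpt for hosts under the listed zones. The sample header and body are constructed from the values shown on the page.

```python
import re

# Constructed sample: the two Received lines and the DKIM line from the header
# quoted above, unfolded one per line (values as they appear on the page).
SAMPLE_HEADER = """\
received: from 997645-cd48245.tmweb.ru 89.223.69.206:59212 helo=service.o121u.cn with esmtp exim 4.95 envelope-from <lmfp@service.o121u.cn> id 1oqmkh-00068e-6q wed, 24 aug 2022 17:32:22 +0800
dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mykey; d=service.o121u.cn;
received: from xnolqgl 20.222.121.4 by service.o121u.cn id h0no260001gb for ; wed, 24 aug 2022 12:31:27 +0300
"""

# Constructed excerpt of the body carrying the two bounce links shown on the page.
SAMPLE_BODY = (
    "「えきねっと」は 2022 年 8 月 24 日水にサービスをリニューアルいたしました。"
    "< eki-netop.3utilities.com/> ⇒ログインはこちら < ek1-nep.3utilities.com/>"
)

# Dynamic-DNS zones the page reports as hosting the phish page and payload.
DYNDNS_ZONES = ("servebeer.com", "servehttp.com", "servehalflife.com", "3utilities.com")

RECEIVED_RE = re.compile(
    r"^received: from (?P<host>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
    r"(?: helo=(?P<helo>\S+))?(?: .*?\bby (?P<by>\S+))?",
    re.MULTILINE,
)
HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def parse_received(header: str) -> list[dict]:
    """One dict per Received line, newest hop first: host, ip, helo, by."""
    return [m.groupdict() for m in RECEIVED_RE.finditer(header.lower())]


def helo_mismatches(hops: list[dict]) -> list[dict]:
    """Hops whose SMTP HELO name differs from the relay's own host name.

    SPF and DKIM still pass because the spammer controls service.o121u.cn;
    the tell is that the connecting relay (tmweb.ru) is not the HELO domain.
    """
    return [h for h in hops if h["helo"] and h["helo"] != h["host"]]


def dyndns_hosts(text: str) -> list[str]:
    """Host names in the body that fall under a listed dynamic-DNS zone."""
    found = set(HOST_RE.findall(text.lower()))
    return sorted(h for h in found if any(h == z or h.endswith("." + z) for z in DYNDNS_ZONES))


if __name__ == "__main__":
    for h in helo_mismatches(parse_received(SAMPLE_HEADER)):
        print(f"HELO {h['helo']} claimed by relay {h['host']} ({h['ip']})")
    print("bounce links on dynamic DNS:", dyndns_hosts(SAMPLE_BODY))
```

Real headers fold long fields over several lines and need RFC 5322 unfolding before this regex is applied; the sample is pre-unfolded to keep the example short.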

Conclusion: the workers.dev_scam is easy to spot: the same Japanese-worded scam template with bounce links to phish pages. What can you do? If you use Zifsoft Aggressor, the system attempts to shut every avenue the scammer uses to deliver the spam and reports the phish page to the registrar. If you don't use Zifsoft Aggressor, you can click the spam button so that workers.dev_scam goes to your spam bin.
The data is collected using Zifsoft Aggressor, an add-in module for email clients that performs a deep analysis of each email. With almost a million attack patterns, it is able to categorize a scam email with six sigma accuracy. Attack patterns comprise correlated spams and hacks (brute force attacks, malware uploads).