Attachments with malicious links redirecting users to phony adult dating sites are being used in a new phishing campaign. A few of the links will send a user to replicated Ashley Madison pages. The username behind these messages is Gell, who is using info@reeedirect[.]ru to blast them out. Random names are being used in the subject line of the emails. At the end of the email is where the PDF attachment is located and if the user clicks on it, it will take them to the adult sites through a series of redirects. While redirecting, a URL http://r2[.]red123[.]ru/ is visited and it contains the message “follow the white rabbit” which ultimately sends the user to the replicated Ashley Madison page. Seven different IP’s were used to send users to over 4,000 different spam domains. The main IP’s listed were 34.194.20[.]115, 52.211.95[.]198, 34.210.90[.]78,52.32.148[.]184, 52.27.20[.]17, 52.5.47[.]11, and 52.30.14[.]56.
Analyst Notes
Users should stay on the lookout for this campaign, and not open mail from suspicious sources before it is verified–especially if the email contains an attachment. If a user finds that they have been targeted by this campaign, they should inform network administrators to enable the proper responses to this incident.
