From Russia with … exploited websites?

Just like millions of other men and women worldwide, I keep seeing letters that appear to come from some lonely Russian girls. The amount of spam of this nature seems to have increased significantly in the last few days.

Hello :) I'm unmarried girl from Russia and look for contacts. My name is Endgel and I'm 31 y.o.

See my image at my home page. Need you! ;)

I realize that “Endgel” couldn’t possibly know that I am already married to a Russian girl… I’m also not going to question her spelling, even though “Endgel” is hardly a good name for a lady. But I do not appreciate the fact that Endgel’s “home page” is hidden behind a number of compromised web servers around the world. So, I decided to take a closer look at what is behind the scenes.

The link in the e-mail took me to a site owned by some manufacturing representatives for military and commercial electronics. Only this time it was “owned” by “Endgel’s representatives”, who planted a new page there that redirects you to a dating site:

[Image: dating.png]

The website is hosted in China. I was also not surprised to find out that the link to unsubscribe did not take me anywhere…

This website is just a traffic generator for an online dating agency called TopLop. It’s easy to understand how this scheme works by visiting their “Affiliates” section:

[Image: toplop.png]

So, we all receive spam advertising this agency, but the agency itself is not responsible for it. At least not directly. They just pay the “highest commission” to the spammers. Tricky…

But let's go back a bit… If you go to the root page of the compromised site linked in the spam, you'll see a little JS code added to the bottom of the home page. The code is heavily obfuscated, but when it runs it sends the following to your browser:

[Image: js1.jpg]

The above site sends you yet another piece of heavily obfuscated JS code:

[Image: js2.jpg]

With this content behind:

[Image: js3.jpg]

I believe that all this redirection scripting was set up so that the spammer could count the website visitors and record their IPs.
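For a site owner, one way to check a home page for the kind of injection described above (an obfuscated inline script appended at the bottom) is sketched here as an added example, not code from the original post. The marker list, the thresholds and both sample pages are assumptions constructed for illustration; the encoded payload is an inert string.

```python
import re

# Heuristic markers common in packed JavaScript (an assumed list, not taken from the post)
MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
CLOSERS_RE = re.compile(r"</\w+\s*>|\s+")

def is_at_bottom(html, end):
    """True when only closing tags and whitespace follow the script."""
    return CLOSERS_RE.sub("", html[end:]) == ""

def score_script(body):
    """Return (score, marker hits) for one inline script body."""
    hits = [m for m in MARKERS if m in body]
    # Packed payloads tend to be one very long token with no whitespace
    longest = max((len(tok) for tok in body.split()), default=0)
    # Share of the body made up of %XX, \xXX or \uXXXX escapes
    escaped = sum(len(e) for e in ESCAPE_RE.findall(body)) / max(len(body), 1)
    return len(hits) + (longest > 200) + (escaped > 0.5), hits

def scan_page(html, threshold=2):
    """List inline scripts at the bottom of the page that look obfuscated."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1).strip()
        if not body or not is_at_bottom(html, m.end()):
            continue
        score, hits = score_script(body)
        if score >= threshold:
            findings.append({"offset": m.start(), "markers": hits, "score": score})
    return findings

# Constructed samples: an inert string, percent-encoded the way packers do it
_payload = "".join("%%%02x" % ord(c) for c in 'var note = "constructed sample";' * 8)
CLEAN = ("<html><body><h1>Products</h1>\n"
         "<script>document.write(new Date().getFullYear());</script>\n"
         "</body></html>")
INFECTED = CLEAN.replace("</body>", '<script>eval(unescape("%s"));</script>\n</body>' % _payload)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, scan_page(page))
```

A heuristic like this produces leads for manual review; comparing the served page against a known-good copy from version control or backup is the more reliable check.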