[ Sharing ] Where’s Wally! – Tracking where the victims came from.

I’ve written about shortened URLs four times: twice on this blog and twice on an older website that I no longer maintain.

I have seen recently that a lot of people still blindly click on shortened URLs that they see on Facebook, in forums or from “familiar names” on their smartphones.
Today I will do a quick post about two recent shortened URLs: what their purposes were and where the victims came from.

[ Case Study #1 ]
The first link, https://bitly[.]com/1TVH4va, leads to http://onedayonemillion[.]com/postdk[.]apk
This .apk file is actually MazarBot.

You can read more about MazarBot here:

As a lot has already been written about MazarBot, we also want to know more about the Bit.ly URL itself. The following Bit.ly URL shows the public statistics of the link, including where the victims came from:
https://bitly.com/1TVH4va+

As you can see from the image below, there were 5,037 clicks on this shortened URL since 25th May 2016, 4,569 of them on 25th May 2016 alone.
[image: Bit.ly click statistics for the 1TVH4va link]

8 of the clicks came from Facebook and 15 from forums, mobile apps, etc. The rest are direct, meaning the shortened URL itself was clicked, possibly from an SMS, WhatsApp, etc.
[image: Bit.ly referrer breakdown for the 1TVH4va link]

We can also see the geographical distribution of the victims who clicked on this shortened URL.
[image: Bit.ly geographical distribution of clicks for the 1TVH4va link]

Based on the image above, it seems that most of the people were from Denmark and some other parts of Europe.
One thing that puzzled me and got me curious… why is the author of MazarBot targeting Danish people?


[ Case Study #2 ]
The next shortened URL we will look at is https://bitly[.]com/22kQ0Am

Again, let’s check the statistics and find the final URL by appending “+” (without the double quotes), as shown here: https://bitly.com/22kQ0Am+
h–ps://bitly[.]com/22kQ0Am redirects to h–p://dl[.]dropboxusercontent[.]com/s/rlqrbc1211quanl/accountinvoice.htm
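Both case studies rely on the same two checks: appending “+” to a Bit.ly link to read its public statistics, and finding out where the short link redirects to without actually loading the destination. The script below is an added example (not code from the post) that does both in Python. It only sends HEAD requests and refuses to follow redirects automatically, so the destination page (an .apk or a phishing page here) is never fetched; the canned answers at the bottom are constructed to mirror the second case study and let the walk run offline.

```python
"""Expand a shortened link without loading its destination (added example)."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit, urlunsplit

SHORTENER_HOSTS = {"bitly.com", "bit.ly", "www.bitly.com"}
MAX_HOPS = 10


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp, h--p, h–p, [.]) back into a real URL."""
    url = url.replace("[.]", ".").replace("[:]", ":")
    for prefix in ("hxxp", "h--p", "h\u2013p"):
        if url.lower().startswith(prefix):
            url = "http" + url[len(prefix):]
    return url


def stats_url(short_url: str) -> str:
    """Bit.ly shows a link's public click statistics when '+' is appended."""
    parts = urlsplit(refang(short_url))
    if parts.netloc.lower() not in SHORTENER_HOSTS:
        raise ValueError("not a Bit.ly link: %s" % short_url)
    return urlunsplit((parts.scheme or "https", parts.netloc,
                       parts.path.rstrip("+") + "+", "", ""))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report a 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url: str):
    """One HEAD request, no redirect following, no body: (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=10) as resp:
            return resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def resolve_chain(url, head=http_head, max_hops=MAX_HOPS):
    """Walk Location headers hop by hop; returns every URL in the chain.

    `head` is a callable url -> (status, location) so the walk can be
    exercised offline with canned answers (see the demo below)."""
    chain = [refang(url)]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if location is None or not 300 <= status < 400:
            return chain
        nxt = urljoin(chain[-1], location)
        if nxt in chain:
            raise RuntimeError("redirect loop at %s" % nxt)
        chain.append(nxt)
    raise RuntimeError("more than %d hops" % max_hops)


# Constructed answers mirroring the post's second case study (no network used).
CANNED = {
    "https://bitly.com/22kQ0Am":
        (301, "http://dl.dropboxusercontent.com/s/rlqrbc1211quanl/accountinvoice.htm"),
}


def canned_head(url):
    return CANNED.get(url, (200, None))


if __name__ == "__main__":
    print(stats_url("https://bitly[.]com/22kQ0Am"))
    for hop in resolve_chain("h\u2013ps://bitly[.]com/22kQ0Am", head=canned_head):
        print("  ->", hop)
```

Run without the `head=canned_head` argument to query real servers; the loop and hop limits are there because redirect chains from shorteners routinely bounce through several trackers before the final host.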

Nice, the link is on Dropbox. Let’s download the page using wget or anything else you prefer.
I decided to use wget as I already have it on this particular machine.

I just did a quick wget to check what is inside this accountinvoice.htm and I got back the following:

You can change document.write to console.log or alert to get back the unescaped string. For the benefit of non-technical users, you can also go to http://meyerweb.com/eric/tools/dencoder/, paste the escaped string and decode it.
You should get back the following:

Great, it’s doing a redirect. Let’s do a base64 decode, and we should get back this:

Hmmmm… seems like it’s a phishing link rather than an exploit kit link, since the title is “Sign In”.
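The three manual steps above (unescape the document.write argument, spot the redirect, base64-decode what it points at, then read the title) can be done offline in one pass, without ever executing the page’s script. The following is an added example in Python, not the author’s code; it assumes the redirect carries the next layer as a data:text/html;base64 URI, since the real structure of accountinvoice.htm is not reproduced in the post, and it builds a constructed sample page with that structure so the decoder can be exercised on something concrete.

```python
"""Peel a document.write(unescape(...)) -> redirect -> base64 page (added example)."""
import base64
import re
from urllib.parse import unquote

DOC_WRITE = re.compile(
    r'document\.write\(\s*unescape\(\s*(["\'])(.*?)\1\s*\)\s*\)', re.S)
META_REFRESH = re.compile(
    r'http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>]+)',
    re.I | re.S)
LOCATION = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
TITLE = re.compile(r"<title>(.*?)</title>", re.I | re.S)


def js_unescape(s: str) -> str:
    """Same result as JavaScript's legacy unescape(): %uXXXX and %XX."""
    def repl(m):
        hexval = m.group(1) or m.group(2)
        return chr(int(hexval, 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, s)


def js_escape(s: str) -> str:
    """Inverse of js_unescape, used only to build the constructed sample."""
    out = []
    for ch in s:
        o = ord(ch)
        if (ch.isalnum() and o < 128) or ch in "@*_+-./":
            out.append(ch)
        elif o < 256:
            out.append("%%%02X" % o)
        else:
            out.append("%%u%04X" % o)
    return "".join(out)


def find_redirect(html: str):
    """Return the target of a meta refresh or a location assignment, if any."""
    m = META_REFRESH.search(html) or LOCATION.search(html)
    return m.group(1).strip() if m else None


def peel(page: str) -> dict:
    """Unwrap each layer and report the redirect target and final title."""
    layers = [page]
    m = DOC_WRITE.search(page)
    if m:                                   # layer 2: what document.write emits
        layers.append(js_unescape(m.group(2)))
    redirect = find_redirect(layers[-1])
    if redirect and redirect.lower().startswith("data:"):
        header, _, payload = redirect.partition(",")
        if ";base64" in header.lower():     # layer 3: the base64 body
            layers.append(base64.b64decode(payload).decode("utf-8", "replace"))
        else:
            layers.append(unquote(payload))
    t = TITLE.search(layers[-1])
    return {"layers": layers, "redirect": redirect,
            "title": t.group(1).strip() if t else None}


# Constructed sample with the assumed three-layer structure (not the real page).
INNER = ('<html><head><title>Sign In</title></head>'
         '<body>Please sign in to view the shared document.</body></html>')


def build_sample() -> str:
    b64 = base64.b64encode(INNER.encode()).decode()
    middle = ('<meta http-equiv="refresh" '
              'content="0;url=data:text/html;base64,%s">' % b64)
    return ('<html><body><script>document.write(unescape("%s"))'
            '</script></body></html>' % js_escape(middle))


if __name__ == "__main__":
    result = peel(build_sample())
    for i, layer in enumerate(result["layers"], 1):
        print("layer %d: %s..." % (i, layer[:60]))
    print("redirect:", (result["redirect"] or "")[:40])
    print("title:", result["title"])
```

Because nothing from the page is evaluated, this is safe to run on a sample pulled with wget; a missing layer simply leaves `redirect` or `title` as None, which is itself a hint that the page uses a different obfuscation than the one assumed here.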

As I don’t want to alert the phisherman too much, I tweaked my wget as follows:

After grabbing the page, we can see that it is indeed a “Google Drive” phishing page.
[image: the “Google Drive” phishing page served by accountinvoice.htm]

I hope this short post serves as a good reminder to everyone not to blindly click on shortened URLs unless you totally trust the source or have verified the link yourself.

Happy Reversing
Jacob Soo