Tap Link For More Information
So, it’s the middle of the day, I’m trying to focus on efficiently procrastinating when I get a text from a number I don’t recognize:
Amazon: Access attempt from Principe, Not approved. Tap link for more information.
There’s a link below, as promised. It’s not going to an amazon domain. Ok, obvious scam, but I really want to know where this is going. I won’t list the full URL here because it does not seem like it has been flagged yet, and I don’t want to be responsible for anyone (all three people who stumble across this blog per year) to accidentally get compromised. However, I think it’s fair to at least show the domain, especially since there are some interesting developments with it.
So, the text directed me here (partially censored): https://sigmaocantis.com.ar/XXX/amz-us-viewusserart.php. First off, what exactly is this page returning?
root@kali:~# curl https://sigmaoctantis.com.ar/XXX/amz-us-viewusserart.php | tidy -i
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9260 0 9260 0 0 14701 0 --:--:-- --:--:-- --:--:-- 14721
line 23 column 4243 - Warning: inserting implicit <p>
line 23 column 1386 - Warning: <img> attribute "height" has invalid value "auto"
line 23 column 4243 - Warning: trimming empty <p>
line 23 column 400 - Warning: <table> attribute "align" not allowed for HTML5
line 23 column 1061 - Warning: <td> attribute "align" not allowed for HTML5
line 23 column 2043 - Warning: <table> attribute "align" not allowed for HTML5
line 23 column 2724 - Warning: <td> attribute "align" not allowed for HTML5
line 23 column 3235 - Warning: <td> attribute "align" not allowed for HTML5
line 23 column 5754 - Warning: <td> attribute "align" not allowed for HTML5
line 23 column 6416 - Warning: <table> attribute "align" not allowed for HTML5
line 23 column 7161 - Warning: <td> attribute "align" not allowed for HTML5
Info: Document content looks like HTML5
Tidy found 11 warnings and 0 errors!
<!DOCTYPE html>
<html>
<head>
<meta name="generator" content=
"HTML Tidy for HTML5 for Linux version 5.6.0">
<title>Notice</title><!--[if !mso]><!-->
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<!--<![endif]-->
<meta http-equiv="Content-Type" content=
"text/html; charset=utf-8">
<meta name="viewport" content=
"width=device-width,initial-scale=1">
<style type="text/css">
#outlook a { padding:0; }
body { margin:0;padding:0;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%; }
table, td { border-collapse:collapse;mso-table-lspace:0pt;mso-table-rspace:0pt; }
img { border:0;height:auto;line-height:100%; outline:none;text-decoration:none;-ms-interpolation-mode:bicubic; }
p { display:block;margin:13px 0; }
</style><!--[if mso]>
<noscript>
<xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
<o:PixelsPerInch>96</o:PixelsPerInch>
</o:OfficeDocumentSettings>
</xml>
</noscript>
<![endif]--><!--[if lte mso 11]>
<style type="text/css">
.mj-outlook-group-fix { width:100% !important; }
</style>
<![endif]-->
<style type="text/css">
@media only screen and (min-width:480px) {
.mj-column-per-100 { width:100% !important; max-width: 100%; }
}
</style>
<style media="screen and (min-width:480px)">
.moz-text-html .mj-column-per-100 { width:100% !important; max-width: 100%; }
</style>
<style type="text/css">
[owa] .mj-column-per-100 { width:100% !important; max-width: 100%; }
</style>
<style type="text/css">
@media only screen and (max-width:480px) {
table.mj-full-width-mobile { width: 100% !important; }
td.mj-full-width-mobile { width: auto !important; }
}
</style>
</head>
<body style="word-spacing:normal;background-color:#F4F4F4;">
<div style="background-color:#F4F4F4;">
<!--[if mso | IE]><table align="center" border="0" cellpadding="0" cellspacing="0" class="" role="presentation" style="width:600px;" width="600" ><tr><td style="line-height:0px;font-size:0px;mso-line-height-rule:exactly;"><![endif]-->
<div style="margin:0px auto;max-width:600px;">
<table align="center" border="0" cellpadding="0" cellspacing=
"0" role="presentation" style="width:100%;">
<tbody>
<tr>
<td style=
"direction:ltr;font-size:0px;padding:20px 0;padding-bottom:0px;padding-top:0px;text-align:center;">
<!--[if mso | IE]><table role="presentation" border="0" cellpadding="0" cellspacing="0"><tr><td class="" style="vertical-align:top;width:600px;" ><![endif]-->
<div class="mj-column-per-100 mj-outlook-group-fix"
style=
"font-size:0px;text-align:left;direction:ltr;display:inline-block;vertical-align:top;width:100%;">
<table border="0" cellpadding="0" cellspacing="0"
role="presentation" style="vertical-align:top;"
width="100%">
<tbody>
<tr>
<td align="center" style=
"font-size:0px;padding:30px 21px 10px 21px;padding-top:30px;padding-right:21px;padding-bottom:10px;padding-left:21px;word-break:break-word;">
<table border="0" cellpadding="0"
cellspacing="0" role="presentation" style=
"border-collapse:collapse;border-spacing:0px;">
<tbody>
<tr>
<td style="width:190px;"><img alt=""
height="auto" src="amz.png" style=
"border:none;display:block;outline:none;text-decoration:none;height:auto;width:100%;font-size:13px;"
width="190"></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
<!--[if mso | IE]></td></tr></table><![endif]-->
</td>
</tr>
</tbody>
</table>
</div>
<!--[if mso | IE]></td></tr></table><table align="center" border="0" cellpadding="0" cellspacing="0" class="" role="presentation" style="width:600px;" width="600" bgcolor="#ffffff" ><tr><td style="line-height:0px;font-size:0px;mso-line-height-rule:exactly;"><![endif]-->
<div style=
"background:#ffffff;background-color:#ffffff;margin:0px auto;max-width:600px;">
<table align="center" border="0" cellpadding="0" cellspacing=
"0" role="presentation" style=
"background:#ffffff;background-color:#ffffff;width:100%;">
<tbody>
<tr>
<td style=
"direction:ltr;font-size:0px;padding:20px 0px 20px 0px;text-align:center;">
<!--[if mso | IE]><table role="presentation" border="0" cellpadding="0" cellspacing="0"><tr><td class="" style="vertical-align:top;width:600px;" ><![endif]-->
<div class="mj-column-per-100 mj-outlook-group-fix"
style=
"font-size:0px;text-align:left;direction:ltr;display:inline-block;vertical-align:top;width:100%;">
<table border="0" cellpadding="0" cellspacing="0"
role="presentation" style="vertical-align:top;"
width="100%">
<tbody>
<tr>
<td align="left" style=
"font-size:0px;padding:0px 25px 0px 25px;padding-top:0px;padding-bottom:0px;word-break:break-word;">
<div style=
"font-family:Arial, sans-serif;font-size:13px;letter-spacing:normal;line-height:1;text-align:left;color:#000000;">
<p class="text-build-content"
data-testid="OygNnWQOKIJ" style=
"margin: 10px 0; margin-top: 10px; margin-bottom: 10px;">
<span style=
"color:#55575d;font-family:Verdana;font-size:20px;line-height:22px;">
<b>Unusual activity
detected</b></span></p>
</div>
</td>
</tr>
<tr>
<td align="left" style=
"font-size:0px;padding:0px 25px 0px 25px;padding-top:0px;padding-bottom:0px;word-break:break-word;">
<div style=
"font-family:Arial, sans-serif;font-size:16px;letter-spacing:normal;line-height:1;text-align:left;color:#000000;">
<p class="text-build-content"
data-testid="rICMxIB8ypp" style=
"margin: 10px 0; margin-top: 10px;">
</p>
<p class="text-build-content"
data-testid="rICMxIB8ypp" style=
"margin: 10px 0;"><span style=
"font-size:16px;">Device : iPhon
SE</span></p>
<p class="text-build-content"
data-testid="rICMxIB8ypp" style=
"margin: 10px 0;"></p>
<p class="text-build-content"
data-testid="rICMxIB8ypp" style=
"margin: 10px 0;">IP Address :
(215.231.34.145)</p>
<p class="text-build-content"
data-testid="rICMxIB8ypp" style=
"margin: 10px 0;"> </p>
<p class="text-build-content"
data-testid="rICMxIB8ypp" style=
"margin: 10px 0;"><span style=
"font-size:16px;">your account has been
suspended</span></p><br>
<span style="font-size:16px;">Don't
recognize this activity ?</span>
<p class="text-build-content"
data-testid="rICMxIB8ypp" style=
"margin: 10px 0;">Of this wasn't you,
Please comp<span style=
"font-size:0px;">sffuxxr</span>lete your
account infor<span style=
"font-size:0px;">sffuxxr</span>mation.
</p>
<p class="text-build-content"
data-testid="rICMxIB8ypp" style=
"margin: 10px 0;">Visit the recovery
center here</p>
<p class="text-build-content"
data-testid="rICMxIB8ypp" style=
"margin: 10px 0; margin-bottom: 10px;">
<a class="link-build-content" style=
"color:inherit;; text-decoration: none;"
target="_blank" href=
"https://dejavusportswear.com/wp-content/XXX/XyDDiUl">
<span style=
"background-color:#ffffff;color:#1130de;font-family:Arial;font-size:17px;line-height:22px;">
<u>https://am<span style=
"font-size:0px;">sffuxxr</span>az<span style="font-size:0px;">sffuxxr</span>on.com/a/c/r/code6674336</u></span></a></p>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<!--[if mso | IE]></td></tr></table><![endif]-->
</td>
</tr>
</tbody>
</table>
</div>
<!--[if mso | IE]></td></tr></table><table align="center" border="0" cellpadding="0" cellspacing="0" class="" role="presentation" style="width:600px;" width="600" ><tr><td style="line-height:0px;font-size:0px;mso-line-height-rule:exactly;"><![endif]-->
<div class="mj-column-per-100 mj-outlook-group-fix" style=
"font-size:0px;text-align:left;direction:ltr;display:inline-block;vertical-align:top;width:100%;">
<table border="0" cellpadding="0" cellspacing="0" role=
"presentation" style="vertical-align:top;" width="100%">
<tbody>
<tr>
<td align="left" style=
"font-size:0px;padding:0px 20px 0px 20px;padding-top:0px;padding-bottom:0px;word-break:break-word;">
<div style=
"font-family:Arial, sans-serif;font-size:13px;letter-spacing:normal;line-height:1;text-align:left;color:#000000;">
<h1 class="text-build-content" style=
"text-align:center;; margin-top: 10px; margin-bottom: 10px; font-weight: normal;"
data-testid="5WTJo9xoJjeq"><span style=
"color:#55575d;font-family:Arial, Helvetica, sans-serif;font-size:13px;line-height:22px;">
<b>Contact Us | Privacy | Legal | Policy
Updates | Worldwide</b></span></h1>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<div style="margin:0px auto;max-width:600px;">
<table align="center" border="0" cellpadding="0" cellspacing=
"0" role="presentation" style="width:100%;">
<tbody>
<tr>
<td style=
"direction:ltr;font-size:0px;padding:20px 0px 20px 0px;text-align:center;">
<!--[if mso | IE]><table role="presentation" border="0" cellpadding="0" cellspacing="0"><tr><td class="" style="vertical-align:top;width:600px;" ><![endif]-->
<div class="mj-column-per-100 mj-outlook-group-fix"
style=
"font-size:0px;text-align:left;direction:ltr;display:inline-block;vertical-align:top;width:100%;">
<table border="0" cellpadding="0" cellspacing="0"
role="presentation" width="100%">
<tbody>
<tr>
<td style="vertical-align:top;padding:0;">
<table border="0" cellpadding="0"
cellspacing="0" role="presentation" width=
"100%">
<tbody>
<tr>
<td align="center" style=
"font-size:0px;padding:10px 25px;padding-top:0px;padding-bottom:0px;word-break:break-word;">
<div style=
"font-family:Arial, sans-serif;font-size:11px;letter-spacing:normal;line-height:22px;text-align:center;color:#000000;">
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
<!--[if mso | IE]></td></tr></table><![endif]-->
</td>
</tr>
</tbody>
</table>
</div><!--[if mso | IE]></td></tr></table><![endif]-->
</div>
</body>
</html>
I ran the output through tidy to help with readability. If you’re curious as to what this looks like when it’s rendered:
So, as far as phishing pages go, this one is not particularly well done. Typos abound, suspicous links, poor overall presentation. This is one of the first things that’s baffling to me. I’m not a phishing expert, but I have to imagine that your goal when social engineering someone is to make them jump through as few hoops as possible. You already have to get them to click on the link in the initial text, now you have to get them to click a second link? Why not include a fake login form here to make it easier for the user to surrender their info? At this point, the user might already be starting to get a weird feeling, maybe they’re starting to get nervous. Doesn’t it seem likely that they’d be bailing out right about now?
It should surprise no one that the link on this page does not go to amazon: https://dejavusportswear.com/XXX/XyDDiUl. Like the first URL, this one has been censored to remove some components of the path.
The other weird thing I noticed is these spans that aren’t displayed: <span style="font-size:0px;">sffuxxr</span>az<span style="font-size:0px;">sffuxxr</span>. What is the point of this? The font size stops the text from being rendered. It’s not part of the URL, so it can’t be something we’re sending to the next server. The text itself appears to be nonsense. Utterly bizarre.
These styles also caught my eye:
<style type="text/css">
#outlook a { padding:0; }
body { margin:0;padding:0;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%; }
table, td { border-collapse:collapse;mso-table-lspace:0pt;mso-table-rspace:0pt; }
img { border:0;height:auto;line-height:100%; outline:none;text-decoration:none;-ms-interpolation-mode:bicubic; }
p { display:block;margin:13px 0; }
</style><!--[if mso]>
<noscript>
<xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
<o:PixelsPerInch>96</o:PixelsPerInch>
</o:OfficeDocumentSettings>
</xml>
</noscript>
<![endif]--><!--[if lte mso 11]>
<style type="text/css">
.mj-outlook-group-fix { width:100% !important; }
</style>
<![endif]-->
Maybe this is common practice, but it seems odd to me that we have styles seemingly targetted explicitly at Outlook. Maybe this page has been repurposed and can also function as a typical email scam. This might explain why it doesn’t seem to fit the mobile approach. If this was originally a phishing email, opening the message would (for me at least) have me less on guard than first getting a strange text, clicking on link and then being asked to click on another.
One interesting thing: the ip address that has supposedly tried to access my amazon account is 215.231.34.145
└─$ whois 215.231.34.145
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2022, American Registry for Internet Numbers, Ltd.
#
NetRange: 215.0.0.0 - 215.255.255.255
CIDR: 215.0.0.0/8
NetName: DNIC-NET-215
NetHandle: NET-215-0-0-0-1
Parent: ()
NetType: Direct Allocation
OriginAS:
Organization: DoD Network Information Center (DNIC)
RegDate: 1998-06-05
Updated: 2021-12-14
Ref: https://rdap.arin.net/registry/ip/215.0.0.0
OrgName: DoD Network Information Center
OrgId: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
RegDate:
Updated: 2011-08-17
Ref: https://rdap.arin.net/registry/entity/DNIC
OrgAbuseHandle: REGIS10-ARIN
OrgAbuseName: Registration
OrgAbusePhone: +1-844-347-2457
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/REGIS10-ARIN
OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-844-347-2457
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/REGIS10-ARIN
OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-844-347-2457
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/MIL-HSTMST-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2022, American Registry for Internet Numbers, Ltd.
#
Apparently, the Department of Defense is trying to hack my amazon account. I had no idea I was this important. Maybe the number of energy drinks I’ve ordered has tripped some kind of analytics and now I’m on their radar. 💀
$> Whoarethey
So, whatever this scam is, it appears to invovle multiple fronts/compromised sites. Lets look at the first domain we visited, the one that’s displaying the terrible “suspicious activity” page.
$ whois sigmaoctantis.com.ar
% La información a la que estás accediendo se provee exclusivamente para
% fines relacionados con operaciones sobre nombres de dominios y DNS,
% quedando absolutamente prohibido su uso para otros fines.
%
% La DIRECCIÓN NACIONAL DEL REGISTRO DE DOMINIOS DE INTERNET es depositaria
% de la información que los usuarios declaran con la sola finalidad de
% registrar nombres de dominio en ‘.ar’, para ser publicada en el sitio web
% de NIC Argentina.
%
% La información personal que consta en la base de datos generada a partir
% del sistema de registro de nombres de dominios se encuentra amparada por
% la Ley N° 25326 “Protección de Datos Personales” y el Decreto
% Reglamentario 1558/01.
domain: sigmaoctantis.com.ar
registrant: 20207099598
registrar: nicar
registered: 2005-08-09 00:00:00
changed: 2021-07-12 12:07:17.749065
expire: 2022-08-09 00:00:00
contact: XXX
name: XXX
registrar: nicar
created: 2013-12-27 00:00:00
changed: 2022-05-09 12:21:59.501661
nserver: ns1.godns.net ()
nserver: ns2.godns.net ()
registrar: nicar
created: 2016-07-01 01:06:11.967485
I know this public info, but I went ahead and remove the contact and name. We can at least see from this that the site has been registered for quite some time. If we try to visit the site directly, it seems like it is experiencing technical issues.
I am guessing this site has been compromised and the malicious actors have installed the fake “suspicious activity” page. I’m curious, how long has this page been like this? Lets take a trip to the wayback machine. After entering the URL and searching back through their records, the first time I could find a crawl that did not show the same error message was in early 2019. It appears to be something dedicated to astronomy. I can’t really verify the content since it’s not my native language, but the content seems to be pretty legit.
Lets also try a quick Google and see what comes up.
There are a few PDFs that appear to be reachable. More astronomy content as far as I can tell, looks real.
Step two
Alright, so we aren’t really getting much from the first link other than that it’s probably just someone unlucky enough to have their site hijacked for nerfarious purposes. Where does the suspicious “amazon” link go?
$ whois dejavusportswear.com
Domain Name: DEJAVUSPORTSWEAR.COM
Registry Domain ID: 2661924980_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.nicproxy.com
Registrar URL: http://https://nicproxy.com/
Updated Date: 2022-01-21T09:40:57Z
Creation Date: 2021-12-15T19:42:52Z
Registry Expiry Date: 2022-12-15T19:42:52Z
Registrar: Nics Telekomunikasyon A.S.
Registrar IANA ID: 1454
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +90 212 213 2963
Domain Status: ok https://icann.org/epp#ok
Name Server: NS10.HOSTLAB.NET.TR
Name Server: NS9.HOSTLAB.NET.TR
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2022-05-28T18:19:45Z <<<
The nameservers appear to be from a turkish domain. The default landing page for the domain appears to be a wordpres site that has absolutely no data. It’s just a default install of a generic clothing shop, complete with some sections of the site still using lorem ipsum for text content.
This is just the top level domain though, what about the full path of the malicous link. Weirdly, it redirects me to Amazon… To a page that doesn’t seem to exist.
root@kali:~# curl -vv https://dejavusportswear.com/XXX/XyDDiUl* Trying 116.202.49.200:443...
* Connected to dejavusportswear.com (116.202.49.200) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
* subject: CN=dejavusportswear.com
* start date: May 23 11:08:44 2022 GMT
* expire date: Aug 21 11:08:43 2022 GMT
* subjectAltName: host "dejavusportswear.com" matched cert's "dejavusportswear.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* h2h3 [:method: GET]
* h2h3 [:path: /XXX/XyDDiUl]
* h2h3 [:scheme: https]
* h2h3 [:authority: dejavusportswear.com]
* h2h3 [user-agent: curl/7.83.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55a4ce127610)
> GET /XXX/XyDDiUl HTTP/2
> Host: dejavusportswear.com
> user-agent: curl/7.83.0
> accept: */*
>
< HTTP/2 302
< location: https://www.amazon.com/ap/signin
< content-type: text/html; charset=UTF-8
< content-length: 0
< date: Sat, 28 May 2022 18:26:51 GMT
< server: LiteSpeed
< cache-control: no-cache, no-store, must-revalidate, max-age=0
< alt-svc: quic=":443"; ma=2592000; v="39,43,46", h3-Q039=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-23=":443"; ma=2592000, h3-24=":443"; ma=2592000
<
* Connection #0 to host dejavusportswear.com left intact
We can see that when we attempt to access the URL, we get redirected to https://www.amazon.com/ap/signin. Trying to access this will get a 404.
root@kali:~# curl -vv --output - https://www.amazon.com/ap/signin
...snip...
> GET /ap/signin HTTP/2
> Host: www.amazon.com
> user-agent: curl/7.83.0
> accept: */*
>
< HTTP/2 404
< server: Server
< content-type: text/html;charset=UTF-8
< x-amz-rid: 2Z8Z035QF3FSHP5KTW92
< x-xss-protection: 1
< x-content-type-options: nosniff
< x-ua-compatible: IE=edge
< pragma: No-cache
< cache-control: max-age=0, no-cache, no-store, must-revalidate
< expires: Thu, 01 Jan 1970 00:00:00 GMT
< strict-transport-security: max-age=47474747; includeSubDomains; preload
< vary: Content-Type,Accept-Encoding,X-Amzn-CDN-Cache,X-Amzn-AX-Treatment,User-Agent
< p3p: policyref="http://www.amazon.com/w3c/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC "
< x-frame-options: SAMEORIGIN
< permissions-policy: interest-cohort=()
< nel: { "report_to": "nel", "max_age": 3600, "success_fraction": 0.0, "failure_fraction": 1.0 }
< report-to: {"group": "nel", "max_age": 3600, "endpoints": [{ "url": "https://primary.prod.flex.frontier.a2z.com/nel"}, { "url": "https://secondary.prod.flex.frontier.a2z.com/nel"}]}
< date: Sat, 28 May 2022 18:31:14 GMT
< content-length: 1944
<
This threw me initially, but the last time I tried to analyze a phishing scam it seemed like the backend tried to hide itself by reidrecting to a legitimate site when it did not recognize the user agent of the client. However, I have attempted to fetch page using many different UA strings, from windows, linux, mobile, Chrome, Firefox, Safari… You name a browser, I probably have tried some variation of the UA, but still, I continue to get the redirect back to the amazon page.
I don’t have a nice conclusion for this one. Seems like a lot of odd things going on here and it feels a bit like a fish hook stuck in my brain. I’ve been keeping an eye on the dejavusportswear.com url for several days, checking the URL at different times and with variations in the header content to see if I can get a different response, but no new behavior has been observed. In the event I do stumble across additional info, I’ll update the blog accordingly. No doubt in 6 months or more.