Just received a scam message from what appeared to be Qantas (it arrived from the same number that had sent legitimate boarding messages for previous flights). The message read:
, you’ve won our mystery box this week – please use the link to schedule the delivery. http://www.b7.ai/s/2xl0lc/4uf BBL.
Fetching the link with a command-line tool (the log below is wget output) instead of opening it in a browser reveals a chain of redirects that ends at a page asking you to complete a survey first, and the survey requires entering your details. Do this from a disposable machine, not your own: every tracking hop in the chain logs whoever follows the link.
WARNING: If it's really Qantas, they already know who you are. Why do they need any of your details again for the survey? DON'T PARTICIPATE! Note also that an SMS sender name is not authenticated: anyone sending bulk messages can set the same sender ID, which is why the scam lands in the same conversation thread as the genuine boarding messages.
Anyway, here is the log of where it goes, along with the contents of the file it finally downloads.
Log showing what it does:
--2018-11-07 11:56:53--  http://www.b7.ai/s/2xl0lc/4uf
Resolving www.b7.ai (www.b7.ai)... 109.207.77.88
Connecting to www.b7.ai (www.b7.ai)|109.207.77.88|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://go.batophor.com/ts3089-sms-qantas-au-5 [following]
--2018-11-07 11:56:54--  http://go.batophor.com/ts3089-sms-qantas-au-5
Resolving go.batophor.com (go.batophor.com)... 198.13.62.193
Connecting to go.batophor.com (go.batophor.com)|198.13.62.193|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://go.batophor.com/ts3089-sms-qantas-revs-au [following]
--2018-11-07 11:56:54--  http://go.batophor.com/ts3089-sms-qantas-revs-au
Connecting to go.batophor.com (go.batophor.com)|198.13.62.193|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://x.newsmouse.club/go/f65a8fd5-383d-47dc-8ed0-59450453dbb5?cpv=&clickid=1541554015.53-153741405-24909&camp=XX684&keyword=ts3089-sms-qantas-revs-au&category=&systarget=ts3089-sms-qantas-revs-au&sid=153741405&cid=&geo=AU&source=HT-EC [following]
--2018-11-07 11:56:55--  https://x.newsmouse.club/go/f65a8fd5-383d-47dc-8ed0-59450453dbb5?cpv=&clickid=1541554015.53-153741405-24909&camp=XX684&keyword=ts3089-sms-qantas-revs-au&category=&systarget=ts3089-sms-qantas-revs-au&sid=153741405&cid=&geo=AU&source=HT-EC
Resolving x.newsmouse.club (x.newsmouse.club)... 104.27.166.1, 104.27.167.1, 2606:4700:30::681b:a601, ...
Connecting to x.newsmouse.club (x.newsmouse.club)|104.27.166.1|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://talongo.com/go/run-gojs.php?url=https://talongo.com/in-v8-au-bem-go.php&tracker=x.newsmouse.club&keyword=ts3089-sms-qantas-revs-au&region=&carrier=%7Bcarrier%7D&model=%7Bmodel%7D&brand=%7Bbrand%7D&camp=XX684&cc=au&wid=genx01-au&sound=silent&xid=eyJ0aW1lc3RhbXAiOiIxNTQxNTU0MDE3IiwiaGFzaCI6IjdlMzVmY2IzM2NkNDVkMDY1OTMyZGViMTBhOTEzN2NjMjE5ZmU1NmQifQ%3D%3D&bemobdata=c%3Df65a8fd5-383d-47dc-8ed0-59450453dbb5..f%3D14fde457-a775-4548-b5e1-bd449e0afc95..a%3D0..b%3D0..e%3D1541554015.53-153741405-24909..c1%3DXX684..c2%3Dts3089-sms-qantas-revs-au..c4%3Dts3089-sms-qantas-revs-au..c5%3D153741405..c7%3DAU..c8%3DHT-EC..c10%3Dx.newsmouse.club [following]
--2018-11-07 11:56:57--  https://talongo.com/go/run-gojs.php?url=https://talongo.com/in-v8-au-bem-go.php&tracker=x.newsmouse.club&keyword=ts3089-sms-qantas-revs-au&region=&carrier=%7Bcarrier%7D&model=%7Bmodel%7D&brand=%7Bbrand%7D&camp=XX684&cc=au&wid=genx01-au&sound=silent&xid=eyJ0aW1lc3RhbXAiOiIxNTQxNTU0MDE3IiwiaGFzaCI6IjdlMzVmY2IzM2NkNDVkMDY1OTMyZGViMTBhOTEzN2NjMjE5ZmU1NmQifQ%3D%3D&bemobdata=c%3Df65a8fd5-383d-47dc-8ed0-59450453dbb5..f%3D14fde457-a775-4548-b5e1-bd449e0afc95..a%3D0..b%3D0..e%3D1541554015.53-153741405-24909..c1%3DXX684..c2%3Dts3089-sms-qantas-revs-au..c4%3Dts3089-sms-qantas-revs-au..c5%3D153741405..c7%3DAU..c8%3DHT-EC..c10%3Dx.newsmouse.club
Resolving talongo.com (talongo.com)... 104.24.119.246, 104.24.118.246, 2606:4700:30::6818:76f6, ...
Connecting to talongo.com (talongo.com)|104.24.119.246|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘4uf’

4uf                 [ <=>                ]   1.13K  --.-KB/s    in 0s

2018-11-07 11:56:58 (3.94 MB/s) - ‘4uf’ saved [1154]
Contents of the file ‘4uf’ (the final 200 OK response from talongo.com). It is not the survey page itself: the body is a stub whose JavaScript immediately redirects to https://talongo.com/in-v8-au-bem-go.php with an opaque eps parameter, one more hop that wget does not take because it never executes scripts.
<head>
<script type='text/javascript'>
function forward(){
  window.location.replace('https://talongo.com/in-v8-au-bem-go.php?eps=8mgsTi6ekAuQ70TL7yZEd7dc6BxvuGCISTUX9vp0%2BqX2PSdhDuk4koSXd%2FHX4h9luAH%2BvvaKHmwAE1Je2%2BxWrB4ors1vKP%2F95MZhdgsQDvbSFG66C8%2BQgi27V76YW9qZbrcRJHgb1ywOhR1A2xU%2F5%2FxzYIni7EqFJ7eW0Pbe22TEpCPCIysOhDz8d3u4dUpDIQpCJ%2FSJX%2FmKCQJJ0lbyhgzix%2FpHXzYcRlwx9AaWOmAX1hv1XRYRoce5288Kh9kfjY5THMCexvncqYNGiABXNcrPEPvJtivFrhm956MBGwMQro%2B905SGjRkNfmR42QfnoTVp9SrqHQUm2%2BLnMR9llKivTAVbyVMdi9QLBw18fHrK5IRSRKDsyftDZWCVuCypqxbtTL0lmB3XEquKarGGU28qW%2F36boQu7T2EJg0XEJ9EsG%2FwCqJ2t0GPPljsuv4RFDIqVsiNvrHSZ08m9DWUg4oH4n2%2FTTVcteEXd0BgZkyB3S06Y%2FoIzrEj6CG4%2FhwZkWX7nNoTtZjTSjyqHQx2uSoW6fyzD8g2%2BGWqLJRxRhBVC2qRtPfy8NoCd2LhxwG6%2B2W6PTaPsqJxmWGMsCGfv5%2BowXbez9f%2Bca4f4q6tbNhb2nNvJltUmC%2FFGeaf1JcLPJGT0T12c1dkMYoyAISIxBo%2FFj0NRcqA6o9r0mZEFsPUPTurWW7bYyCtvuuvGzJZN2YEq2fO7IhmMmgITNdz%2FARKd16N3puAGmUXLCWSnb%2BWdESTpcdd6h0eBz6ARPBcH3m9QYYfOZVoyBiXwVQQtOzxCtxVmD1igyChXOR2SU%2B3IybUx0sU6UYdcl7ONYBKgRGUeBJTEPKwuJYSKqrOQM3S%2FVBFgs%2F6CEyRNCDBojM9olfSjn6dYqlNfMYGHSBd');
}
</script>
</head>
<body onload='setTimeout(forward, 0);'>
</body>
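The same investigation as a script, added here as an example and not part of the original post or any of the sites involved. It walks the redirect chain one request at a time with automatic redirects switched off (so every hop is recorded, as in the wget log), pulls the JavaScript redirect out of the final page that wget cannot follow, and decodes the tracker parameters that ride along in the talongo.com URL: `xid` is base64 JSON carrying a Unix timestamp and a hash, and `bemobdata` is a `..`-joined list of key=value pairs. The network is replaced by a constructed in-memory fetcher replaying the hostnames and status codes from the log above, with the query strings trimmed and the `eps` value truncated; the `urllib_fetch` function is the live equivalent, and `HOP1`..`HOP5`, `SAMPLE_RESPONSES` and `sample_fetch` are names chosen for this example.

```python
"""Added example, not the post's own tooling: replay the redirect chain from the log above one
request per hop, with no browser, then pull the JavaScript redirect and the tracker's own query
parameters out of the final page. fetch(url) is a callback, so it runs offline; urllib_fetch() is live."""
import base64
import json
import re
import urllib.error
import urllib.request
from datetime import datetime, timezone
from urllib.parse import parse_qs, urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10  # a longer chain is a finding in itself, not something to keep following
# location = '...', location.href = '...', location.replace('...'), location.assign('...')
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.)?location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*['"]([^'"]+)['"]""")

def follow_redirects(url, fetch, max_hops=MAX_HOPS):
    """Walk Location headers by hand; returns ([(url, status, location), ...], final_body)."""
    hops, seen, current = [], set(), url
    while len(hops) < max_hops:
        if current in seen:
            raise RuntimeError(f"redirect loop at {current}")
        seen.add(current)
        status, location, body = fetch(current)
        hops.append((current, status, location))
        if status not in REDIRECT_CODES or not location:
            return hops, body
        current = urljoin(current, location)  # Location may be relative
    raise RuntimeError(f"gave up after {max_hops} redirects")

def extract_js_redirect(html):
    """Target of the first JavaScript redirect in the page (wget never executes it), or None."""
    match = JS_REDIRECT.search(html)
    return match.group(1) if match else None

def decode_tracking(url):
    """Expand the tracker parameters seen in the log: base64 JSON in 'xid', '..'-joined pairs in 'bemobdata'."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
    info = {"params": params}
    if "xid" in params:
        raw = base64.b64decode(params["xid"] + "=" * (-len(params["xid"]) % 4))
        info["xid"] = json.loads(raw) if raw[:1] == b"{" else raw.decode("latin-1")
        stamp = info["xid"].get("timestamp", "") if isinstance(info["xid"], dict) else ""
        if str(stamp).isdigit():  # the trackers use Unix epoch seconds
            info["xid_time_utc"] = datetime.fromtimestamp(int(stamp), timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    if "bemobdata" in params:
        info["bemobdata"] = dict(p.split("=", 1) for p in params["bemobdata"].split("..") if "=" in p)
    return info

def analyse(url, fetch):
    """HTTP hops, then the JS hop, then whatever the tracker put in its query string."""
    hops, body = follow_redirects(url, fetch)
    return {"hosts": [urlsplit(h[0]).hostname for h in hops], "hops": hops,
            "js_redirect": extract_js_redirect(body), "tracking": decode_tracking(hops[-1][0])}

def urllib_fetch(url, timeout=10):
    """Live fetcher: one request with automatic redirects disabled, so every hop gets logged."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # urllib then raises HTTPError for the 3xx instead of following it
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), ""

# Constructed replay of the chain in the log above (query strings trimmed, 'eps' value truncated).
HOP1 = "http://www.b7.ai/s/2xl0lc/4uf"
HOP2 = "http://go.batophor.com/ts3089-sms-qantas-au-5"
HOP3 = "http://go.batophor.com/ts3089-sms-qantas-revs-au"
HOP4 = "https://x.newsmouse.club/go/f65a8fd5-383d-47dc-8ed0-59450453dbb5?geo=AU&source=HT-EC"
HOP5 = ("https://talongo.com/go/run-gojs.php?url=https://talongo.com/in-v8-au-bem-go.php&tracker=x.newsmouse.club"
        "&xid=eyJ0aW1lc3RhbXAiOiIxNTQxNTU0MDE3IiwiaGFzaCI6IjdlMzVmY2IzM2NkNDVkMDY1OTMyZGViMTBhOTEzN2NjMjE5ZmU1NmQifQ%3D%3D"
        "&bemobdata=c%3Df65a8fd5-383d-47dc-8ed0-59450453dbb5..e%3D1541554015.53-153741405-24909..c1%3DXX684..c7%3DAU..c10%3Dx.newsmouse.club")
FINAL_HTML = ("<head><script type='text/javascript'>function forward(){ window.location.replace("
              "'https://talongo.com/in-v8-au-bem-go.php?eps=8mgsTi6ekAuQ70TL7yZEd7dc'); }</script></head>"
              "<body onload='setTimeout(forward, 0);'></body>")
SAMPLE_RESPONSES = {HOP1: (302, HOP2, ""), HOP2: (302, HOP3, ""), HOP3: (302, HOP4, ""),
                    HOP4: (302, HOP5, ""), HOP5: (200, None, FINAL_HTML)}  # url -> (status, Location, body)

def sample_fetch(url):
    """Offline fetcher for the constructed chain; anything unknown is a dead end."""
    return SAMPLE_RESPONSES.get(url, (404, None, ""))

if __name__ == "__main__":
    report = analyse(HOP1, sample_fetch)
    for hop_url, status, location in report["hops"]:
        print(status, hop_url, "->", location or "(final page, JS redirect to %s)" % report["js_redirect"])
    print("xid:", report["tracking"].get("xid"), "at", report["tracking"].get("xid_time_utc"), "UTC")
    print("bemobdata:", report["tracking"].get("bemobdata"))
```

Running it against the replay shows five hosts, four 302s and a 200, then the JS hop. The `xid` from the log decodes to `{"timestamp":"1541554017","hash":"7e35fcb3…"}`, and that timestamp is 2018-11-07 01:26:57 UTC, the second the talongo.com request was made (the log's 11:56:57 is local time), so the tracker is stamping each click on the way through. To run it live, pass `urllib_fetch` instead of `sample_fetch`, and do so from a throwaway VM: the `carrier`, `model` and `brand` placeholders in the talongo.com URL show the chain is built to fingerprint the device that follows it, and every hop sees your IP address.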