• The spam emails contained PDF attachments with links that redirect to fake adult dating sites.
  • One of the redirects showed a mysterious message “follow the white rabbit”, a famous reference in pop culture.

An unusual form of spam campaign has surfaced in the cyberspace. In this phishing campaign, the spam email contains attachments with links that redirect to fake adult dating sites. Some links also impersonate the popular dating site Ashley Madison with their own fraudulent version.

Security site Bleeping Computer reported details of the spam mails observed in this campaign. A sample received by the site shows that the email comes from a user named Gell with an address info@reeedirect[.]ru. Subject lines in the mail consist of random names.

At the bottom of the email, there is an attachment in PDF form. If users click on the links present in the PDF attachment, it initiates a series of redirects which ultimately takes them to a fake adult dating site.

Following the white rabbit

Among these redirects is an URL ‘http://r2[.]red123[.]ru/’ that shows the mysterious message ‘follow the white rabbit’. This URL actually redirects to the Ashley Madison website that looks almost legitimate, but of course it is a fake.

Similarly, users are directed to other fake adult dating sites. All of this is done to steal information from users.

7 malicious IP addresses

Cybersecurity expert Daniel Gallagher analyzed this campaign and listed 7 main IP addresses that link to more than 4000 spam domains. These IP addresses are as follows.

  • 34.194.20[.]115
  • 52.211.95[.]198
  • 34.210.90[.]78
  • 52.32.148[.]184
  • 52.27.20[.]17
  • 52.5.47[.]11
  • 52.30.14[.]56

It is recommended for all users to remain vigilant and avoid opening any suspicious emails and the attachments in them, especially when the email comes from an unknown source.

Cyware Publisher