Wednesday, September 28, 2011

Phishing Phindings

Today I received a phishing email trying to get my mail username and password. The attacker was assuming several things, including that I use webmail to check my email.

Let's take a look at this attack and see what we can find out from this email.

First, we are going to look at the full headers of the email. The headers give us information about the sender, the route, and the recipient of the email.



<original message>

Return-path: <shenningdong@96818.com.cn> <-- The return path is from a Chinese domain

Delivery-date: Tue, 27 Sep 2011 01:07:44 -0400

Received: from vhosting2.netsite.com.br (189-112-034-215.static.netsite.com.br [189.112.34.215]) <-- The host that is being used to relay this phishing attempt is in Brazil

by mx.xxxx.xxx (node=mxus1) with ESMTP (Nemesis) id 0LfDKC-1QolSp32eO-00pH6z for user@target_domain.com; Tue, 27 Sep 2011 01:07:44 -0400

Received: from vhosting2.netsite.com.br (unknown [127.0.0.1]) by vhosting2.netsite.com.br (Postfix) <- The relay is using Postfix

with ESMTP id EB964EC1D7; Tue, 27 Sep 2011 01:32:11 +0000 (UTC)
Received-spf: none (no valid SPF record)

Received: from User (unknown [151.83.78.83]) <- IP originates from Milan, Italy
by vhosting2.netsite.com.br (Postfix) with ESMTP; Tue, 27 Sep 2011 01:32:11 +0000 (UTC)

Reply-to: <switchwebmail@webname.com> <- Registered to World Media in New Jersey and is NOT my hosting provider.

From: Webmaster <shenningdong@96818.com.cn> <- Chinese domain
Subject: Email Shutdown Notice
Date: Tue, 27 Sep 2011 03:32:10 +0200 (09/26/2011 08:32:10 PM)
Mime-version: 1.0
Content-type: text/plain; charset="Windows-1251"
Content-transfer-encoding: 7bit
X-priority: 3
X-msmail-priority: Normal

X-mailer: Microsoft Outlook Express 6.00.2600.0000 <- The attacker runs Windows

X-mimeole: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-id: <20110927013211.EB964EC1D7@vhosting2.netsite.com.br> <- Again, Brazil

To: undisclosed-recipients : ;
Envelope-to: user@target_domain.com
X-evolution-source: imap://user%40target_domain.com@imap.target_domain.com/

Now, let's dig through the body of the message to see what we can find...

Dear Webmail User,


This message is from the Webmail Support team to all email users. We are currently carrying out an upgrade on our system, hence it has come to our notice that one of our subscribers Infected our Network with a worm like virus and it is affecting Our database.


Apparently the "Webmail Support team" is different from the email team, although it would seem that the Webmail team speaks for both. Right off the bat, this email appears disjointed.

Capital letters out of place ("Infected", "Network" and "Our").

Upgrades don't let you know that you have a virus, per se.

There is a "worm like virus and it is affecting Our database." This sentence alone raises a red flag due to its structure.

We are also having congestions due to the anonymous registration of email accounts, so we are shutting down email accounts deemed to be inactive. Your email account is listed among those requiring update.

Misspellings and improper grammar are signs that an email is not legitimate (i.e., "having congestions" and "requiring update").

Why the mention of anonymous email accounts? If they offer a service like Gmail, etc. then all of their clientèle would be anonymous. A pay service would typically not host anonymous accounts. My server is hosted by a company that I pay to host it. There are no anonymous accounts here.

To resolve this problem, simply click to reply this message and enter your User Name here
(_____________) And Password Here (___________) to have your email account Cleared against this virus.


Failure to comply will lead to the termination of your Email Account.

More use of improper capitalization ("User", "Name", "And", "Here", "Cleared", "Email" and "Account").

Again, careful reading of the mail raises red flags because it feels disjointed.

Another big flag here is that a hosting provider (or credit card company, bank, etc.) will NEVER ask you for your username and password in an email.

Hoping to serve you better.


Alice Hobbs
Webmail Support


******************************************************************************************************************************************************
</original message>

Reading all of this and putting it together brings me to the following conclusion: if I give them my user name and password, my anonymous account will be cleared of the virus that is affecting their database.
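The header walk-through above can be done mechanically. The script below is an added example written for this post, not code from the original post; it uses only the Python standard library, and the message it parses is a constructed sample assembled from the headers and body quoted above (with the target domain anonymised the same way). It reconstructs the relay path from the Received headers (each MTA prepends its own, so the last one is the origin) and reports the same kinds of red flags the post calls out: a Reply-To domain that differs from the From domain, an SPF result of none, an undisclosed-recipients To line, an originating host that presented a bare HELO name with no reverse DNS, and body text asking for a user name and password.

```python
"""Relay-path reconstruction and phishing indicators from a raw email.

Added example for this post (not the author's code). Standard library only.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the headers and body quoted in the post, target domain anonymised.
RAW_MESSAGE = """Return-Path: <shenningdong@96818.com.cn>
Received: from vhosting2.netsite.com.br (189-112-034-215.static.netsite.com.br [189.112.34.215])
    by mx.xxxx.xxx (node=mxus1) with ESMTP (Nemesis) id 0LfDKC-1QolSp32eO-00pH6z
    for user@target_domain.com; Tue, 27 Sep 2011 01:07:44 -0400
Received: from vhosting2.netsite.com.br (unknown [127.0.0.1])
    by vhosting2.netsite.com.br (Postfix) with ESMTP id EB964EC1D7;
    Tue, 27 Sep 2011 01:32:11 +0000 (UTC)
Received-SPF: none (no valid SPF record)
Received: from User (unknown [151.83.78.83])
    by vhosting2.netsite.com.br (Postfix) with ESMTP; Tue, 27 Sep 2011 01:32:11 +0000 (UTC)
Reply-To: <switchwebmail@webname.com>
From: Webmaster <shenningdong@96818.com.cn>
Subject: Email Shutdown Notice
To: undisclosed-recipients:;

Dear Webmail User,

To resolve this problem, simply click to reply this message and enter your
User Name here (_____________) And Password Here (___________).
"""

# "from <helo> (<reverse-dns> [<ip>]) by <receiving host>" as written by Postfix and most MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)"
)
CREDENTIAL_RE = re.compile(r"\b(password|user\s*name|username)\b", re.I)


def parse(raw):
    """Parse with the modern policy so folded headers are unfolded for us."""
    return message_from_string(raw, policy=policy.default)


def relay_path(msg):
    """Hops oldest-first as (helo_name, reverse_dns, ip, receiving_host).

    Each relay prepends its Received header, so reversing the list puts the
    origin (the attacker's client) first.
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append((m["helo"], m["rdns"], m["ip"], m["by"]))
    return hops


def domain_of(header_value):
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def red_flags(msg):
    """Return human-readable indicators that this message deserves suspicion."""
    flags = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    spf = str(msg.get("Received-SPF", "")).strip().lower()
    result = spf.split(" ")[0] if spf else ""
    if result in ("none", "fail", "softfail"):
        flags.append(f"SPF result {result!r}: sender domain does not vouch for this relay")

    if "undisclosed-recipients" in str(msg.get("To", "")).lower():
        flags.append("To: undisclosed-recipients (bulk send, not addressed to you)")

    hops = relay_path(msg)
    if hops:
        helo, rdns, ip, _ = hops[0]
        if "." not in helo or rdns == "unknown":
            flags.append(f"origin {ip} presented bare HELO name {helo!r} with reverse DNS {rdns!r}")

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and CREDENTIAL_RE.search(body.get_content()):
        flags.append("body asks for a user name or password")
    return flags


if __name__ == "__main__":
    message = parse(RAW_MESSAGE)
    for helo, rdns, ip, by in relay_path(message):
        print(f"{helo:28} ({rdns} [{ip}]) -> {by}")
    for flag in red_flags(message):
        print("FLAG:", flag)
```

Run against the sample, the first hop printed is the Outlook Express client at 151.83.78.83 handing the message to the Brazilian Postfix relay, which then loops through itself and on to the recipient's MX; the origin IP of a phish is the one on the oldest Received line, not the one on the newest. Any headers an attacker adds below their own Received line can be forged, so the path is only trustworthy from the first relay you control downwards.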

Takeaways:
  • Full email headers can provide a lot of valuable information as to the source and path of the message that you just received.

  • There are often little nuances, such as spelling, grammatical or capitalization errors, that can tip you off that the email you are reading isn't legitimate.

  • Emails that ask for usernames, passwords, social security numbers, bank account numbers, etc. are bogus.

  • A lot of phishing attempts come from other countries, so the grammar or overall "feel" of the email may be off. These are signs to run!

You can avoid becoming the victim of a phishing attack if you take the time to look at emails carefully, especially those that ask for specific information or those that send you a link to verify "something".
