Halkyn Security Blog
Specialist Security & Risk Management Consultants

Phishing and Malware – FedEx missed delivery

It seems that every day, new script kiddies discover the likes of the Social Engineering Toolkit or Metasploit and launch a new wave of phishing attacks. Unfortunately it seems that this time the attackers are too lazy to even try.

FedEx Delivery Phishing Email - there is no reason ANYONE should ever open this attachment.


Today’s email – screenshot on the right – is a reasonably straightforward phishing attempt. The idea is to convince the victim that the attachment is interesting enough to open. When it is opened, bad things happen.

Normally, a phishing attack will put at least a bit of effort in, but not this time.

As you can see, the text itself is very short. This may be an attempt to avoid spam filters, but it also has the effect of making this email look like almost NO other commercial email. As an example, when was the last time you got an official email without a pointless disclaimer somewhere?

Secondly, it ticks every box in the “anti-phishing” awareness lessons:

  • The from address name doesn’t relate to the displayed address.
  • It doesn’t mention me by name.
  • The English doesn’t make sense.
  • The dates are the wrong way round (for British people!)
  • Having an email address of @tauntsociety.com just seems designed to raise suspicions.
  • It makes no sense to send a shipping label by email, let alone have it in a zip file.

None of this is encouraging me to open the file. Hopefully no one reading this would open the file either. Sadly, however, there are enough people who will to keep these attacks coming.

Newbie Phishing or did it get some things right?

Amazingly, some parts of this attack are effective, but I don’t think that is a result of the phishing source. It’s more a case of chance.

  • The email arrived in Exchange today and was not detected as malicious by two web-based mail scanners.
  • The email was delivered to the client machine and not detected as malicious by the local AV (Avast) or Windows Defender. (This is unusual, as a check on the hash value at VirusTotal says Microsoft detects it as malware.)
  • The payload is detected by Sophos as a ransomware trojan dropper so any unwitting home users who have run this are likely to either lose all their data or pay the ransom.

Ransomware is very big business so it is surprising that the attackers here have gone to the trouble of finding malware less than half the AV clients will detect (and most only with very recent database updates), but spoiled the phishing attack with terrible execution.

Surprising and fortunate for a lot of people really.

Phishing is here to stay

The main take-away lesson here is that phishing attacks will never go away. Some will get through every technological defence you have so it is critically important that you secure the human.

There is no escaping this. If your users are not security aware, you will lose data to these attacks as long as you are on the internet.

Techie Bits – The Phishing Attack Path

Looking at the message headers, it looks like this attack has been launched by someone using a form-to-email script on either a site they manage, or one with very weak controls.

Below is the list of message headers, and I’ve marked in bold the interesting bits. (And yes, I’ve redacted a couple of bits because they show some internal data I don’t want webscrapers to pull out of the text, no other reason.)

Received: from [REDACTED] ([REDACTED]) by mx.kundenserver.de
(mxeue106) with ESMTPS (Nemesis) id 0LbeXr-1YonOk26NH-00lDRc for
<REDACTED>; Tue, 08 Sep 2015 07:01:13 +0200
Received: from gateway36.websitewelcome.com ([50.116.126.2]) by
mx.kundenserver.de (mxeue106) with ESMTPS (Nemesis) id
0Lo4jI-1Z2KB721JA-00fwNj for <REDACTED>; Tue, 08 Sep 2015
07:01:13 +0200
Received: by gateway36.websitewelcome.com (Postfix, from userid 1000)
id 079D6A7914FD7; Tue, 8 Sep 2015 00:01:12 -0500 (CDT)
Received: from sheridan.websitewelcome.com (sheridan.websitewelcome.com [192.185.83.170])
by gateway36.websitewelcome.com (Postfix) with ESMTP id 02213A7916142
for <REDACTED>; Tue, 8 Sep 2015 00:01:12 -0500 (CDT)
Received: from valence by sheridan.websitewelcome.com with local (Exim 4.85)
(envelope-from <[email protected]>)
id 1ZZB1r-000SER-Po
for REDACTED; Tue, 08 Sep 2015 00:01:11 -0500
To: REDACTED
Subject: Shipment delivery problem #00963055
X-PHP-Script: tauntsociety.com/post.php for 195.228.155.205
Date: Tue, 8 Sep 2015 00:01:11 -0500
From: "FedEx 2Day" <[email protected]>
Reply-To: "FedEx 2Day" <[email protected]>
Message-ID: <[email protected]>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="b1_4ea1c7b3b292b76548671d11a5513ac6"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - sheridan.websitewelcome.com
X-AntiAbuse: Original Domain - halkynconsulting.co.uk
X-AntiAbuse: Originator/Caller UID/GID - [2477 32007] / [47 12]
X-AntiAbuse: Sender Address Domain - sheridan.websitewelcome.com
X-BWhitelist: no
X-Source-IP:
X-Exim-ID: 1ZZB1r-000SER-Po
X-Source: /opt/php54/bin/php-cgi
X-Source-Args: /opt/php54/bin/php-cgi /home/valence/public_html/tauntsociety.com/post.php
X-Source-Dir: valencestreet.com:/public_html/tauntsociety.com
X-Source-Sender:
X-Source-Auth: valence
X-Email-Count: 2
X-Source-Cap: dmFsZW5jZTt2YWxlbmNlO3NoZXJpZGFuLndlYnNpdGV3ZWxjb21lLmNvbQ==
Content-Transfer-Encoding: 7bit
Envelope-To: <REDACTED>
X-UI-Filterresults: notjunk:1;V01:K0:qdxaUM074Do=:ERu/AyiRUwE+dkIYUTry1QLuld
X-Antivirus: avast! (VPS 150907-1, 07/09/2015), Inbound message
X-Antivirus-Status: Clean

This appears to show a couple of things:

  • The attack was launched from a post.php script on tauntsociety.com
  • The from and reply-to addresses are completely untrustworthy as this is a phishing attack designed to get the victim to open a payload, not reply. This means there is no reason to assume they point to a valid mailbox. However in this instance, they point to one on tauntsociety.com.
  • The mail went via websitewelcome.com’s email server using an account called [email protected]
  • Websitewelcome.com appears to be provided to resellers by HostGator, and sheridan.websitewelcome.com appears to host a cPanel webmail portal.
  • Both valencestreet.com and tauntsociety.com are registered by the same person at 2400 Valence Street, New Orleans. This appears to be a residential address and the owner has used a gmail account to sign up.
  • The tauntsociety website looks like it hasn’t been cared for in a while although there is an associated twitter feed which is very active.
  • The header data here does not give us any better insight into the source of the phishing attack than that it came from “valence”.

Based on the totality of information here, the most likely attack path is that a malicious party has used the script on tauntsociety to send an email. It is also likely that the script is hardcoded to present the [email protected] account credentials.
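The header walk described above can be automated. The following is an added example (not code from the original post): it takes a cut-down, constructed copy of the headers quoted above, lists the Received hops oldest-first so the origin host comes out at the top, and pulls out the cPanel/PHP headers that name the sending script and account. It also decodes X-Source-Cap, which cPanel populates as base64 of "auth user;account owner;server" – a detail the post does not spell out.

```python
import base64
import email
import re

# Constructed sample modelled on the headers quoted in the post; the
# private parts stay redacted and the envelope-from/From lines are omitted.
RAW_HEADERS = """\
Received: from [REDACTED] ([REDACTED]) by mx.kundenserver.de
 (mxeue106) with ESMTPS (Nemesis) id 0LbeXr-1YonOk26NH-00lDRc for
 <REDACTED>; Tue, 08 Sep 2015 07:01:13 +0200
Received: from gateway36.websitewelcome.com ([50.116.126.2]) by
 mx.kundenserver.de (mxeue106) with ESMTPS (Nemesis) id
 0Lo4jI-1Z2KB721JA-00fwNj for <REDACTED>; Tue, 08 Sep 2015 07:01:13 +0200
Received: from sheridan.websitewelcome.com (sheridan.websitewelcome.com [192.185.83.170])
 by gateway36.websitewelcome.com (Postfix) with ESMTP id 02213A7916142
 for <REDACTED>; Tue, 8 Sep 2015 00:01:12 -0500 (CDT)
Received: from valence by sheridan.websitewelcome.com with local (Exim 4.85)
 id 1ZZB1r-000SER-Po
 for REDACTED; Tue, 08 Sep 2015 00:01:11 -0500
Subject: Shipment delivery problem #00963055
X-PHP-Script: tauntsociety.com/post.php for 195.228.155.205
X-Source-Args: /opt/php54/bin/php-cgi /home/valence/public_html/tauntsociety.com/post.php
X-Source-Auth: valence
X-Source-Cap: dmFsZW5jZTt2YWxlbmNlO3NoZXJpZGFuLndlYnNpdGV3ZWxjb21lLmNvbQ==

"""

# "from <host> ... by <host>"; re.S lets it span folded continuation lines.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def received_chain(raw):
    """Return (from, by) pairs oldest hop first, i.e. origin to final MX."""
    msg = email.message_from_string(raw)
    hops = []
    # Each MTA prepends its Received line, so the bottom one is the origin.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def origin_indicators(raw):
    """Pull the cPanel/PHP headers that name the sending script and account."""
    msg = email.message_from_string(raw)
    php = msg.get("X-PHP-Script", "")
    cap = msg.get("X-Source-Cap", "")
    return {
        "script": php.split(" for ")[0],      # script that called mail()
        "client_ip": php.split(" for ")[-1],  # HTTP client that triggered it
        "args": msg.get("X-Source-Args", ""),
        "auth_user": msg.get("X-Source-Auth", ""),
        # base64 of "auth user;account owner;server"
        "cap": base64.b64decode(cap).decode().split(";") if cap else [],
    }
```

Note that the client IP in X-PHP-Script is whatever the web server saw connect to post.php, which is the one datum in these headers that the headers themselves do not already give away.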

While this instance involved a private individual, who may or may not have the knowledge to properly secure a website, similar attacks happen using corporate servers every day.

At Halkyn Consulting we research this out of curiosity, but some attack victims will be reporting it to the police. It may be possible for them to get further than the “valence” account name, but this is very much a gamble and it is just as likely that websitewelcome.com don’t store any more details than the credentials used.

As a result, if your company owns sites with scripts that fall out of good management, you will find yourself liable for the misuse. And you really don’t want that.


4 Comments

  1. Iqbal
    1 October 2015    

    Hi team,
    Can I get the unprotected version of the ISO 27001:2013 compliance checklist?

    Thanks & Regards

    Syed Iqbal

  4. Rama Ramachandran
    16 February 2016    

    Hi,

    Request you to share an unprotected version of the ISO 27001:2013 compliance checklist.

    Many thanks
    Rama Ramachandran
