It seems that every day, new script kiddies discover the likes of the Social Engineering Toolkit or Metasploit and launch a new wave of phishing attacks. Unfortunately it seems that this time the attackers are too lazy to even try.
Today’s email – screenshot on the right – is a reasonably straight forward phishing attempt. The idea is to convince the victim that the attachment is interesting enough to open. When it is opened, bad things happen.
Normally, a phishing attack will put at least a bit of effort in, but not this time.
As you can see, the text itself is very short. This may be an attempt to avoid spam filters but it also has the effect of making this email look like almost NO other commercial email. As an example, When was the last time you got an official email without a pointless disclaimer somewhere?
Secondly it ticks every box in the “anti-Phishing” awareness lessons:
- The from address name doesnt relate to the displayed address.
- It doesnt mention me by name.
- The English doesnt make sense.
- The dates are the wrong way round (for British people!)
- Having an email address of @tauntsociety.com just seems designed to raise suspiciouns.
- It makes no sense to send a shipping label by email, let alone have it in a zip file.
None of this is encouraging me to open the file. Hopefully no one reading this would open the file either. However, sadly, there are enough people who will, to make the attacks continue.
Newbie Phishing or did it get some things right?
Amazingly some parts of this attack are effective, but I dont think that is a result of the phishing source. Its more a case of chance.
- The email arrived into Exchange today and was not detected as malicious by two web based mail scanners.
- The email was delivered to the client machine and not detected as malicious by the local AV (Avast) or Windows Defender. (This is unusual as a check on the hashvalue at Virus Total says Microsoft detects it as malware)
- The payload is detected by Sophos as a ransomware trojan dropper so any unwitting home users who have run this are likely to either lose all their data or pay the ransom.
Ransomware is very big business so it is surprising that the attackers here have gone to the trouble of finding malware less than half the AV clients will detect (and most only with very recent database updates), but spoiled the phishing attack with terrible execution.
Surprising and fortunate for a lot of people really.
Phishing is here to stay
The main take-away lesson here is that phishing attacks will never go away. Some will get through every technological defence you have so it is critically important that you secure the human.
There is no escaping this. If your users are not security aware, you will lose data to these attacks as long as you are on the internet.
Techie Bits – The Phishing Attack Path
Looking at the message headers, it looks like this attack has been launched by someone using a form t0 email script on either a site they manage, or one with very weak controls.
Below is the list of message headers, and I’ve marked in bold the interesting bits. (And yes, I’ve redacted a couple of bits because it shows some internal data I dont want webscrapers to pull out of the text, no other reason).
Received: from [REDACTED] ([REDACTED]) by mx.kundenserver.de
(mxeue106) with ESMTPS (Nemesis) id 0LbeXr-1YonOk26NH-00lDRc for
<REDACTED>; Tue, 08 Sep 2015 07:01:13 +0200
Received: from gateway36.websitewelcome.com ([188.8.131.52]) by
mx.kundenserver.de (mxeue106) with ESMTPS (Nemesis) id
0Lo4jI-1Z2KB721JA-00fwNj for <REDACTED>; Tue, 08 Sep 2015
Received: by gateway36.websitewelcome.com (Postfix, from userid 1000)
id 079D6A7914FD7; Tue, 8 Sep 2015 00:01:12 -0500 (CDT)
Received: from sheridan.websitewelcome.com (sheridan.websitewelcome.com [184.108.40.206])
by gateway36.websitewelcome.com (Postfix) with ESMTP id 02213A7916142
for <REDACTED>; Tue, 8 Sep 2015 00:01:12 -0500 (CDT)
Received: from valence by sheridan.websitewelcome.com with local (Exim 4.85)
(envelope-from <[email protected]sheridan.websitewelcome.com>)
for REDACTED; Tue, 08 Sep 2015 00:01:11 -0500
Subject: Shipment delivery problem #00963055
X-PHP-Script: tauntsociety.com/post.php for 220.127.116.11
Date: Tue, 8 Sep 2015 00:01:11 -0500
From: “FedEx 2Day” <[email protected]>
Reply-To: “FedEx 2Day” <[email protected]>
Message-ID: <[email protected]>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname – sheridan.websitewelcome.com
X-AntiAbuse: Original Domain – halkynconsulting.co.uk
X-AntiAbuse: Originator/Caller UID/GID – [2477 32007] / [47 12]
X-AntiAbuse: Sender Address Domain – sheridan.websitewelcome.com
X-Source-Args: /opt/php54/bin/php-cgi /home/valence/public_html/tauntsociety.com/post.php
X-Antivirus: avast! (VPS 150907-1, 07/09/2015), Inbound message
This appears to show a couple of things:
- The attack was launched from a post.php script on tauntsociety.com
- The from and reply-to addresses are completely untrustworthy as this is a phishing attack designed to get the victim to open a payload, not reply. This means there is no reason to assume they point to a valid mailbox. However in this instance, they point to one on tauntsociety.com.
- The mail went via websitewelcome.com’s email server using an account called [email protected]
- Websitewelcome.com appears to provided to resellers by HostGator and it appears that sheridan.websitewelcome.com hosts a CPanel portal for webmail.
- Both valencestreet.com and tauntsociety.com are registered by the same person at 2400 Valence Street, New Orleans. This appears to be a residential address and the owner has used a gmail account to sign up.
- The tauntsociety website looks like it hasn’t been cared for in a while although there is an associated twitter feed which is very active.
- The header data here does not give us any better insight into the source of the phishing attack than it came from “valence”.
Based on the totality of information here, the most likely attack path is that a malicious party has used the script on tauntsociety to send an email. It is also likely that the script is hardcoded to present the [email protected] account credentials.
While this instance has been a private individual, who may or may not have the knowledge to properly secure a website, similar attacks happen using corporate servers every day.
At Halkyn Consulting we research this out of curiousity, but some attack victims will be reporting it to the police. It may be possible for them to be more accurate than the “Valence” account but this is very much a gamble and it is just as likely that websitewelcome.com don’t store any more details than the credentials used.
As a result, if your company owns sites with scripts that fall out of good management, you will find yourself liable for the misuse. And you really dont want that.