As most internet users know, phishing attacks are very common. The term itself dates back to 1995 (e.g. AOHell) and social engineering (which is basically what phishing is) goes back as long as we have had societies.
At a basic level, phishing is an attempt by a malicious party to get the recipient (victim) to carry out an action. Over the years this has ranged from giving up sensitive details (passwords, credit card details etc) to simply opening a malicious file.
Following on from the success of these attacks, banks and credit card companies have taken significant steps to combat fraud so, now, the majority of phishing attacks look to get you to open a file. Examples include documents such as “invoice.xlsx” or “payment.pdf” type files. These are normally “trojans” which, when opened, will carry out attacks on your operating system directly.
Most of the time, these phishing messages are generated by scripts across multiple languages. Frequently this results in the awkward English which alerts the recipient and forms the brunt of most anti-phishing awareness training.
However, the attackers are always evolving and today our email systems started getting this message:
I am trying to call you on phone now to explain to you about the amendment of the invoice as discussed on tuesday but your number is not connecting. regards to our phone call on tuesday afternoon, i have attached to you the profoma invoice for the new order.
You have to know that attached is the amended proforma invoice and design for our shipment, because price in invoice was not our agreement after the confirmation of the order. please you have to confirm that the stated prices are correct.
We expect to receive the shipment of goods within the specified time on this order. kindly give me your confirmation and your profoma for payment arrangement.
Any questions, kindly let me know.
Business Empire International
Marketing, Trading, Consulting
Suite # 15, 2nd Floor, Rehmat Center,
I-8 Markaz Islamabad, Pakistan.
Tel: +9251 4138116, 4938119
Cell: +92 865 506 6191
Fax: +9211 4861 376
URL: www.empireinternational.com [email protected]
* This is a system generated document and does not require signature.
As you can see, there is a massive element of legitimacy around the content here, it is able to get through lots of spam filters and it is likely to be convincing enough for a lot of people to open the attached RAR file. (The attached file contains a trojan downloader which can flood the target machine with lots of unwanted additional software).
The bad news here is that the attackers are becoming more advanced in their trickery.
The good news is that they are still quite obvious when you know what to look for and this phishing provides lots of examples to use in your awareness training packages.
Using this email, we can list the key indicators which should make any recipient suspicious enough to look into things further. Some are more technical than others, but all internet users should be aware enough to at least consider there.
- The email is unexpected. We have never done business with this organisation, have never given them a phone number, never had a phone call with this organisation and never made an order. Note: the attackers are trying to take advantage of people who might assume someone else in the organisation has made an order. Don’t fall for this.
- The email is vague. There are no specifics. The recipient name isn’t used. There is no indication as to what the goods might be. Note: the attackers have to be vague because they don’t know what the target organisation is likely to sell. This is a good clue it is phishing.
- The language used is awkward. This is harder for non-native English speakers and should only be a weak indicator of phishing. However, for native English speakers, the grammar and language is very unusual. The first sentence of the middle paragraph is trying to get the recipient to open the attachment, but the language used is unfathomable. Note: Attackers tend to use scripts to generate phishing messages which leads to this weird use of language.
- The recipients are hidden. The attacker has used a mailing list of targets but the content implies this should be a very one to one message. It seems unlikely that they would have had the same phone problems with multiple organisations so it makes no sense for this message not to be to a named person. Note: the attackers are trying to mask the size of their mailing list. Any message which is to a hidden list should be treated as suspicous and is almost certainly spam.
- The from address doesn’t match the company name. As you can see in the screenshot above, the message appears to come from [email protected] but the signature line is empireinternational.com. This is unusual and should make any reader wary of the content. Note: Attackers often have to use hijacked mail relays or compromised accounts which is why the recipient address is often unusual. Always check it.
- The URL is wrong. Business Empire International has a web presence and the postal address matches the details given in the email – however it’s website is http://bei.com.pk/ not www.empireinternational.com (which at the time of writing appears to not be in use). This indicates that the scammers may have been gearing up to create a “backstory” website to give credibility, but a google search indicates the correct URL to visit. Note: Phishing counts on people not checking the details, so make sure you do check any emails you are suspicious of.
- Finally, a technical check indicates that none of the information presented in the email headers is trustworthy, making the entire message suspicious. Note: it is probably not worth checking every email but learn how to check file headers in your chosen mail client.
The technical details mentioned above are the internet headers (file – > properties in MS Outlook). For this message the key bits were:
The initial mail header reads:
Received: from [18.104.22.168] (port=50012 helo=[10.116.134.14]) by cpanel.puninar.com with esmtpa (Exim 4.85) (envelope-from <[email protected]>) id 1Ylw02-000758-81; Sat, 25 Apr 2015 16:03:51 +0700
This tells us where the message originated and from this, it looks like the phishers had access to a Dedicated Server account hosted in Sweden. It is likely that they have actually compromised a workstation and are using this connection rather than a direct attack on the servers.
Next we look at the from and reply-to fields:
From: "Ishmel Zahab "<[email protected]>
Date: Sat, 25 Apr 2015 17:03:05 +0800
Reply-To: [email protected]
This is a very good indicator of phishing – the from account is a different domain to the reply-to. Attackers often use this to make sure any curious reply messages are captured by them, rather than the person they are impersonating.
Lastly, with this message, we have some useful headers the mail transport agent have added to assist in tracking down malicious use:
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cpanel.puninar.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - generalemballage.com
X-Get-Message-Sender-Via: cpanel.puninar.com: authenticated_id: [email protected]
Here we have some useful information.
- The compromised service appears to be cpanel.puniar.com but this doesn’t exist as a web address.
- The sender domain claims to be generalemballage.com – which exists but appears to be located in Algeria and Tunisia.
- The User ID apparently associated with the outbound email is [email protected] This email address is associated with a lot of job adverts in Indonesia.
All of this gives us some useful background into the phishing message. We can, with reasonable confidence, conclude that the [email protected] email account has been compromised (probably by malware) and is being used to spread more malware via some open mail relays and possibly a compromised mail account owned by generalemballage.com.
It also gives us utmost confidence in deleting the message without ever reading the attachment.
As there are a couple of other organisations who already appear to be compromised by this email, it would be good practice to notify them – however this may be difficult if they don’t have public “abuse” or technical support contacts. As an example, puninaryusen.com doesn’t have a functioning site so may not have any one to respond to the phishing report.
So, in summary, phishing is likely to remain with us as long as people interact with other people. It is important to make sure you (and your employees etc.) remain far enough ahead of what the attackers do that you can spot their methods and understand your systems well enough to realise when someone is trying to trick you.
If they get past your defences, then it is time to roll out the incident response but that is for another day.