Tuesday, August 11, 2015

Comments on a better than average Phishing Expedition

I take it quite a few of you have received phishing emails. You know, some email that tries to compel the reader to click on a link to a site where, for whatever reason, they enter all their information so their identity, and credit card, can be stolen. And maybe they also get infected with a trojan in the process.

Some, with all respect, are rather lame. By that I mean the authors could not be bothered to

  1. Spell and grammar check the letter. Yes, I know those phishers might not natively speak the language of their target audience, but can't you be bothered to find someone to check it for you?
  2. Read it and make sure it makes sense. I have received some that I read 10 times and still could not figure out the point. There is nothing relating the text in the paragraphs to the reason to click on the link.
  3. Take a few moments to study the target. Chances are our phisher phriend wants to hit a corporation or someone who is using a corporate service like facebook or microsoft or gmail. If you are trying to impersonate them, why not find out what the real letter you are trying to fake looks like?

Come on! I know it is harder than running the "EZ-Phisher" program and hitting a button, but please try to make me feel pleased to see the phishing email instead of insulted. The fact that those badly crafted phishing attacks work tells more about the target than about the phisher, and what it tells is not pretty. If it comes as a shock to you that I

So this morning I received an impressive-looking phishing email that claimed to be from google. You probably want to know what it looks like, so I did a screen capture and put it here to the left. Don't panic, it is safe: you can click on it until you get a sore finger and it will not take you anywhere.

Now, this one I think is much better than your everyday phishing email. I mean, it is in a totally different timezone. Let's examine the phishing email and see what they did right and wrong:

What went right

  1. Got the corporate colours right. The email claims to be coming from google, so they took the time to get the google icons and colours and even layout close enough to look credible.

  2. Used knowledge of the official corporate website to hide their real url. If you hover over the button, it shows the following link (I am allowing it to overflow):

    Note they crafted their link so it is hidden after a few proper links -- from the company they claim the email is coming from, google. The link is long since our phisher phriends hope the real link will fall off the screen. Also, the last link, the one that probably points to their fake site, is behind a goo.gl link: you would need to click on it to first see what the link is, and by then you are attacked. Especially if you use Internet Explorer, a browser that does like to be cross-site scripting vulnerable.

  3. Hid the return email behind a corporate-looking address. I like to see the source of the email, what gmail would call "Show Original". That usually is the 4th item from the bottom:

    When I tried to open it, the return address overwhelmed the menu bar, hiding all other options:

    Note that this also worked when the email showed the return address (first picture in this article). That is good for a phishing email as it would make most users not bother examining the email. Since we know the location of the option we want -- Show Original -- we can use it regardless.

  4. Avoided whenever possible relaying emails across too many non-corporate sites. The email looks like this:
    Delivered-To: phishing-victim@gmail.com
    Received: by 10.112.204.33 with SMTP id kv1csp2118911lbc;
            Tue, 11 Aug 2015 01:35:33 -0700 (PDT)
    X-Received: by 10.180.108.35 with SMTP id hh3mr31922715wib.48.1439282133631;
            Tue, 11 Aug 2015 01:35:33 -0700 (PDT)
    Return-Path: <perry_rhodan@interplanetary.edu>
    Received: from mail-wi0-f194.google.com (mail-wi0-f194.google.com. [209.85.212.194])
            by mx.google.com with ESMTPS id bl10si2265464wib.9.2015.08.11.01.35.33
            for <phishing-victim@gmail.com>
            (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
            Tue, 11 Aug 2015 01:35:33 -0700 (PDT)
    Received-SPF: pass (google.com: domain of perry_rhodan@interplanetary.edu designates 209.85.212.194 as permitted sender) client-ip=209.85.212.194;
    Authentication-Results: mx.google.com;
           spf=pass (google.com: domain of perry_rhodan@interplanetary.edu designates 209.85.212.194 as permitted sender) smtp.mailfrom=perry_rhodan@interplanetary.edu
    Received: by mail-wi0-f194.google.com with SMTP id p15so26093395wij.0
            for <phishing-victim@gmail.com>; Tue, 11 Aug 2015 01:35:33 -0700 (PDT)
    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
            d=1e100.net; s=20130820;
            h=x-gm-message-state:mime-version:from:date:message-id:subject:to
             :content-type;
            bh=LsemyedQTWVhfKEpSMfhlXsF9zPIYwDrlKawPrrmsog=;
            b=XAxoOiKIC3vJ4RIxmejkhdVXXBox3/I4nQYeu5Ml9F8Rq0Sjh+QKaY5M26FkPjX0fa
             Fu/v9fj+a451Aoc5AijUjqtrLEL8vH3Rhx7Kln7m6XrDo1P17HRVSDQCpoc7PlLZicSQ
             Mrnh6AFmYJ7PDCf1RuiJ8ACBZZ7+RwLLYtyEHnwxphUkCglVnJn75Vd8GDEBBv+G/BZw
             PISTui9PGA/jET733HHcLyA1FdYmYjJfWnOkM7oQBQv2/uR/xx9N06k21hbXKvYdOkkN
             oUafnLsuWnI8yBzJUaw2YpCr2HB2vw+ap9kTa4EkCzRntOhuBlpwzg60ukF6J+bdvbVf
             TpgQ==
    X-Gm-Message-State: ALoCoQmFD3lES/88ZcNCZQPJfj+ifiEDNpX5k0tRWJ0tphpzP282BDg6hmsHzb7Cf5n0u26AsTME
    X-Received: by 10.180.84.72 with SMTP id w8mr23619994wiy.71.1439282133247;
     Tue, 11 Aug 2015 01:35:33 -0700 (PDT)
    MIME-Version: 1.0
    Received: by 10.28.48.198 with HTTP; Tue, 11 Aug 2015 01:35:13 -0700 (PDT)
    From: "Google <no-reply@accounts.google.com> Google<no-reply@accounts.google.com> Google<no-reply@ac..." <perry_rhodan@interplanetary.edu>
    Date: Tue, 11 Aug 2015 09:35:13 +0100
    Message-ID: 
    Subject: Our Final Report
    To: undisclosed-recipients:;
    Content-Type: multipart/alternative; boundary=f46d044403ba48b9da051d04fc2f
    Bcc: phishing-victim@gmail.com
    
    --f46d044403ba48b9da051d04fc2f
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: quoted-printable
    
    =E2=80=8B
    One of the classic telltales that an email is scam or phishing is found by following the Received: headers. So, this email pretends to be from Google. A lousily put together phishing email might have the last hop on google, but then the previous hops would bounce all over the place. This one, however, came from Google. We even know it was submitted directly to a google SMTP server, and when.
    Received: from mail-wi0-f194.google.com (mail-wi0-f194.google.com. [209.85.212.194])
            by mx.google.com with ESMTPS id bl10si2265464wib.9.2015.08.11.01.35.33
            for <phishing-victim@gmail.com>
            (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
            Tue, 11 Aug 2015 01:35:33 -0700 (PDT)
    And we know who supposedly submitted it:
    Received-SPF: pass (google.com: domain of perry_rhodan@interplanetary.edu designates 209.85.212.194 as permitted sender) client-ip=209.85.212.194;
    It was someone from a university. Now, why would this person use gmail for SMTP? Well, let's ask the university itself:
    bash-3.2$ dig interplanetary.edu MX
    
    ; <<>> DiG 9.8.5-P1 <<>> interplanetary.edu MX
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21325
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 6, ADDITIONAL: 7
    
    ;; QUESTION SECTION:
    ;interplanetary.edu.                     IN      MX
    
    ;; ANSWER SECTION:
    interplanetary.edu.     3077    IN      MX      5 alt2.aspmx.l.google.com.
    interplanetary.edu.     3077    IN      MX      5 alt1.aspmx.l.google.com.
    interplanetary.edu.     3077    IN      MX      1 aspmx.l.google.com.
    interplanetary.edu.     3077    IN      MX      10 alt4.aspmx.l.google.com.
    interplanetary.edu.     3077    IN      MX      10 alt3.aspmx.l.google.com.
    
    ;; AUTHORITY SECTION:
    edu.                    46983   IN      NS      a.edu-servers.net.
    edu.                    46983   IN      NS      c.edu-servers.net.
    edu.                    46983   IN      NS      f.edu-servers.net.
    edu.                    46983   IN      NS      d.edu-servers.net.
    edu.                    46983   IN      NS      g.edu-servers.net.
    edu.                    46983   IN      NS      l.edu-servers.net.
    
    ;; ADDITIONAL SECTION:
    a.edu-servers.net.      46983   IN      A       192.5.6.30
    c.edu-servers.net.      46983   IN      A       192.26.92.30
    d.edu-servers.net.      46983   IN      A       192.31.80.30
    f.edu-servers.net.      46983   IN      A       192.35.51.30
    g.edu-servers.net.      46983   IN      A       192.42.93.30
    g.edu-servers.net.      46983   IN      AAAA    2001:503:cc2c::2:36
    l.edu-servers.net.      46983   IN      A       192.41.162.30
    
    ;; Query time: 34 msec
    ;; SERVER: 10.0.0.10#53(10.0.0.10)
    ;; WHEN: Tue Aug 11 08:55:08 EDT 2015
    ;; MSG SIZE  rcvd: 380
    
    bash-3.2$
    So, this university uses gmail to send its emails. I guess that means it decided to move to the cloud by outsourcing its email. I know a lot of people who are rabid advocates of pushing as much of the IT infrastructure as possible to be hosted by commercial vendors in the cloud. I wonder how many did the due diligence, but I digress. The upshot is that it makes it easier for a careful phisher to do research on targets: instead of having to go to many different sites, the eggs of many businesses are now literally being held in a few baskets. For instance, if the target companies are, say, using the Microsoft cloud, a Microsoft-looking email to all the users in the target corporations would look legit. And that allows phishers and other hackers with criminal intent to concentrate their efforts.
  5. Email passed DKIM and SPF, which adds to its legit feel.
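The checks walked through by hand in items 2 and 4 above (following the Received: chain hop by hop, reading the SPF verdict and the envelope sender it applies to, noticing a From: display name padded with a different address, and unwrapping a button href that buries its real destination behind legitimate-looking google.com URLs) can be scripted. The Python below is an added example, not code from this post: the header sample is abridged from the headers quoted above, the href is a constructed stand-in for the one in the screenshot (the post does not reproduce it), and the shortener list is a small illustrative set.

```python
# Added example (not from the original post): scripted versions of the checks
# the post performs by hand on the Received: chain, the SPF verdict, the padded
# From: display name, and a button href with nested, legitimate-looking URLs.
import email
import re
from email.utils import parseaddr
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: abridged from the headers quoted in the post.
RAW_MESSAGE = b"""Received: by 10.112.204.33 with SMTP id kv1csp2118911lbc;
        Tue, 11 Aug 2015 01:35:33 -0700 (PDT)
Return-Path: <perry_rhodan@interplanetary.edu>
Received: from mail-wi0-f194.google.com (mail-wi0-f194.google.com. [209.85.212.194])
        by mx.google.com with ESMTPS id bl10si2265464wib.9.2015.08.11.01.35.33
        for <phishing-victim@gmail.com>;
        Tue, 11 Aug 2015 01:35:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of perry_rhodan@interplanetary.edu designates 209.85.212.194 as permitted sender) client-ip=209.85.212.194;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of perry_rhodan@interplanetary.edu designates 209.85.212.194 as permitted sender) smtp.mailfrom=perry_rhodan@interplanetary.edu
Received: by mail-wi0-f194.google.com with SMTP id p15so26093395wij.0
        for <phishing-victim@gmail.com>; Tue, 11 Aug 2015 01:35:33 -0700 (PDT)
From: "Google <no-reply@accounts.google.com> Google<no-reply@accounts.google.com>" <perry_rhodan@interplanetary.edu>
Subject: Our Final Report
To: undisclosed-recipients:;

(body omitted)
"""
MSG = email.message_from_bytes(RAW_MESSAGE)

# Constructed stand-in for the button href (the post does not reproduce the real
# one): genuine google.com URLs nested in query parameters, a goo.gl link innermost.
SAMPLE_HREF = ("https://accounts.google.com/ServiceLogin?service=mail"
               "&continue=https%3A%2F%2Fwww.google.com%2Fsettings"
               "%3Fnext%3Dhttps%253A%252F%252Fgoo.gl%252FEXAMPLE0")
KNOWN_SHORTENERS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}  # illustrative, not exhaustive

def _flat(value):
    """Collapse header folding (newline + indent) into single spaces."""
    return re.sub(r"\s+", " ", value or "").strip()

def hop_hosts(msg):
    """(from_host, by_host) per Received: hop, oldest first.

    Each relay prepends its own header, so the top one is the newest;
    reversing them gives the path the message actually travelled.
    """
    hops = []
    for hop in reversed(msg.get_all("Received", [])):
        hop = _flat(hop)
        m_from = re.search(r"\bfrom\s+(\S+)", hop)
        m_by = re.search(r"\bby\s+(\S+)", hop)
        hops.append((m_from.group(1) if m_from else None,
                     m_by.group(1) if m_by else None))
    return hops

def all_hops_in_domain(msg, domain):
    """True when every named relay sits under `domain` (the post's 'this one,
    however, came from Google'). Bare IPs of internal hops are ignored."""
    names = [n for pair in hop_hosts(msg) for n in pair if n]
    return all(re.fullmatch(r"[\d.]+", n) or n == domain or n.endswith("." + domain)
               for n in names)

def auth_results(msg):
    """Verdicts (spf=, dkim=, dmarc=) from Authentication-Results plus the
    envelope sender they were evaluated for. A pass only says the server may
    send for smtp.mailfrom; it says nothing about the name shown in From:."""
    ar = _flat(msg.get("Authentication-Results"))
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    m = re.search(r"smtp\.mailfrom=(\S+)", ar)
    return verdicts, (m.group(1) if m else None)

def sender_mismatch(msg):
    """Real From: address, and any domains smuggled into the display name that
    differ from it (the post's 'Google <no-reply@...>' padding)."""
    name, addr = parseaddr(_flat(msg.get("From")))
    claimed = re.findall(r"[\w.+-]+@[\w.-]+", name)
    real_domain = addr.rsplit("@", 1)[-1].lower()
    foreign = sorted({c.rsplit("@", 1)[-1].lower() for c in claimed} - {real_domain})
    return addr, foreign

def nested_urls(href):
    """Every URL embedded in query parameters, outermost first, innermost last."""
    found, frontier = [href], [href]
    while frontier:
        for _, value in parse_qsl(urlsplit(frontier.pop()).query, keep_blank_values=True):
            if re.match(r"https?://", value, re.I):
                found.append(value)
                frontier.append(value)
    return found

def final_destination(href):
    """Host of the innermost URL and whether it is a link shortener, which
    keeps the real site hidden until the victim clicks."""
    host = (urlsplit(nested_urls(href)[-1]).hostname or "").lower()
    return host, host in KNOWN_SHORTENERS

if __name__ == "__main__":
    print("hops (oldest first):", hop_hosts(MSG))
    print("all relays under google.com:", all_hops_in_domain(MSG, "google.com"))
    print("auth:", auth_results(MSG))
    print("From: address / foreign domains in display name:", sender_mismatch(MSG))
    print("final destination:", final_destination(SAMPLE_HREF))
```

Run as a script it prints the same conclusions the post reaches: every relay is a google.com host, SPF passed for the .edu envelope sender rather than for Google, the display name carries an accounts.google.com address that the real From: address does not, and the innermost link in the href is a goo.gl shortener. The SPF point is the one worth keeping in mind: a pass here is a statement about interplanetary.edu's mail setup, not evidence that Google wrote the message.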

What went wrong

Unfortunately this phishing email was not perfect. The issues are few and far between, but they are there.
  1. Grammar. It is not horrible, but it did make me stop long enough to see it was spam/phishing. The "We always protect you" and "Our Final Report" did sound a bit odd. The first one was close to what Google might have written, but no cigar. Still, since it does not have the usual Chicken Little warning messages bad phishing uses, I honestly passed through it without noticing much. And besides, "We always protect you" gives a warm and fuzzy feeling, not as much as a box of kittens but you get my point.

    The first paragraph is a different story. It does not sound like what a native English speaker would say -- it is too wordy and convoluted -- and Google would have spent the money to put their message in nice clear 8th grade English. The second paragraph started with a lowercase letter; I don't know any language that has upper and lower case that would do so.

  2. No spaces between paragraphs. The paragraphs are short, as they would be in a Google announcement -- keep it simple and fast so users won't lose interest -- but because of the lack of spaces between them they look too cluttered. Still, from a distance it looks clean and pleasant.

Overall I would give it a 7/10: good effort, better than average delivery, and they took some time to know the target. But this phishing attempt could be better.

Keep up with the good work!
