Introduction
The ISC handlers email distro gets plenty of spam and phishing emails every day. Most of them are filtered before they ever reach the inbox; however, every once in a while one gets through. Today's diary reviews an example of a phishing email that reached our inbox on Tuesday 2021-02-09.
The email
As shown in the image above, the sending address had been spoofed to look like it came from administrator@sans.isc.edu. But the message actually reached our mail server from 165.232.128[.]118. That much we can confirm, because that address is recorded in the Received: line our own mail server added, the most recent hop before the message hit our inbox, and a receiving server writes down the address that actually connected to it. Everything below that line arrived inside the message and can be spoofed. Based on the only other Received: line, this message might have originated from 69.12.85[.]209, but the sender could have added that line to confuse analysts.
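The header walk described above, done programmatically, as an added example rather than the diary's own tooling. The message below is constructed: the hostnames, queue id and timestamps are invented, mx.example.edu stands in for the ISC mail server, and the only real values are the two IP addresses the diary quotes. The rule it applies is the one from the paragraph above: the topmost Received: line is the one our own MX wrote, so only the connecting address in that line is confirmed, and every hop below it is sender-supplied.

```python
import email
import re

# Constructed sample, not the diary's actual headers: hostnames, queue id and
# timestamps are invented; the two IP addresses are the ones the diary quotes.
# Our own MX is assumed to be mx.example.edu.
OUR_MX = "mx.example.edu"
RAW_MESSAGE = b"""Received: from mail.example.net (unknown [165.232.128.118])
\tby mx.example.edu (Postfix) with ESMTP id 4DZ9k1
\tfor <handlers@example.edu>; Tue, 09 Feb 2021 10:00:00 +0000
Received: from [69.12.85.209] (unknown [69.12.85.209])
\tby mail.example.net with ESMTP; Tue, 09 Feb 2021 09:59:00 +0000
From: "IT Support" <administrator@sans.isc.edu>
To: handlers@example.edu
Subject: Your mailbox password expires today

Please verify your account.
"""

# Simplified patterns: real Received: syntax varies by MTA, so treat these as
# a starting point, not a full RFC 5321 parser.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_BY_RE = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)")


def parse_received(raw_message: bytes) -> list:
    """Return the Received: hops in header order.

    Index 0 is the line at the top of the message, i.e. the last hop, which is
    the one our own MX added; each later index is one hop further back and was
    supplied by whoever handed us the message."""
    msg = email.message_from_bytes(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        m = FROM_BY_RE.search(text)
        ips = IP_RE.findall(text)
        hops.append({
            "from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "ip": ips[0] if ips else None,  # bracketed address the receiving host recorded
            "raw": text,
        })
    return hops


def trusted_origin(hops: list, our_mx: str) -> dict:
    """Split the chain into the one peer we can vouch for and the hops we cannot.

    The receiving server records the address that actually connected to it, so
    the IP in the line our MX wrote is confirmed. Everything below it arrived
    inside the message and may have been forged or inserted to mislead."""
    if not hops or hops[0]["by"] != our_mx:
        raise ValueError("top Received: line was not written by %s" % our_mx)
    return {
        "confirmed_peer": hops[0]["ip"],
        "claimed_earlier_hops": [h["ip"] for h in hops[1:]],
    }


if __name__ == "__main__":
    hops = parse_received(RAW_MESSAGE)
    summary = trusted_origin(hops, OUR_MX)
    print("confirmed connecting peer:", summary["confirmed_peer"])
    print("unverifiable earlier hops:", summary["claimed_earlier_hops"])
```

The check in trusted_origin matters in practice: if the top line was not written by your own MX, something upstream (a forwarder, a relay you did not expect, or a stripped header) sits between you and the message, and the first address you can vouch for moves accordingly.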
The phishing message contains a link to hxxps://soberlab[.]ca/sl.html?email=[phishing recipient's email address]. The domain soberlab[.]ca appears to host a legitimate website, and that website may have been compromised to host the phishing URL.
Phishing traffic
The HTTPS link in the email redirects to a phishing page at hxxp://aromatee[.]com[.]au/inc/mail.php. Like the previous URL, this one sits on what looks like a legitimate domain whose server has been compromised to host the phishing page. I entered a fake password, and the form data was sent back to the server over plain HTTP, so the submitted credentials travel in cleartext.
Final words
These types of emails are all too common, and they are remarkably cost-effective. Most of you wouldn't fall for one, but people are fooled by similar messages, so phishing will remain a viable social engineering technique. A sanitized version of the email shown in this diary, along with a pcap of traffic to the associated phishing page, can be found here.
Brad 435 Posts ISC Handler Feb 10th 2021
Feb 10th 2021
Thanks for doing these, Brad. Even though they might seem repetitive for those of us that work them every day, for others it's their first time reading or following along. Good work :).
Chris Wilhelm 2 Posts
Feb 10th 2021
Thanks for the write-up, Brad.
For handlers of mail gateways: I've applied two additional checks on the From: header to stop such spoofed mails at our gateway. Referring to Brad's example:
1. check for "our" domain: "*@isc.sans.edu"
2. check for active user names: "IT .AND. support"
The second is to stop mails from "IT support isc.sans.edu <someone@otherdomain.tld>". The user names list is created with a simple PowerShell script from active AD users and imported once a month on the gateway.
BTW, please check your SPF entry; I guess something went wrong there:
$ dig +short isc.sans.edu txt
"v=spf1 include:isc.sans.edu._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
Ron 17 Posts
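The two From: header checks described in the comment above, written out as an added example; this is not the commenter's gateway configuration, and it is not code from the diary. It assumes isc.sans.edu is the only organisation domain, that the list of active user names has already been exported from AD (a constructed list stands in for that export here), and that the function is only run on mail arriving from outside the organisation. The first check fires when an external message claims our domain, either in the address or written into the display name; the second fires when every word of an active user's name appears in the display name while the address belongs to a foreign domain.

```python
import re
from email.utils import parseaddr

# Assumptions for this example: these are our own domains, and ACTIVE_USERS is a
# constructed stand-in for the monthly AD export of display names. Both checks
# are meant for mail arriving from outside the organisation only.
ORG_DOMAINS = {"isc.sans.edu"}
ACTIVE_USERS = {"IT Support", "Helpdesk", "Brad Duncan"}


def _words(text: str) -> set:
    """Lower-cased alphanumeric tokens, so 'IT support' and 'it-Support' compare equal."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def check_from_header(from_header: str, org_domains=ORG_DOMAINS, active_users=ACTIVE_USERS) -> list:
    """Return the reasons an external message's From: header should be blocked.

    An empty list means the header passed both checks."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    reasons = []

    # Check 1: an external message must not claim one of our own domains,
    # whether in the address itself or written into the display name.
    if domain in org_domains:
        reasons.append("address domain %s is ours but the message came from outside" % domain)
    for d in sorted(org_domains):
        if d in display.lower():
            reasons.append("display name contains our domain %s" % d)

    # Check 2: display name built from an active user's name while the address
    # is foreign (the "IT .AND. support" rule from the comment).
    if domain not in org_domains:
        shown = _words(display)
        for user in sorted(active_users):
            needed = _words(user)
            if needed and needed <= shown:
                reasons.append("display name impersonates active user '%s' via %s"
                               % (user, addr or "<no address>"))
    return reasons


if __name__ == "__main__":
    for hdr in (
        "IT support isc.sans.edu <someone@otherdomain.tld>",  # the commenter's example
        '"Brad Duncan" <bduncan@freemail.example>',
        '"Jane Partner" <jane@partner.example>',
    ):
        print(hdr, "->", check_from_header(hdr) or "pass")
```

As written, the domain check matches only the exact domain. The spoofed address in the diary, administrator@sans.isc.edu, reorders the labels and would pass it, so look-alike variants of your own domain deserve a pattern of their own alongside the exact match.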
Feb 13th 2021