Hello. Today, I received this email:
This is a basic phishing campaign, but the fact that they are still being run means they are still effective.
For a lot of people, this scam is obvious. But inexperienced users, like older people, can fall for this.
The mail app says "From: Apple", and the mail was sent to "email@example.com".
Of course, if you tap on "Apple", you see the address the mail was actually sent from: firstname.lastname@example.org.
This is the first step of a phishing campaign: trust. The scammers establish trust by editing the mail headers so that the mail seems legit. This is called email spoofing. Of course, there are a lot of glaring French mistakes in the text, but we're going to focus on the technical side of this scam.
So, how does email spoofing work? Basically, by editing the SMTP headers and tricking the mail client. In this case, the client does not display the sender's address at all, only the display name "Apple".
The header of the email is accessible here.
As we can see, the sender is "Apple" "email@example.com", and the recipient is "firstname.lastname@example.org".
Of course, there is no DKIM signature. They trick the client (in this case, my iPhone) into showing that the mail was addressed to the mail.apple.com address by editing the "To" field of the mail header: "To: email@example.com", while my actual address only appears in the "for" clause (in the Received header).
Another interesting thing the header tells us is the sender IP address: 220.127.116.11. A quick lookup tells us that this IP belongs to a Google mail server. The domain name was certainly registered through Google too. Let's check out the whois record of hayangawin.com:
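To make the two header tricks above concrete (the display name standing in for the address, and the "To:" field disagreeing with the address the receiving server actually delivered to), here is an added example that is not part of the original post. It parses a constructed message modelled on the one described: the addresses are the post's redaction placeholders, the IP is the one quoted in the post, and the exact shape of the Received line is an assumption since the post does not reproduce it verbatim.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the headers the post describes. The addresses are the
# post's own redaction placeholders and the IP is the one quoted there; the exact shape
# of the Received line is an assumption, since the post does not reproduce it.
SAMPLE_RAW = """\
Received: from hayangawin.com ([220.127.116.11])
        by mx.example.net with ESMTP id abc123
        for <firstname.lastname@example.org>; Tue, 30 Jul 2019 10:15:02 +0000
From: "Apple" <email@example.com>
To: email@example.com
Subject: Votre identifiant Apple a ete verrouille
Content-Type: text/plain; charset="utf-8"

Body text of the lure goes here.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def _received_lines(msg):
    """Return each Received header unfolded onto a single line."""
    return [re.sub(r"\s+", " ", str(h)) for h in (msg.get_all("Received") or [])]


def triage(raw):
    """Pull out the fields a reviewer compares when a 'From: Apple' mail looks off."""
    msg = message_from_string(raw, policy=default)
    sender = msg["From"].addresses[0]
    header_to = [a.addr_spec for a in msg["To"].addresses] if msg["To"] else []
    received = _received_lines(msg)

    # The 'for <...>' clause is written by the receiving server from the SMTP
    # RCPT TO command, so it cannot be faked by editing the message the way
    # the 'To:' header can.
    envelope_for = [m.group(1) for line in received for m in FOR_RE.finditer(line)]
    sender_ips = [m.group(1) for line in received for m in IP_RE.finditer(line)]

    from_domain = sender.addr_spec.rsplit("@", 1)[-1].lower()
    # Heuristic: a brand name in the display name that does not appear in the
    # sending domain is exactly the display-name trick described in the post.
    name_words = [w.strip('"').lower() for w in sender.display_name.split()]
    brand_mismatch = any(w and w not in from_domain for w in name_words)

    return {
        "display_name": sender.display_name,
        "from_addr": sender.addr_spec,
        "header_to": header_to,
        "envelope_for": envelope_for,
        "sender_ips": sender_ips,
        "has_dkim": "DKIM-Signature" in msg,
        "to_envelope_mismatch": bool(envelope_for) and set(header_to) != set(envelope_for),
        "brand_mismatch": brand_mismatch,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW).items():
        print(f"{key:>22}: {value}")
```

The point of comparing `header_to` with `envelope_for` is that the first is just text inside the message, while the second was recorded by the receiving server from the SMTP envelope; when they disagree, the "To:" line was written to mislead the reader, not to route the mail.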
Domain Name: HAYANGAWIN.COM
Registry Domain ID: 2411222910_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.google.com
Registrar URL: http://domains.google
Updated Date: 2019-07-25T20:01:10Z
Creation Date: 2019-07-10T07:07:25Z
Registry Expiry Date: 2020-07-10T07:07:25Z
Registrar: Google LLC
Registrar IANA ID: 895
Registrar Abuse Contact Email: firstname.lastname@example.org
Registrar Abuse Contact Phone: +1.8772376466
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS-CLOUD-E1.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-E2.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-E3.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-E4.GOOGLEDOMAINS.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
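Domain age is the single most useful fact in that record, so here is an added example (not from the original post) that parses the whois output above and turns the dates into the checks an analyst actually wants: how old the domain was when the mail arrived and whether it was bought for the shortest possible term. The receipt time is an assumption chosen to match the post's "created 20 days ago"; the thresholds are my own choices.

```python
from datetime import datetime, timezone

# The WHOIS record quoted in the post, reproduced as a constructed string.
WHOIS_TEXT = """\
Domain Name: HAYANGAWIN.COM
Registry Domain ID: 2411222910_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.google.com
Registrar URL: http://domains.google
Updated Date: 2019-07-25T20:01:10Z
Creation Date: 2019-07-10T07:07:25Z
Registry Expiry Date: 2020-07-10T07:07:25Z
Registrar: Google LLC
Registrar IANA ID: 895
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS-CLOUD-E1.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-E2.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-E3.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-E4.GOOGLEDOMAINS.COM
DNSSEC: unsigned
"""

# Assumed receipt time: the post only says the domain was created about 20 days
# before the mail arrived, so this value is chosen to match that statement.
RECEIVED_AT = datetime(2019, 7, 30, 10, 15, tzinfo=timezone.utc)

# Threshold is an analyst's choice, not a standard: legitimate brands have usually
# owned their domains for years, so anything this young deserves a second look.
YOUNG_DOMAIN_DAYS = 30


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeated keys (Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in record:
            existing = record[key]
            record[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            record[key] = value
    return record


def parse_whois_date(value):
    """Timestamps in this record are RFC 3339 UTC, e.g. 2019-07-10T07:07:25Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_domain(record, at=RECEIVED_AT, young_days=YOUNG_DOMAIN_DAYS):
    """Age and registration term of the domain, plus the two flags derived from them."""
    created = parse_whois_date(record["Creation Date"])
    expires = parse_whois_date(record["Registry Expiry Date"])
    age_days = (at - created).days
    term_days = (expires - created).days
    return {
        "domain": record["Domain Name"].lower(),
        "registrar": record["Registrar"],
        "age_days": age_days,
        "registration_term_days": term_days,
        "recently_registered": 0 <= age_days < young_days,
        # One year is the shortest term registrars sell; throwaway domains
        # rarely get more than that (366 here because 2020 is a leap year).
        "minimum_term": term_days <= 366,
    }


if __name__ == "__main__":
    for key, value in assess_domain(parse_whois(WHOIS_TEXT)).items():
        print(f"{key:>24}: {value}")
```

Two things to note when applying this to other records: the date format varies between registrars, so `parse_whois_date` needs adapting, and the age must be measured at the time the mail was received, not at the time of analysis, or an old campaign will look older than it was.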
The registrar of the domain is Google, and the domain was created 20 days ago, so this campaign has been running for at most twenty days. Let's check out the actual website the mail wants us to go to. Here is the link; don't click it if your computer is not safe.
This is the link:
This is a classic obfuscated link; it redirects to https://log-verifyaccntlckd.serveirc.com/?page=signin&appIdKey=2841c6daaa2b4a04a858ca823dc5949b727b7f41&locale=fr_FR
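Since the landing page is gone, what can still be examined is the link itself. The added example below (my own code, not the post's) does two things: it pulls every anchor out of an HTML mail body and flags the ones whose visible text claims one site while the href goes to another, and it breaks down the landing URL quoted above into the host, query and keywords that identify it as a credential lure. The HTML fragment and the redirector host in it are constructed, since the post does not reproduce the mail body; the list of lure words and the assumption that serveirc.com is a free dynamic-DNS suffix are mine.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the lure's button: the post does not reproduce the
# mail body, so the redirector host here is a placeholder.
SAMPLE_HTML = """
<p>Votre identifiant Apple a ete verrouille.</p>
<a href="http://redirector.example.net/go?id=1234">https://appleid.apple.com/</a>
"""

# The landing page the post says the link finally redirects to.
LANDING_URL = ("https://log-verifyaccntlckd.serveirc.com/?page=signin"
               "&appIdKey=2841c6daaa2b4a04a858ca823dc5949b727b7f41&locale=fr_FR")

# Words credential lures like to pack into hostnames; an analyst's list, not a standard.
LURE_WORDS = ("signin", "login", "verify", "accnt", "account", "lckd", "locked")
# Suffixes handed out by free dynamic-DNS services (assumption: serveirc.com is one).
DYNDNS_SUFFIXES = ("serveirc.com",)


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def extract_links(html):
    parser = AnchorCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def audit_anchor(text, href):
    """Flag the classic trick: link text that looks like one site, href that goes elsewhere."""
    findings = []
    if re.match(r"https?://", text, re.IGNORECASE) and host_of(text) != host_of(href):
        findings.append(f"text shows {host_of(text)} but href goes to {host_of(href)}")
    return findings


def audit_url(url):
    """Describe what a landing URL's host and query reveal about its purpose."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    findings = []
    hits = [w for w in LURE_WORDS if w in host]
    if hits:
        findings.append(f"lure words in hostname: {hits}")
    if any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES):
        findings.append("host is a free dynamic-DNS name, anyone can register one")
    query = parse_qs(parts.query)
    if query.get("page") == ["signin"]:
        findings.append("query selects a sign-in page")
    return {
        "host": host,
        # Last two labels only; good enough for .com, wrong for suffixes like co.uk.
        "registrable_domain": ".".join(labels[-2:]),
        "query": query,
        "findings": findings,
    }


if __name__ == "__main__":
    for text, href in extract_links(SAMPLE_HTML):
        print(text, "->", href, audit_anchor(text, href))
    print(audit_url(LANDING_URL))
```

The anchor check is the one worth wiring into a mail filter: a visible URL whose host differs from the href host is almost never legitimate, whereas the keyword and dynamic-DNS checks are only hints that need a human to look at them.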
Unfortunately, the website was taken down before I could go further in my analysis :(