Hello. Today, I received this email:


This is a basic phishing campaign, but if they still run them, it means that they are effective.
For a lot of people, this scam is obvious. But inexperienced users, like older people, can fall for this.

The mail app says "From: Apple", and the mail was sent to "no-reply-user@mail.apple.com".
Of course, if you click on Apple, this is the address the mail was sent from: dmc45dbnv9o@hayangawin.com.

This is the first step of a phishing campaign: trust. The scammers establish trust by editing the mail headers so that the mail looks legitimate. This is called email spoofing. Of course, the text is full of glaring French mistakes, but we're going to focus on the technical side of this scam.
So, how does email spoofing work? Basically, by editing the SMTP headers and tricking the mail client. In this case, the sender address is not displayed, only the display name "Apple".

The full header of the email is accessible here.
As we can see, the sender is "Apple" <mc45dbnv9o@hayangawin.com>, and the recipient is "no-reply-user@mail.apple.com".
Of course, there is no DKIM signature. They trick the client (in this case, my iPhone) into showing that the mail was addressed to the mail.apple.com address by editing the "To" field of the mail header: "To: no-reply-user@mail.apple.com", while my actual address only appears in the "For" field.
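The three tricks described above (a display name that does not match the sender domain, a "To" header that differs from the recipient the mail was actually delivered to, and a missing DKIM signature) can be checked automatically. This is an added example, not code from the original post: it parses a constructed message modelled on the headers discussed here (the Received line, the example.net mailbox and the timestamp are placeholders) and reports what the client shows versus what the headers say.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample, modelled on the headers described in the post.
# The Received line, "example.net" mailbox and timestamp are placeholders.
RAW_MESSAGE = """\
Received: from mail-sor-f68.google.com (mail-sor-f68.google.com. [209.85.217.68])
        by mx.example.net with ESMTPS id abc123
        for <victim@example.net>;
        Tue, 30 Jul 2019 10:00:00 +0000 (UTC)
From: Apple <dmc45dbnv9o@hayangawin.com>
To: no-reply-user@mail.apple.com
Subject: Votre compte a ete suspendu

Bonjour, ...
"""

# the 'for <addr>' clause of a Received header names the real recipient
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+)>?", re.IGNORECASE)
# the bracketed IP in the last-hop Received header is the connecting server
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def analyze_headers(raw: str) -> dict:
    """Compare what the mail client displays with what the headers say."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, to_addr = parseaddr(str(msg.get("To", "")))
    received = [str(h) for h in (msg.get_all("Received") or [])]
    delivered_to = [m.group(1).lower() for h in received
                    for m in [FOR_CLAUSE.search(h)] if m]
    ip_match = BRACKET_IP.search(received[0]) if received else None
    findings = []
    from_domain = from_addr.rpartition("@")[2].lower()
    if display_name and display_name.lower() not in from_domain:
        findings.append("display name does not match sender domain")
    if to_addr and delivered_to and to_addr.lower() not in delivered_to:
        findings.append("To header differs from actual recipient")
    if "DKIM-Signature" not in msg:  # header names are matched case-insensitively
        findings.append("no DKIM-Signature header")
    return {"display_name": display_name, "from_addr": from_addr,
            "to_header": to_addr, "delivered_to": delivered_to,
            "sender_ip": ip_match.group(1) if ip_match else None,
            "findings": findings}

if __name__ == "__main__":
    for key, value in analyze_headers(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```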

Another interesting thing the header tells us is the sender IP address: 209.85.217.68. A quick lookup shows that this IP belongs to a Google mail server. The domain name is certainly registered with Google as well. Let's check out the whois record of hayangawin.com.

whois record:

Domain Name: HAYANGAWIN.COM
Registry Domain ID: 2411222910_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.google.com
Registrar URL: http://domains.google
Updated Date: 2019-07-25T20:01:10Z
Creation Date: 2019-07-10T07:07:25Z
Registry Expiry Date: 2020-07-10T07:07:25Z
Registrar: Google LLC
Registrar IANA ID: 895
Registrar Abuse Contact Email: registrar-abuse@google.com
Registrar Abuse Contact Phone: +1.8772376466
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS-CLOUD-E1.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-E2.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-E3.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-E4.GOOGLEDOMAINS.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

The registrar of the domain is Google, and the domain was created 20 days ago, so this campaign has been running for at most twenty days. Let's check out the actual website the mail wants us to visit. Here is the link; don't click it if your computer is not safe.

This is the link:

https://t.umblr.com/redirect?z=https%3A%2F%2Fwww.localcommute.com%2Fwp-includes%2F751277721.php&t=MGQ5ZDk0MzVlNjdkOWZlM2FhM2M1NDYyMzU3NDRjY2Q1MDMwYjg2MyxZQ1hZT053TQ%3D%3D&b=t%3AiftJMrJSRAsmp1ImDvQevQ&p=https%3A%2F%2Flecaks.tumblr.com%2Fpost%2F186654229023%2Fhttpswwwlocalcommutecomwp-includes751277721&m=1?=SHSGEHVRMN

This is a classic obfuscated link: a t.umblr.com redirect whose target is a PHP file under wp-includes on localcommute.com. It ends up redirecting to https://log-verifyaccntlckd.serveirc.com/?page=signin&appIdKey=2841c6daaa2b4a04a858ca823dc5949b727b7f41&locale=fr_FR

Unfortunately, the website was taken down before I could go further in my analysis :(
