
Holiday Phishing

Posted by Michael Vien   |   December 8, 2015

The North Pole has announced a breach exposing billions of children's records, both past and present. Most importantly, the naughty list was also exposed and may be for sale on the Dark Web.

Obviously, this is just a joke, but it seems as if we hear of a new breach every week. Last week's VTech breach, using wireless toys as the vector, is just one sad example. The holiday season is the time of year when we think of family and try to be generous and kind to others. Unfortunately, not everyone thinks this way. There are those for whom this is the most profitable time of year, and I am not just talking about the retailers on Black Friday. The cyber-criminals of the world are lurking, trying to take advantage of the goodwill and the deal seekers of the season.

The average consumer is bombarded with emails from everyone and everywhere during this season. There are those they are happy to receive: emails from friends and family, deals from retailers, confirmations of orders for gifts purchased and on their way, and so on. Then there are those they are not so happy about but which are meant to keep them and their finances safe, such as fraud alerts and breach announcements. Regrettably, mixed in with the emails from those we trust or those who mean to help are messages meant to trick users into giving up their personal information, or simply to steal that information by means of malicious code, commonly called malware. The following screenshots show two similar-looking emails, both claiming to protect the user from a purchase made from a computer unknown to the vendor. Can you tell the difference?

[Screenshot 1: phisihing_email_1.png]

[Screenshot 2: phisihing_email_2.jpg]

Both emails are HTML based and contain images; however, the first (the bad) email consists of nothing but a single image (http://fisioterapiasantarita.com/pages/tn_364_64.jpg). It is important to note that the site hosting the image appears to be an unwitting accomplice to this scam. The text and all of the "links" are part of the image and therefore are not clickable on their own. I do like the touch of making the "link" to https://appleid.apple.com look like a site you had already visited by coloring it purple instead of blue. The entire image is one hyperlink which opens the user's default browser and sends it to a site registered in China (http://www.crre.com.cn/LICENSE.php). The listing below is the registration information for that domain.

Domain Name: crre.com.cn
ROID: 20100806s10011s70049164-cn
Domain Status: ok
Registrant ID: hc297019973-cn
Registrant: 中铁资源地质勘查有限公司
Registrant Contact Email: chenshaoqiang@buaa.edu.cn
Sponsoring Registrar: 阿里巴巴通信技术(北京)有限公司(原万网)
Name Server: dns13.hichina.com
Name Server: dns14.hichina.com
Registration Time: 2010-08-06 15:48:47
Expiration Time: 2018-08-06 15:48:47
DNSSEC: unsigned

Once the user's browser loads the HTML found at that URL, it is redirected, via an HTML meta refresh or JavaScript, to http://www.eventsbyjulia.com.au/post/iTunes/. The page's source is shown below.

<html><head>
<meta HTTP-Equiv="refresh" content="0; URL=http://www.eventsbyjulia.com.au/post/iTunes/">
<script type="text/javascript">
echo = "http://www.eventsbyjulia.com.au/post/iTunes/"
self.location.replace(echo);
window.location = echo;
</script>
</head>

This second site also does not appear to be malicious in itself, but it redirects by means of an HTTP 301 response to http://www.eventsbyjulia.com.au/post/iTunes/7377e9a7877f2dd7447915d731425563/, which in turn produces the page shown in the following screenshot:

Again, it is not evident from the screenshot, but the page is made up entirely of an image, making every link inactive with the exception of the input fields and the "Sign In" button. The site is obviously a clone of some version of the Apple Store login page, and its purpose is to trick unsuspecting users into handing their Apple credentials over to the bad guys.
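The redirect chain above (meta refresh or JavaScript, then a 301) can be walked statically, without ever rendering the attacker's HTML. The following is an added example, not code from the original post: a small resolver that extracts meta-refresh and JavaScript location targets (including the pattern seen here of assigning the URL to a variable first), follows 3xx Location headers, and stops on loops or after a hop limit. The network is replaced by a constructed dictionary of responses built from the URLs quoted in the post, so it runs offline; the loop.example entry is made up to exercise the loop check.

```python
"""Walk a phishing redirect chain without executing a single page.

Added example, not code from the original post. The network is replaced by a
dict so the script runs offline; the constructed responses mirror the hops the
post describes: an HTML page that redirects via meta refresh and JavaScript,
then an HTTP 301 to the credential-harvesting clone.
"""
import re
from urllib.parse import urljoin

SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# <meta http-equiv="refresh" content="0; URL=http://...">
META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']([^"']*)["']""",
    re.IGNORECASE,
)
# window.location = X / self.location.replace(X) / location.href = X, X quoted or a variable
JS_LOCATION = re.compile(
    r"""(?:window\.|self\.|document\.)?location(?:\.href)?\s*(?:=(?!=)|\.(?:replace|assign)\()\s*"""
    r"""(?P<q>["']?)(?P<target>[^"'\s;)]+)(?P=q)""",
    re.IGNORECASE,
)
# Simple `name = "string"` assignments, used to resolve a variable like the post's `echo`
JS_STRING_VAR = re.compile(r"""(?:var\s+|let\s+|const\s+)?(\w+)\s*=\s*["']([^"']+)["']""")


def find_html_redirect(html, base_url):
    """Return the URL an HTML page would redirect to, or None if it shows no redirect."""
    m = META_REFRESH.search(html)
    if m:
        # content="0; URL=http://...": delay first, then the target after an optional url=
        _, _, target = m.group(1).partition(";")
        target = re.sub(r"^\s*url\s*=\s*", "", target, flags=re.IGNORECASE).strip(" '\"")
        if target:
            return urljoin(base_url, target)
    for script in SCRIPT.findall(html):
        strings = dict(JS_STRING_VAR.findall(script))
        for jm in JS_LOCATION.finditer(script):
            target = jm.group("target")
            if jm.group("q") == "":  # bare identifier: look up the string assigned to it
                target = strings.get(target)
            if target:
                return urljoin(base_url, target)
    return None


def resolve_chain(start_url, fetch, max_hops=10):
    """Follow 3xx Location headers and in-page redirects from start_url.

    fetch(url) returns (status, headers, body). Returns (urls_visited, reason),
    where reason is "final", "loop" or "max_hops".
    """
    chain = [start_url]
    while True:
        status, headers, body = fetch(chain[-1])
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if 300 <= status < 400 and location:
            nxt = urljoin(chain[-1], location)
        else:
            nxt = find_html_redirect(body or "", chain[-1])
        if nxt is None:
            return chain, "final"
        if nxt in chain:
            return chain, "loop"
        if len(chain) >= max_hops:
            return chain, "max_hops"
        chain.append(nxt)


# Constructed stand-in for the network, using the URLs quoted in the post.
LICENSE_URL = "http://www.crre.com.cn/LICENSE.php"
ITUNES_URL = "http://www.eventsbyjulia.com.au/post/iTunes/"
CLONE_URL = ITUNES_URL + "7377e9a7877f2dd7447915d731425563/"

REDIRECT_HTML = """<html><head>
<meta HTTP-Equiv="refresh" content="0; URL=http://www.eventsbyjulia.com.au/post/iTunes/">
<script type="text/javascript">
echo = "http://www.eventsbyjulia.com.au/post/iTunes/"
self.location.replace(echo);
window.location = echo;
</script>
</head></html>"""

FAKE_WEB = {
    LICENSE_URL: (200, {"Content-Type": "text/html"}, REDIRECT_HTML),
    ITUNES_URL: (301, {"Location": CLONE_URL}, ""),
    CLONE_URL: (200, {"Content-Type": "text/html"}, "<html><body><img src='login.png'></body></html>"),
    # made-up page that refreshes to itself, to exercise the loop check
    "http://loop.example/": (200, {}, '<meta http-equiv="refresh" content="0;url=http://loop.example/">'),
}


def fake_fetch(url):
    return FAKE_WEB.get(url, (404, {}, ""))


if __name__ == "__main__":
    urls, reason = resolve_chain(LICENSE_URL, fake_fetch)
    print(" -> ".join(urls), f"({reason})")
```

Swapping `fake_fetch` for a function that performs a real request (with redirects disabled so each hop is recorded) turns this into a URL-scanner component; the hop limit and loop check matter because redirect pages like the one above are routinely chained and occasionally point back at themselves.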

There are other signs that the first email is a forgery, and knowing them will help keep your personal information and credentials where they belong. From the top of the email: the From address in the forgery is not in the apple.com domain, as it is in the legitimate email. Next, the forgery does not address the recipient personally. The legitimate email not only begins by addressing me by name (although oddly intimate with the "dear"), but also includes my email address (changed for my protection) as my ID. In the final paragraph of the fraudulent email there is the passive-aggressive threat to block your access to further purchases. Finally, the double closing of "Thanks" and "Regards" would not likely have made it past the editors at Apple.
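The structural tells described for the two emails (an HTML body that is nothing but one hyperlinked image, hosted on and linking to domains unrelated to the brand) and the checklist just given (sender domain, missing personal greeting) can be turned into automated mail triage. The following script is an added example, not code from the original post. It parses two constructed messages: the addresses, subjects and the legitimate message's wording are made up for the example, while the image and link URLs in the forgery are the ones quoted above. It reports which indicators each message trips; the brand domain is a parameter, and apple.com is used here to match the post.

```python
"""Flag the phishing indicators described in the post on a raw email.

Added example, not code from the original post. Both sample messages below are
constructed; only the forgery's image and link URLs are taken from the post.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _BodyScan(HTMLParser):
    """Collect visible text, link targets and image sources from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.hrefs, self.img_srcs = [], [], []
        self.imgs_in_anchor = 0
        self._anchor_depth = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._anchor_depth += 1
            if a.get("href"):
                self.hrefs.append(a["href"])
        elif tag == "img":
            if a.get("src"):
                self.img_srcs.append(a["src"])
            if self._anchor_depth:
                self.imgs_in_anchor += 1  # the post's "entire image is a hyperlink" pattern

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor_depth:
            self._anchor_depth -= 1

    def handle_data(self, data):
        self.text.append(data)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_brand(host, brand):
    return host == brand or host.endswith("." + brand)


def triage(raw_email, brand_domain):
    """Return the list of indicator names the message trips, in a fixed order."""
    msg = email.message_from_bytes(raw_email, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg["From"] or ""))
    if not _is_brand(from_addr.rpartition("@")[2].lower(), brand_domain):
        findings.append("from_not_brand_domain")
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return findings
    scan = _BodyScan()
    scan.feed(html_part.get_content())
    scan.close()
    visible = "".join(scan.text).strip()
    if scan.img_srcs and not visible:
        findings.append("image_only_body")  # nothing to read, everything is in the picture
    if any(not _is_brand(_host(h), brand_domain) for h in scan.hrefs):
        findings.append("link_to_foreign_domain")
    if any(not _is_brand(_host(s), brand_domain) for s in scan.img_srcs):
        findings.append("image_hosted_off_brand")  # e.g. an unwitting third-party host
    to_name, to_addr = parseaddr(str(msg["To"] or ""))
    lowered = visible.lower()
    greeted = (to_name and to_name.lower() in lowered) or (to_addr and to_addr.lower() in lowered)
    if not greeted:
        findings.append("no_personal_greeting")
    return findings


# Constructed forgery: made-up sender and recipient, real image/link URLs from the post.
FORGERY_EML = b"""From: Apple Support <security@apple-id-verify.example>
To: Jane Doe <jane.doe@example.com>
Subject: Your Apple ID was used to make a purchase from an unknown computer
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://www.crre.com.cn/LICENSE.php"><img src="http://fisioterapiasantarita.com/pages/tn_364_64.jpg"></a>
</body></html>
"""

# Constructed legitimate-style message: sender local part and wording are made up.
LEGIT_EML = b"""From: Apple <noreply@apple.com>
To: Jane Doe <jane.doe@example.com>
Subject: Your Apple ID was used to sign in from a new computer
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Jane Doe,</p>
<p>Your Apple ID (jane.doe@example.com) was used to sign in from a computer we have not seen before.</p>
<p>If this was you, no action is needed. Otherwise, <a href="https://appleid.apple.com/">change your password</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("forgery", FORGERY_EML), ("legitimate", LEGIT_EML)):
        print(label, triage(raw, "apple.com"))
```

The sender check only looks at the From header, which a spoofer can forge; in a real gateway it should be paired with SPF/DKIM/DMARC results. The image-only check is deliberately strict (no visible text at all), because that is exactly what made the email above unreadable to text-based filters.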

It is crucial, not only during the holiday season but year-round, that users familiarize themselves with the techniques of fraudsters and other cyber attackers. While this example did not include a malware component, it could easily be modified to include one. If malware were used in this fraud campaign, many more accounts would be compromised, because it is very easy to click the image accidentally while simply trying to work out whether the email is legitimate. Combine that ease of clicking, accidental or intentional, with either a previously unknown browser vulnerability (a zero-day) or simply a browser that has not been updated recently, and either scenario leads to malware being downloaded without any further interaction from the user.

If you do not want to be a victim, it is important to know how to protect yourself. Learn how you might be attacked, learn how to avoid being seen as a target, and learn how to protect your personal information, your computer, and possibly your company's computers and data.

Topics: Cyber Security, Email Security, Email Phishing
