(Bad) Amazon Phishing Email

Introduction

Fortunately, my wife is a smart cookie and always suspicious of weird looking email. Maybe its due to the fact she lives with a paranoid guy. In any case, she caught this phishing email, which appears to be from Amazon, and leads to a fake login page.

Contents

The phishing email comes from “amazon@iservice.co.org.il” with the badly misspelled subject “your accounnt information need to be updated”. Its content is a screenshot of an authentic Amazon email, which lets it slip past text-based filters. However, the attacker managed to misspell the only field he actually had to type himself.

[Figure: A fake Amazon account confirmation email which contains a single image.]

Clicking anywhere on the image redirects the target to “http://bestofferz.biz/service/support/wp-admin/support/support/”, which hosts a fake login page as shown below:

[Figure: Fake Amazon login page. The attacker is hosting it on HostGator.]

Looking under the hood, the entire page is actually a single JavaScript function call that decrypts a long Base64-encoded string and writes the result into the document.

The encryption key is stored in the hea2p variable right next to the HTML code. The entire code can be analyzed here, together with the AES JavaScript code here. If the target enters his email and password, he is then forwarded to a fake account creation page asking for his address.
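Because the visible content only exists after the script runs, the page is opaque to anything that inspects the HTML statically. A defender can still recognise the pattern without executing the script: one large Base64 literal, a short string literal next to it, and a document.write of a decryption call. The script below is an added example for this post, not the kit's code or anything from the original article. The variable name hea2p is taken from the post; the ciphertext variable name hea2t, the GibberishAES.dec call and the OpenSSL-style "Salted__" prefix are assumptions made for the constructed sample (that layout is what the common OpenSSL-compatible JavaScript AES libraries emit), and the blob itself is constructed bytes, not real ciphertext.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample modelled on the post's description: the whole page body is one
# script that decrypts a Base64 blob with a key held in the variable `hea2p`.
# `hea2t`, `GibberishAES.dec` and the "Salted__" layout are assumptions for this example.
_BLOB = base64.b64encode(b"Salted__" + bytes(range(8)) + bytes(range(256)) * 4).decode()
SAMPLE_PAGE = f"""<html><head><script src="aes.js"></script></head><body>
<script>
var hea2t = "{_BLOB}";
var hea2p = "b2f6e0d1c4";
document.write(GibberishAES.dec(hea2t, hea2p));
</script>
</body></html>"""

# Simple assignment scan: var/let/const NAME = "literal". Enough for kits of this shape.
_ASSIGN = re.compile(r'(?:var|let|const)\s+(\w+)\s*=\s*(["\'])(.*?)\2', re.S)
_WRITER = re.compile(r'document\.write\(\s*([A-Za-z_$][\w$.]*)\s*\(')
_B64 = re.compile(r'[A-Za-z0-9+/]+={0,2}')


class _Split(HTMLParser):
    """Separates inline <script> bodies from the text a reader would actually see."""

    def __init__(self):
        super().__init__()
        self.scripts, self.visible, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        (self._buf if self._buf is not None else self.visible).append(data)


def _looks_base64(s):
    """Return the decoded bytes if `s` is well-formed Base64, else None."""
    if len(s) % 4 or not _B64.fullmatch(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None


def triage_page(html, min_blob=256):
    """Report whether a page's content exists only as a blob decrypted client-side."""
    p = _Split()
    p.feed(html)
    report = {"visible_text_chars": sum(len(t.strip()) for t in p.visible),
              "blob": None, "key_var": None, "writer_call": None}
    for script in p.scripts:
        for name, _quote, value in _ASSIGN.findall(script):
            raw = _looks_base64(value) if len(value) >= min_blob else None
            if raw is not None and report["blob"] is None:
                report["blob"] = {"var": name, "encoded_chars": len(value),
                                  "decoded_bytes": len(raw),
                                  # OpenSSL "enc" layout: 8-byte magic, 8-byte salt, ciphertext
                                  "openssl_salted": raw.startswith(b"Salted__")}
            elif 4 <= len(value) <= 64 and report["key_var"] is None:
                report["key_var"] = name  # short literal beside the blob: likely the key
        m = _WRITER.search(script)
        if m and report["writer_call"] is None:
            report["writer_call"] = m.group(1)
    report["content_is_decrypted_at_runtime"] = (
        report["blob"] is not None and report["writer_call"] is not None
        and report["visible_text_chars"] == 0)
    return report


if __name__ == "__main__":
    for k, v in triage_page(SAMPLE_PAGE).items():
        print(f"{k}: {v}")
```

The verdict field is the useful output for a URL-scanning pipeline: a page with zero visible text whose only script is "decrypt blob, write result" is worth rendering in a sandboxed browser before any content-based classifier sees it, since the static HTML carries nothing to classify.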

[Figure: Fake Amazon account creation page.]

And of course, it will then ask you for your credit card information, which is possibly the end goal of the phisher.

[Figure: Fake credit card information request page.]

All the pages are encrypted with the same key. Only after entering this information does the target get redirected to the real Amazon website.

[Figure: Page shown after the phishing operation completes, before the redirect to the real Amazon website.]

Conclusion

Remember to always check the URL and the From email address!

Possible Phishing Campaign Against Academic Institutions

Introduction

On 26 and 27 April 15, multiple colleagues from my department received a phishing email sent from legitimate, but likely compromised, email accounts belonging to Indian-based academic institutions. The objective was likely to steal the targets' email credentials.

Analysis

The details of one of the emails received are included below:

The email was sent with “Low Importance”, probably as a way to attract additional attention: many people ignore the “Urgent” flag because they receive so many urgent emails, whereas emails carrying the “Low Importance” flag and icon are uncommon. Because users rarely see low importance emails, they tend to open them before the urgent ones.

While the message was caught as SPAM by Symantec, this is clearly more than a spam attempt: it tries to lure the target to a ContactMe page in order to receive an “upgrade” to their webmail application. The “Contact Me” page requests information about the user and their credentials. Of note, many of the characters on the page are accented for some reason, possibly to bypass content restrictions of the service:

[Figure: Phishing ContactMe webpage sent to my email account.]

Once the target fills in the information and clicks “Send Message”, a thank you note is displayed. Using the ContactMe website spares the operator from having to stand up a web server and buy/register a domain, which leaves a lot of traces; a self-hosted page may ultimately look more convincing, though, as it would not be subject to any content restrictions.

The sender’s email is pprusti@immt.res.in, which based on the suffix, is an email from the Institute of Minerals and Materials Technology, an advanced research institute in the field of mineralogy to materials engineering, established in Bhubaneswar, Odisha. A contact page on the website links the email address to Ms. Pallishree Prusti, from the Mineral Department. Therefore, this is a legitimate email address, which more than likely has been compromised.

[Figure: Email of Ms. Pallishree Prusti from the website of the IMMT.]

Similar emails from a different sender, systemadmin.net@muhas.ac.tz, were reported as well. This time, the address is associated with the Muhimbili University of Health and Allied Sciences (MUHAS) in Tanzania.

In this operation, the targeted emails were academic addresses. It appears that the operator may be targeting academic personnel by sending fake email upgrade notifications. It is unclear where the adversarial operator found the target email addresses. While this operation does not appear advanced or sophisticated in any way, it is very targeted. The adversary in this case may only be some student phishing for papers he can sell online or use for his own degree.

Indicators (for signatures)

  • http://www.contactme.com/553d4f488ed40c000300bde2

Conclusion

This phishing email may just be one amongst many others and does not appear to come from a highly skilled operator. While the campaign appears targeted at academic institutions, it does not appear to target a specific field of activity. If you have encountered this email, please leave a comment with some information that would help determine whether this specific operation is targeted or just another large campaign from a criminal group or a botnet.

The Past, Present and Future of Chinese Cyber Operations

Out of nowhere, here’s an article I wrote for the Canadian Military Journal. China, as one of many alleged actors on the frontier of cyber espionage, is best understood by briefly examining the past century, how it influences contemporary cyber operations attributed to Chinese-based actors, and how they could be used against the Canadian Armed Forces in a potential Southeast Asian conflict.

See the full article here: https://www.academia.edu/7633668/The_Past_Present_and_Future_of_Chinese_Cyber_Operations; or

here: http://www.journal.forces.gc.ca/vol14/no3/PDF/CMJ143Ep26.pdf


Malware Authors Love Obama Too

The Register reports that malware creators are already using Mr. Obama’s popularity to distribute the Papras Trojan using spam, social engineering and Google Ads[1].

Users usually receive an email from what seem to be legitimate news sources such as CNN and BBC, inviting them to watch Barack Obama’s speech on the source’s website. The content of the email is the following[2]:

Barack Obama Elected 44th President of United States

Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!

Proceed to the election results news page>>

2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.

And senders are usually:

  • news@cnn.com
  • news@usatoday.com
  • news@online.com
  • news@c18-ss-1-lb.cnet.com
  • news@president.com
  • news@unitedstates.com
  • news@bbc.com

The email contains a link to a fake website, which prompts the users to update their Flash player in order to see the speech. Of course, the update is actually a Trojan.

Screen shots of the email and fake website, from F-Secure[3]:


Papras is an information-stealing Trojan that tries, among other things, to get hold of logins and passwords. At the time of writing, this Trojan is detected by only 14 of the 36 major anti-virus programs.


[1] “Obama-themed malware mauls world+dog”, Dan Goodin, The Register, November 5, 2008, http://www.theregister.co.uk/2008/11/05/obama_malware_attacks/ (accessed November 6, 2008)

[2] “Computer Virus masquerades as Obama Acceptance Speech Video”, Gary Warner, CyberCrime & Doing Time, November 5, 2008, http://garwarner.blogspot.com/2008/11/computer-virus-masquerades-as-obama.html (accessed November 6, 2008)

[3] “US Presidential Malware”, F-Secure, November 5, 2008, http://www.f-secure.com/weblog/archives/00001530.html (accessed November 6, 2008)