2013-10-24 - ANOTHER PHISHING EMAIL

On Thursday 2013-10-24, a phishing email was sent to one of my Yahoo email addresses.  It was a fake Western Union message.

 

A CLOSER LOOK

Normally, I just delete these; however, I wanted to look at another phishing email for this blog...  Let's find the email headers, as shown below.

 

This gives us header information, which I'll copy and paste into a text file to examine more closely.

 

Based on the full header information shown below, the email reached the Yahoo mail servers from toroondcmxzomta02-srv.bellnexxia.net at 67.69.168.81.  That much is fairly certain, because Yahoo's own server wrote that "Received:" line.  The earlier "Received:" lines and the Message-ID header were already in the message when it arrived, so the sender could have forged them; taken at face value, though, they indicate the message originated from toroon63-1176242568.sdsl.bell.ca at 70.28.9.136, which is a Canadian IP address.  Either way, it's not from Western Union.
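To make that hop-by-hop reading repeatable, here is an added example (mine, not from the original post) that walks the "Received:" chain with Python's standard email module.  The message it parses is constructed: the hop hostnames and IP addresses are the ones from the headers above, while the Yahoo server name, the timestamps and the Message-ID value are placeholders.

```python
import email
import re

# Constructed sample message (not the actual email from the post).  The hop
# hostnames and addresses are the ones named above; the Yahoo server name,
# the timestamps and the Message-ID value are made up for illustration.
RAW_MESSAGE = """Received: from toroondcmxzomta02-srv.bellnexxia.net (67.69.168.81)
 by mta1.mail.example.yahoo.com with SMTP; Thu, 24 Oct 2013 10:15:02 -0700
Received: from toroon63-1176242568.sdsl.bell.ca ([70.28.9.136])
 by toroondcmxzomta02-srv.bellnexxia.net with ESMTP; Thu, 24 Oct 2013 13:14:59 -0400
Message-ID: <20131024171459.0001@toroon63-1176242568.sdsl.bell.ca>
From: "Western Union" <noreply@westernunion.example>
Subject: Your transfer has a problem

Click here to resolve the problem
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw):
    """Return the Received: hops, newest first, in the order the message lists them.

    hops[0] was written by the receiving (here: Yahoo) server and is the only
    hop the recipient can vouch for; every later entry was already in the
    message when it arrived and could have been forged by the sender.
    """
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold the continuation lines
        from_m = FROM_RE.search(text)
        by_m = BY_RE.search(text)
        ip_m = IPV4_RE.search(text)
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "ip": ip_m.group(1) if ip_m else None,
            "by": by_m.group(1) if by_m else None,
        })
    return hops


def chain_is_consistent(hops):
    """Each hop's 'from' host should be the 'by' host of the next older hop.

    A forged chain often breaks this; a clean chain is no proof of anything.
    """
    return all(hops[i]["from"] == hops[i + 1]["by"] for i in range(len(hops) - 1))


def message_id_host(raw):
    """Host part of Message-ID; set by the sender, so it is a claim, not proof."""
    mid = email.message_from_string(raw).get("Message-ID", "")
    m = re.search(r"@([^>\s]+)", mid)
    return m.group(1) if m else None


if __name__ == "__main__":
    hops = received_hops(RAW_MESSAGE)
    print("trusted last hop :", hops[0]["from"], hops[0]["ip"])
    print("claimed origin   :", hops[-1]["from"], hops[-1]["ip"])
    print("Message-ID host  :", message_id_host(RAW_MESSAGE))
    print("chain consistent :", chain_is_consistent(hops))
```

Paste the real headers from the Yahoo "full header" view into RAW_MESSAGE and the same functions apply; only the topmost hop should be treated as fact.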

 

Hovering the mouse over the link for "Click here to resolve the problem" shows the following URL: http://www.sqpvc.com/weest/pirac.html.  If we put this URL in a browser on a vulnerable VM, we get a warning screen stating bibilicicas.com has been reported as unsafe.

 

Why do we get that message?  Because a URL for bibilicicas.com/a/click.php is embedded within an iframe in the HTML for that web page, as shown below:
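An added example (not from the original post) of pulling the embedded resources out of a landing page like that one and flagging the ones served from a different host than the page itself.  The HTML here is a constructed stand-in for pirac.html, since the post only shows a screenshot; the bibilicicas.com/a/click.php iframe is the one element taken from the text, and the hidden-frame check is a general heuristic, not something the post claims about this page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "http://www.sqpvc.com/weest/pirac.html"

# Constructed stand-in for the landing page.  Only the bibilicicas.com iframe
# is from the post; the other elements are invented to exercise the scanner.
SAMPLE_HTML = """<html><body>
<p>Please wait while we load your transfer details...</p>
<iframe src="http://bibilicicas.com/a/click.php"></iframe>
<iframe src="/weest/local.html" style="display: none"></iframe>
<script src="http://www.sqpvc.com/js/loader.js"></script>
<a href="http://www.westernunion.example/">Western Union</a>
</body></html>"""

# Elements that make the browser fetch and run/render a remote resource.
EMBED_TAGS = {"iframe": "src", "frame": "src", "script": "src", "object": "data", "embed": "src"}


def _looks_hidden(attrs):
    """Common drive-by pattern: a 0x0 / 1x1 or display:none frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    size = {(attrs.get("width") or "").lower(), (attrs.get("height") or "").lower()}
    return bool(size & {"0", "1", "0px", "1px"}) or "display:none" in style or "visibility:hidden" in style


class EmbedCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        attr_name = EMBED_TAGS.get(tag)
        if not attr_name:
            return
        a = dict(attrs)
        src = a.get(attr_name)
        if not src:
            return
        self.embeds.append({
            "tag": tag,
            "url": urljoin(self.base_url, src),  # resolve relative references
            "hidden": _looks_hidden(a),
        })


def find_embeds(html, page_url):
    parser = EmbedCollector(page_url)
    parser.feed(html)
    parser.close()
    return parser.embeds


def third_party_embeds(html, page_url):
    """Embeds whose host differs from the page's own host."""
    host = urlsplit(page_url).hostname
    return [e for e in find_embeds(html, page_url) if urlsplit(e["url"]).hostname != host]


if __name__ == "__main__":
    for e in find_embeds(SAMPLE_HTML, PAGE_URL):
        print(e)
    print("third party:", [e["url"] for e in third_party_embeds(SAMPLE_HTML, PAGE_URL)])
```

Run it against the saved HTML of the page (fetched from an isolated VM, never from a workstation) and the third-party list is what to resolve and look up next, exactly as the post goes on to do for bibilicicas.com.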

 

Here's the traffic that's generated when you run the link in a web browser that doesn't have any protective settings enabled:

The domain sqpvc.com was created on 2011-02-28 and is registered to a Chinese organization, with a POC email contact ending in 163.com.  Emails using 163.com have been associated with actors related to China cyber espionage, as noted most recently in Mandiant's APT1 report.  Keep in mind, though, that 163.com is one of the largest free webmail providers in China, so a 163.com registrant address by itself is a weak indicator.

The domain bibilicicas.com was created on 2013-10-05, less than 3 weeks before this email.  The registrant is supposedly a person named Lyne Tremblay from Canada.

Monitoring the traffic with Security Onion, I got the following two alerts:

As seen below, these alerts both triggered on 208.91.197.241, which is the IP address bibilicicas.com is using.  I think there's some overlap in the list of IP addresses, so this should probably only be one signature, not two.

alert udp $HOME_NET any -> [199.79.63.102,2.133.128.98,202.29.230.198,203.170.193.23,204.188.238.141,204.188.238.142,204.93.211.115,208.117.43.74,
208.73.211.28,208.84.134.132,208.91.197.241] any (msg:"ET CNC Zeus Tracker Reported CnC Server UDP (group 11)"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404171; rev:3259;)

alert tcp $HOME_NET any -> [208.84.134.132,208.91.197.241,208.91.198.194,209.59.216.46,210.211.108.215,212.225.213.253,213.57.77.220,216.107.154.205,
216.176.100.240,216.215.112.149,31.148.219.85] any (msg:"ET CNC Zeus Tracker Reported CnC Server TCP (group 12)"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404172; rev:3259;)

These signatures are meant to catch computers that are already infected with Zeus and calling back to a command and control (CnC) server: they match on the destination IP address alone (the TCP rule only on the initial SYN), with no check of the payload, and the threshold limits them to one alert per source address per hour.  In this case, these alerts are a false positive, because we're looking at HTTP traffic that was generated when purposefully viewing a website, not a bot checking in.  That bibilicicas.com is hosted on an address the Zeus Tracker list flags is still worth noting alongside the other indicators.
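As an added example, not part of the original post, here is a minimal matcher for the two rules above that shows why a deliberate visit fires them: it parses the rule text, matches on protocol and destination IP only (plus the SYN flag for the TCP rule), applies the "type limit" threshold, and lists the addresses the two IP groups share.  The packet sequence it replays is constructed, including the single UDP datagram; the post does not say what UDP traffic produced its alert.

```python
import re

# The two Emerging Threats rules quoted above, copied verbatim (the line break
# in the middle of each IP list is joined here).
RULES_TEXT = [
    'alert udp $HOME_NET any -> [199.79.63.102,2.133.128.98,202.29.230.198,203.170.193.23,204.188.238.141,204.188.238.142,204.93.211.115,208.117.43.74,208.73.211.28,208.84.134.132,208.91.197.241] any (msg:"ET CNC Zeus Tracker Reported CnC Server UDP (group 11)"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404171; rev:3259;)',
    'alert tcp $HOME_NET any -> [208.84.134.132,208.91.197.241,208.91.198.194,209.59.216.46,210.211.108.215,212.225.213.253,213.57.77.220,216.107.154.205,216.176.100.240,216.215.112.149,31.148.219.85] any (msg:"ET CNC Zeus Tracker Reported CnC Server TCP (group 12)"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404172; rev:3259;)',
]

# Only handles the shape these two rules have: "alert <proto> <src> <port> -> [ip,...] <port> (options)".
RULE_RE = re.compile(
    r"^alert\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+\[(?P<dst>[^\]]+)\]\s+\S+\s+\((?P<opts>.*)\)\s*$",
    re.S,
)
THRESHOLD_RE = re.compile(r"threshold:\s*type\s+limit,\s*track\s+by_src,\s*seconds\s+(\d+),\s*count\s+(\d+)")


def parse_rule(text):
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unrecognised rule syntax")
    opts = m.group("opts")
    thr = THRESHOLD_RE.search(opts)
    return {
        "sid": int(re.search(r"\bsid:(\d+)", opts).group(1)),
        "proto": m.group("proto"),
        "dst": {ip.strip() for ip in m.group("dst").split(",")},
        "syn_only": bool(re.search(r"\bflags:S;", opts)),  # TCP rule: SYN packets only
        "window": int(thr.group(1)) if thr else 0,          # seconds per source address
    }


def shared_ips(rules_text):
    """Addresses that appear in every rule's destination list (the overlap noted above)."""
    sets = [parse_rule(r)["dst"] for r in rules_text]
    return sorted(set.intersection(*sets))


class Sensor:
    """Destination-IP matcher with 'threshold: type limit, count 1' semantics."""

    def __init__(self, rules_text):
        self.rules = [parse_rule(r) for r in rules_text]
        self.window_start = {}  # (sid, src) -> time of the alert that opened the window

    def inspect(self, t, proto, src, dst, syn=False):
        fired = []
        for r in self.rules:
            if r["proto"] != proto or dst not in r["dst"]:
                continue
            if r["syn_only"] and not syn:
                continue
            key = (r["sid"], src)
            start = self.window_start.get(key)
            if start is None or t - start >= r["window"]:
                self.window_start[key] = t  # first hit in the window alerts, the rest are suppressed
                fired.append(r["sid"])
        return fired


# Constructed packet sequence for a browser on 10.0.0.5 fetching from 208.91.197.241.
# The UDP datagram is included only to reproduce the second alert; the post does
# not say what UDP traffic actually triggered it.
CONSTRUCTED_FLOW = [
    (0.00, "tcp", "10.0.0.5", "208.91.197.241", True),   # SYN for the first connection
    (0.05, "tcp", "10.0.0.5", "208.91.197.241", False),  # HTTP request on that connection
    (0.30, "tcp", "10.0.0.5", "208.91.197.241", True),   # SYN for a second connection
    (0.40, "udp", "10.0.0.5", "208.91.197.241", False),  # constructed UDP datagram
]


def replay(sensor, flow):
    alerts = []
    for t, proto, src, dst, syn in flow:
        sids = sensor.inspect(t, proto, src, dst, syn)
        if sids:
            alerts.append((t, sids))
    return alerts


if __name__ == "__main__":
    print("shared IPs:", shared_ips(RULES_TEXT))
    print("alerts    :", replay(Sensor(RULES_TEXT), CONSTRUCTED_FLOW))
```

The second SYN does not alert because the threshold window for that source is still open, which is why a busy browsing session produces one line per rule rather than one per connection; nothing in either rule looks at what the connection carries.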

 

FINAL NOTES

I couldn't find anything actually harmful in the link, although the traffic is extremely suspicious.  My previous examination of phishing email in July 2013 revealed some actual malware, but not so in this case.
