Thursday, July 19, 2018

SecOps - Apple Purchase Phishing mail Analysis - Part 2


Phishing mail analysis - Part 2

This is a SecOps post and contains some technical content. It is the 3rd post about an Apple purchase phishing email, and SecOps part 2.

In Fast Analysis we asked some basic questions that can be helpful to most users.
In Part 1 we discussed the web site and its suspicious functions, and did some specific analysis of the domain, such as its creation date and reputation. In this last part we will check the email message and analyze the message body and header.

Since we know that the email is a phishing email, let's analyze it to identify a possible reason why it was not identified as spam by the anti-spam protections.

First, we need the original message with the header. Some ways to get the header are shown here. One important part of the header is Authentication-Results, as shown in the picture. We can see the real sender of the email: resolutioncenterapplesforms-billing.info and IP address: 209.85.214.100

Header information

As we did in Part 1, let's check the domain using whois.

Email Sender domain information.



It's a pretty new domain too, and it was created some days before the domain verifyouridentity.com. As mentioned, new domains are suspicious, and new domains from well-known companies are more suspicious. Checking the original message a little more, we see that the message is encoded with base64.

Encoding information


We should be able to read the original message in the email source, but since it's encoded with base64 we can't find the body of the email there. What we have is a text/html part encoded with base64. After "MIME-Version: 1.0" we see the base64 data, which ends with "==". Base64 is used to send binary data as clear text over text-only transports. It is sometimes used when we need to send an attachment or add a picture directly in the message body, but sending the message body itself as base64 isn't a good thing. You can see this in the pictures, including the "==" at the end. This base64 block is around 400 lines long in Notepad++.

Email body encoded (base64)

There are many ways to decode base64; I like the plugin for Notepad++. In the pictures, we can see the real message (phrases, links, ...) after the decode process.

Decoded email body.

And here the detail of the suspicious link.
Email link.
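The same header and body checks can be scripted. The following is an added example, not part of the original post: it reads Authentication-Results, undoes the base64 transfer encoding and lists the links, using a constructed message with placeholder domains (example.test, example.invalid) rather than the real mail.

```python
import email
import re
from base64 import b64encode
from email import policy

# Constructed sample: an HTML-only message whose body is base64 encoded.
# All domains are placeholders, not the indicators from this analysis.
_HTML = ('<html><body><p>Your Apple ID has been locked.</p>'
         '<a href="https://short.example.test/abc123">Review purchase</a>'
         '</body></html>')
RAW = (
    "Authentication-Results: mx.example.net;\r\n"
    " spf=pass smtp.mailfrom=billing.example.invalid;\r\n"
    " dkim=none\r\n"
    "From: Apple <noreply@apple.example.test>\r\n"
    "Subject: Your receipt\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + b64encode(_HTML.encode()).decode() + "\r\n"
)


def defang(url):
    """Write http/https as hxxp/hxxps so the link is not clickable in a report."""
    return url.replace("http", "hxxp", 1)


def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    # The receiving server records the envelope sender here; From: can claim anything.
    auth = str(msg.get("Authentication-Results", ""))
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()  # decodes the base64 transfer encoding
            links += re.findall(r'href="([^"]+)"', html)
    return {
        "from_header": str(msg["From"]),
        "envelope_sender": m.group(1) if m else None,
        # False means a plain-text search of the raw source would miss the URL.
        "url_visible_in_raw_source": any(u in raw for u in links),
        "links": [defang(u) for u in links],
    }


if __name__ == "__main__":
    for key, value in analyze(RAW).items():
        print(f"{key}: {value}")
```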

The first thing to notice is that the link is different from the website link that we checked in Part 1. It also points to a URL shortener website. Shortened URLs are commonly used to bypass anti-spam analysis. Why does this work? Let's check the domain.
Virus total analysis.

So, the URL was not considered suspicious on the last analysis day. This is one of the reasons that anti-spam would allow it. So there is a big difference between the mail URL (mysp.ac/4AQG6) and the final web site (verifyouridentity.com). One way to check the redirection is to use the wget command on Linux systems (you can use the Developer tools in your browser too).

wget result

If you check the wget result, you will see that there are a lot of redirects. Each 302 result is a redirect. The verifyouridentity.com website appears in the 3rd result. In this test verifyouridentity.com redirects to another web site; this could be a protection by the malicious website after identifying that the connection came from a wget command. If you have questions about user agents, go to this post.

Here are all the URLs from the result.

hxxps://mysp.ac/4AQG6
hxxp://www.bungamawaruntuktmu.igg.biz
hxxps://appleid.apple.verifyouridentity.com/?16shop
hxxps://href.li/?https://store.lilbub.com;Url
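To turn a saved wget log into a hop list like the one above, the requests and status codes can be parsed out of it. This is an added example, not the original post's tooling; the log is constructed in wget's default output format and every host in it is a placeholder.

```python
import re
from urllib.parse import urlsplit

# Constructed wget log (default output format); hosts are placeholders.
WGET_LOG = """\
--2018-07-19 10:00:00--  https://short.example.test/abc123
Connecting to short.example.test (short.example.test)|192.0.2.10|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://hop.example.test/ [following]
--2018-07-19 10:00:01--  http://hop.example.test/
HTTP request sent, awaiting response... 302 Found
Location: https://appleid.apple.lookalike.example.test/?kit [following]
--2018-07-19 10:00:02--  https://appleid.apple.lookalike.example.test/?kit
HTTP request sent, awaiting response... 302 Found
Location: https://decoy.example.test/ [following]
--2018-07-19 10:00:03--  https://decoy.example.test/
HTTP request sent, awaiting response... 200 OK
"""

REQUEST = re.compile(r"^--[\d-]+ [\d:]+--\s+(\S+)$")    # "--date time--  URL"
STATUS = re.compile(r"awaiting response\.\.\. (\d{3})")  # "... 302 Found"


def redirect_chain(log):
    """Return one dict per request: url, host, HTTP status, host_changed."""
    hops = []
    for line in log.splitlines():
        if (m := REQUEST.match(line)):
            url = m.group(1)
            host = urlsplit(url).hostname
            changed = bool(hops) and hops[-1]["host"] != host
            hops.append({"url": url, "host": host,
                         "status": None, "host_changed": changed})
        elif hops and (m := STATUS.search(line)):
            hops[-1]["status"] = int(m.group(1))
    return hops


def report(hops):
    """Defanged, numbered lines ready to paste into an incident ticket."""
    return [f'{i}. {h["status"]} {h["url"].replace("http", "hxxp", 1)}'
            for i, h in enumerate(hops, 1)]


if __name__ == "__main__":
    print("\n".join(report(redirect_chain(WGET_LOG))))
```

Only the first URL in the chain is present in the mail, so a filter that does not follow redirects scores that host alone.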


Possible root cause: The message body was encoded with base64, bypassing the anti-spam analysis. It also had many redirects. So the email was considered clean.

IOCs to block or watch on your network:

| Type | Data | Suspicious? |
|---|---|---|
| Email Address | REDJANG-DANCE959@APPLE.COM | Yes |
| IP Address | 209.85.214.100 | Neutral |
| IP Address | 63.135.90.71 | Yes |
| IP Address | 78.46.211.158 | Yes |
| IP Address | 188.40.116.114 | Yes |
| Source mail Domain | resolutioncenterapplesforms-billing.info | Yes |
| URL | hxxps://mysp.ac/4AQG6 | Yes |
| URL (base64) | aHR0cHM6Ly9teXNwLmFjLzRBUUc2 | Yes |
| URL | hxxp://www.bungamawaruntuktmu.igg.biz | Yes |
| URL | hxxps://appleid.apple.verifyouridentity.com/?16shop | Yes |
| URL | hxxps://href.li/?https://store.lilbub.com | Yes |

Some useful links:

Thursday, July 5, 2018

SecOps - Apple Purchase Phishing mail Analysis - Part 1

Phishing mail analysis - Part 1

This is a SecOps post. It will contain some technical content.

In this post we concluded that the email below is a phishing mail.

Phishing email 
So you can delete it.

 



Question: Important web mail platforms such as Microsoft, Google and Yahoo should have great anti-spam filters. I have some free accounts and I got really few spam emails on them. So getting a phishing mail is weird; let's do some analysis on the e-mail.







1. Let's access the links available in the email.

All links are the same: hxxps://mysp.ac/4AQG6.

Going to the page, we see a page that looks like the Apple website. It asks for a username and password. An important detail is that the page tries to present itself as a secure page: it shows the padlock (cryptography) next to the address. It's important to remember that the padlock only shows that the information exchanged between your computer and the server where the page is hosted is protected; it doesn't mean that the page is safe and secure. Details are in the picture below:

Web site link from email
HTTPS detail, not so safe...

You can see that the page looks like an Apple page. If you check the padlock on the page, you will see that the page is using HTTPS, which means that the traffic is encrypted.

On some computers, a warning message may be shown, like this one:
Browser warning

The website asks for your Apple ID and password. After entering the username and password, a new error is shown. Now it says that our account is blocked, but we have a button to unlock it. Let's click on it.
New error after credential input

The "Unlock Account" button redirects us to a new page: a form to fill in with information like name, address and some credit card data. Again, after filling in all the fields, it shows another error message.
Malicious form
Payment error message

If you enter your information on this site, the attacker will have your data and can buy things with your credit card. Now we have two theories:
  • It's a good site and we typed the data wrong, or it is a temporary error.
  • The page is trying to get more credit cards from us.

We still believe that the website is malicious, although it is good to have more reasons to classify the email as phishing. Sometimes someone will ask for more proof, even if we believe that it's just a way to get more credit card numbers. So another valid tip is about the site domain. We can use the tool called whois to get some info about the domain. The address that is shown in the browser is:

     https://appleid.apple.verifyouridentity.com/?16shop, and we only need the red part to check the domain.

Whois result
 

Reading the creation date (some tools show it as the registration date), we can infer that this is a pretty new domain, which isn't a good sign. Apple isn't a new company (if you are curious enough, check the whois info for apple.com). This first analysis reached the same conclusion: the email is malicious. From the analysis we can also infer that the purpose of the email is to get personal and credit card data.

- URL: verifyouridentity.com

New things get old. What can you do if you are seeing this post some time later: 6 months, 1 year or even more? You should check the reputation of the domain. For example, go to the VirusTotal web site and look up the domain. This is the result for this domain.

Virustotal result


In the next post, we will do the email analysis.