This is a SecOPS post. It will contain some technical content. This is the 3rd post about a Apple purchase phishing and SecOps part 2.
In Part 1 we discussed about the web site and its suspicious functions and did some specific analysis about the domain like date of creation and reputation. This last part we will check the email message and do a analysis on the message body and header.
As we know that the email is a phishing email, lets analyze the email to identify a possibility cause that it was not identified as spam by the anti-spam protections.
First, we need the original message with the header. Some ways how to get the header is shown here. One important header part is the Authentication-Results, as shown in the picture. We can see the real sender of the email: resolutioncenterapplesforms-billing.info and IP address: 209.85.214.100.
 |
| Header information |
As we did on Part 1, using whois let's check the domain.
 |
| Email Sender domain information. |
It's a pretty new domain too and it was created some days before the domain verifyouridentity.com. As told, new domains are suspicious and new domains from well know companies are more suspicious. Checking the original message, a little more, we see that the message is encoded with base64.
 |
| Encoding information |
We should be able to read the email with the original message. Since it's encoded with base64 we can't find the body of the email. The information is that we have a txt/html encoded with base64. After "MIME-Version: 1.0" we see the Base64 data, which end with "==". Base64 it's used to send binary data as clear text over text-only transfer. Base64 it's used sometimes like when we need to send an attachment or when we add a picture directly at message body, but sending the body message as a base64 isn't a good thing. You can see the pictures and the end with "==". This base64 contains around 400 lines on notepad++.
 |
| Email body encoded (base64) |
There are many ways to decode base64, I like the plugin with
Notepad++
software. On pictures, we can see the real message (phrases, links,..) after
the decode process.
 |
| Decoded email body. |
 |
| Email link. |
 |
| Virus total analysis. |
 |
| wget result |
hxxps://mysp.ac/4AQG6
hxxp://www.bungamawaruntuktmu.igg.biz
hxxps://appleid.apple.verifyouridentity.com/?16shop
hxxps://href.li/?https://store.lilbub.com;Url
|
Type |
Data |
Suspicious? |
|
Email
Address |
REDJANG-DANCE959@APPLE.COM |
Yes |
|
IP
Address |
209.85.214.100 |
Neutral |
|
IP
Address |
63.135.90.71 |
Yes |
|
IP
Address |
78.46.211.158 |
Yes |
|
IP
Address |
188.40.116.114 |
Yes |
|
Source mail
Domain |
resolutioncenterapplesforms-billing.info |
Yes |
|
URL |
hxxps://mysp.ac/4AQG6 |
Yes |
|
URL
(base64) |
aHR0cHM6Ly9teXNwLmFjLzRBUUc2 |
Yes |
|
URL |
hxxp://www.bungamawaruntuktmu.igg.biz |
Yes |
|
URL |
hxxps://appleid.apple.verifyouridentity.com/?16shop |
Yes |
|
URL |
hxxps://href.li/?https://store.lilbub.com |
Yes |
Some useful links:
- Debugging an empty spam email
- Filtering base64 encoded spam
- About SPF,DKIM e DMARC
- Email Header
Analysis
- Tool to
decode base64
No comments:
Post a Comment