Phishing mail analysis - Part 1
This is a SecOPS post. It will contain some technical content.
In this post we conclude that the email below is a phishing mail.
|Phishing email|
Question: The major web mail platforms (Microsoft, Google, Yahoo, ...) should have good anti-spam filters. I have some free accounts there and I get very few spam emails. So a phishing mail getting through is unusual; let's do some analysis on the e-mail.
1. Let's look at the links available in the email.
All links are the same: hxxps://mysp.ac/4AQG6.
Going to the page, we see a page that looks like the Apple website. It asks for a username and password. An important detail is that the page tries to present itself as a secure page: it shows the padlock (encryption) icon next to the address. Remember that the padlock only means that the traffic between your computer and the server where the page is hosted is encrypted; it does not mean that the page is safe or legitimate, since anyone who controls a domain can get a certificate for it. Details in the picture below:
|Web site link from email|
|HTTPS detail, not so safe...|
|New error after credential input|
|Payment error message|
- It is a legitimate site and we typed the data wrong, or it is a temporary error.
- The page is trying to get more credit card numbers from us.
We still believe that the website is malicious, although it is good to have more reasons to classify the email as phishing. Sometimes someone will ask for more proof, even if we believe that the error is just a way to collect more credit card numbers. So another valid tip is to look at the site's domain. We can use the tool called whois to get some info about the domain. The address shown in the browser is:
https://appleid.apple.verifyouridentity.com/?16shop, and we only need the registered domain (the part shown in red in the picture) for the whois lookup; the subdomains in front of it are chosen by whoever controls that domain.
Reading the creation date (some tools show it as the registration date), we can infer that this is a pretty new domain, which is not a good sign. Apple is not a new company (if you are curious enough, check the whois info for apple.com). This first analysis reaches the same conclusion: the email is malicious. The analysis also tells us the purpose of the email: to collect personal and credit card data.
- URL: verifyyouridentity.com
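The two checks above (cut the URL down to the registered domain, then read the creation date out of the whois record) are easy to script so they can be run on every suspicious link. The block below is an added example for this post, not a tool the post used: the URL is the one from the email, the WHOIS text is a constructed sample in the common registrar output format with a placeholder creation date (feed it the real `whois` output instead), and the "last two labels" rule for the registered domain is a simplification that ignores the Public Suffix List (it would be wrong for a domain under co.uk, for example).

```python
"""Added example: extract the registered domain from a phishing URL and flag it
if the WHOIS creation date is recent. Not code from the original post."""
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlparse

# Constructed WHOIS sample in the usual registrar format. The dates are
# placeholders for the example; they are not the real record of this domain.
SAMPLE_WHOIS = """\
Domain Name: VERIFYOURIDENTITY.COM
Registry Domain ID: PLACEHOLDER-ID
Registrar: Example Registrar, Inc.
Creation Date: 2019-02-10T08:15:00Z
Registry Expiry Date: 2020-02-10T08:15:00Z
Name Server: NS1.EXAMPLE-DNS.NET
"""

# Different whois servers label the creation date differently.
_DATE_KEYS = ("creation date", "created on", "created", "registration date", "registered on")
_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")


def registrable_domain(url: str) -> str:
    """Return the part of the hostname that has a WHOIS record.

    appleid.apple.verifyouridentity.com -> verifyouridentity.com. The labels
    'appleid.apple' are just subdomains created by whoever controls the
    registered domain, so they prove nothing about who runs the site.
    Assumption: single-label public suffix (.com, .net, ...).
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:])


def parse_creation_date(whois_text: str) -> Optional[datetime]:
    """Find the creation/registration date line and parse it as UTC."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() not in _DATE_KEYS:
            continue
        value = value.strip()
        for fmt in _DATE_FORMATS:
            try:
                return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                continue
    return None


def domain_age_days(whois_text: str, now: datetime) -> Optional[int]:
    """Age of the domain in whole days at time `now`, or None if no date was found."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return (now - created).days


def assess(url: str, whois_text: str, now: datetime, max_young_days: int = 180) -> dict:
    """Combine both checks into a small verdict for the analyst.

    A young domain is a strong phishing signal; an old one does not clear the
    site on its own (compromised or aged domains are used too).
    """
    domain = registrable_domain(url)
    age = domain_age_days(whois_text, now)
    if age is None:
        verdict = "no creation date found: treat as suspicious until checked by hand"
    elif age < max_young_days:
        verdict = "young domain: consistent with phishing"
    else:
        verdict = "domain age alone does not clear the site; check its reputation"
    return {"domain": domain, "age_days": age, "verdict": verdict}


if __name__ == "__main__":
    # The analysis date is a placeholder chosen to sit shortly after the
    # constructed creation date.
    analysis_time = datetime(2019, 3, 12, 12, 0, tzinfo=timezone.utc)
    print(assess("https://appleid.apple.verifyouridentity.com/?16shop", SAMPLE_WHOIS, analysis_time))
```

Compare the result with `whois apple.com` run the same way: the age check is what separates a brand that has owned its domain for decades from a look-alike registered a few weeks before the campaign.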
New things get old. What can you do if you are seeing this post some time later: 6 months, 1 year or even more? You should check the reputation of the domain. For example, go to the VirusTotal web site and submit the domain. This is the result for this domain.
In the next post we will do the email analysis.