Thursday, July 5, 2018

SecOps - Apple Purchase Phishing mail Analysis - Part 1

Phishing mail analysis - Part 1

This is a SecOps post. It will contain some technical content.

In this post we conclude that the email below is a phishing mail.

Phishing email 
So you can delete it.

Question: Major web mail platforms (Microsoft, Google, Yahoo, ...) should have good anti-spam filters. I have some free accounts there and I get very few spam emails. So receiving a phishing mail is unusual; let's do some analysis on the email.

1. Let's access the available links in the email.

All links are the same: hxxps://mysp.ac/4AQG6.

Going to the page, we see a page that looks like the Apple website. It asks for a username and password. An important detail is that the page tries to look like a secure page: it shows the padlock (cryptography) next to the address. It's important to remember that the padlock only shows that the information exchanged between your computer and the server hosting the page is protected in transit; it does not mean that the page itself is safe. Details in the pictures below:

Web site link from email
HTTPS detail, not so safe...

You can see that the page looks like the Apple page. If you check the padlock on the page, you will see that it is using HTTPS, which only means that the traffic is encrypted.

On some computers a warning message may be shown, like this one:
Browser warning

The website asks for your Apple ID and password. After entering a username and password, a new error is shown. Now it says that our account is blocked, but there is a button to unlock it. Let's click on it.
New error after credential input

The "Unlock Account" button redirects us to a new page: a form asking for information such as name, address and some credit card data. Again, after filling in all the fields, it shows another error message.
Malicious form
Payment error message

If you enter your information on this site the attacker will have your data and can buy things with your credit card. Now we have two theories:
  • It's a legitimate site and we typed the data wrong, or it is a temporary error.
  • The page is trying to get more credit card numbers from us.

We still believe that the website is malicious, although it is good to have more reasons to classify the email as phishing. Sometimes someone will ask for more proof, even if we believe the error is just a way to collect more credit card numbers. So another useful tip concerns the site's domain. We can use the whois tool to get some info about the domain. The address shown in the browser is:

     https://appleid.apple.verifyouridentity.com/?16shop, and we only need the registered domain part (highlighted in red in the original) for the whois check.

Whois result

Reading the creation date (some tools show it as the registration date), we can see that this is a pretty new domain, which is not a good sign. Apple isn't a new company (if you are curious enough, check the whois info for apple.com). So this first analysis reaches the same conclusion: the email is malicious. The analysis also shows that the purpose of the email is to harvest personal and credit card data.

- URL: verifyyouridentity.com
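As an added example (not code from the original post), here is a small Python script that turns the two checks above into code: it extracts the registered domain from the phishing URL, flags a host that carries a brand name under a domain the brand does not own (which the HTTPS padlock does nothing to prevent), and reads the creation date out of whois output to estimate the domain's age. The whois text, the list of legitimate Apple domains, the 90-day threshold and the tiny public-suffix table are all assumptions made for the example; the real whois record from the post only survives as a screenshot.

```python
"""Added example, not code from the original post: turn the manual checks from
the post (look past the padlock at the real domain, then judge the domain's
age from whois) into a small script. The whois text below is constructed; a
real check would run `whois <domain>` and feed its output to these functions."""
from datetime import datetime, timezone
from typing import Optional, Set
from urllib.parse import urlsplit

# Date of the post, used as the "today" reference when judging domain age.
POST_DATE = datetime(2018, 7, 5, tzinfo=timezone.utc)

# Assumption: a tiny sample of multi-label public suffixes so that hosts such
# as shop.example.co.uk resolve to example.co.uk. Real tooling uses the full
# Public Suffix List instead of this table.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.br", "com.au", "co.jp"}

# Keys that different whois servers use for the registration timestamp.
CREATION_KEYS = ("creation date", "created", "registered on", "registration date")


def registrable_domain(url: str) -> str:
    """Return the part of the host that whois is run against.

    Everything left of it ("appleid.apple." in the post's URL) is chosen
    freely by whoever controls that domain, so it carries no trust."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_brand_lookalike(url: str, brand: str, legit_domains: Set[str]) -> bool:
    """True when a brand name appears in the host but the registrable domain
    is not one the brand owns. HTTPS says nothing about this."""
    host = (urlsplit(url).hostname or "").lower()
    return brand in host and registrable_domain(url) not in legit_domains


def creation_date(whois_text: str) -> Optional[datetime]:
    """Pick the creation/registration timestamp out of key: value whois output."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() not in CREATION_KEYS:
            continue
        value = value.strip()
        for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
            try:
                return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                pass
    return None


def domain_age_days(whois_text: str, now: datetime = POST_DATE) -> Optional[int]:
    """Age of the domain in whole days, or None if no creation date was found."""
    created = creation_date(whois_text)
    return None if created is None else (now - created).days


def is_suspiciously_new(whois_text: str, now: datetime = POST_DATE,
                        max_age_days: int = 90) -> bool:
    """A young domain impersonating an old brand is a strong phishing signal."""
    age = domain_age_days(whois_text, now)
    return age is not None and age < max_age_days


# Constructed whois excerpt in the usual key: value layout (not the real record
# for the domain in the post, which only survives as a screenshot).
SAMPLE_WHOIS = """\
Domain Name: VERIFYOURIDENTITY.COM
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Updated Date: 2018-06-28T10:12:33Z
Creation Date: 2018-06-28T10:12:33Z
Registry Expiry Date: 2019-06-28T10:12:33Z
"""

if __name__ == "__main__":
    url = "https://appleid.apple.verifyouridentity.com/?16shop"
    apple_domains = {"apple.com", "icloud.com"}  # assumption for the example
    print("registrable domain:", registrable_domain(url))
    print("brand lookalike:   ", is_brand_lookalike(url, "apple", apple_domains))
    print("domain age (days): ", domain_age_days(SAMPLE_WHOIS))
    print("suspiciously new:  ", is_suspiciously_new(SAMPLE_WHOIS))
```

Note that the `?16shop` query string and the `appleid.apple.` prefix never reach whois; only the registered domain does, which is exactly why the padlock and the familiar-looking host name prove nothing. For a live check, pipe the output of the whois command for the domain into `creation_date`; the 90-day cut-off is a heuristic, so treat a "new" result as one more reason for suspicion rather than a verdict on its own.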

New things get old. What can you do if you are reading this post some time later, 6 months, 1 year or even more? You should check the reputation of the domain. For example, go to the VirusTotal website and submit the domain. This is the result for this domain.

Virustotal result


In the next post we will analyse the email itself.
