tag:blogger.com,1999:blog-46258599603933809632024-02-20T22:24:25.348-03:00NetSecOps.InfoNetwork Security And Operations
A blog to share how-tos, information, and more about network, security and operations.Igor Maxhttp://www.blogger.com/profile/04756562717218746346noreply@blogger.comBlogger5125tag:blogger.com,1999:blog-4625859960393380963.post-34701737935076005832020-07-19T16:20:00.008-03:002022-08-19T15:05:07.482-03:00SecOps - User agents and user agent spoofing (PT-BR)<br /><div><p class="MsoNormal" style="line-height: normal; margin: 0in 0in 0in 0.5in; text-align: justify; text-indent: -0.5in;"><span lang="en" style="font-size: 24pt;">User agents... agents, but not so much users.</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span lang="en" style="font-size: 12pt;">(</span><a href="http://netsecopsinfo.blogspot.com/2020/07/en/secops-user-agent-information.html"><span lang="en" style="font-size: 12pt;">EN-US</span></a><span lang="en" style="font-size: 12pt;">) </span><span style="font-size: 16px;">See the tests performed for this post in the <a href="https://youtu.be/Oqvyh1h5VCo">video</a>.</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span lang="en" style="font-size: 12pt;">One of the pieces of information available in web server logs, and in the logs of applications served by the web server, is the User Agent.</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span lang="en" style="font-size: 12pt;">The <i>user agent</i> is the software responsible for sending the client's web requests to the web server. The User-Agent header carries the information that tells the server which software the user (or something that is not a user at all) is using to access the web page. This information appears in the server's access log when the log format is configured to record it. Here is a simple user agent string:</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span style="font-size: 12pt;">"Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span lang="en" style="font-size: 12pt; line-height: 107%;">The <i>user agent</i> information is found in the web server logs. Normally every web server log format will include the user agent when it is configured to. This is an example of a basic web server log entry with the <i>user agent</i>:</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span lang="en" style="font-size: 12pt;">10.1.0.10 - - [20/Jul/2018:13:38:10 -0500] "GET /animatedcollapse.js HTTP/1.1" 304 - "http://10.2.0.101/" "<u>Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0</u>" (Get more information about web server logs <a href="http://netsecopsinfo.blogspot.com/2020/07/pt-br/secops-entendendo-um-log-de-servidor-web.html">here</a>).</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span lang="en" style="font-size: 12pt;">So, what is the problem with user agents? None. They work and are useful in log analysis. The issue is that they can be altered or crafted at the time of the request to the web server. There are many ways to do this. Replacing the real user agent with another one is known as "user agent spoofing". It is a common way to get past basic blocking rules (for example, a rule that drops requests carrying a known scanner's user agent) during attacks.</span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span lang="en" style="font-size: 12pt;">Here I will show an easy way to do it, to prove the point. It uses the Linux wget command. In this example, our Linux machine has the IP 10.1.0.10 and the web server has the IP 10.2.0.110.</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span style="font-size: 12pt;">The first request using wget:</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><i><span lang="pt" style="font-size: 12pt; mso-ansi-language: #0016;">$wget 10.2.0.110</span></i><i><span lang="" style="font-family: "times new roman", serif; font-size: 12pt; mso-ansi-language: PT-BR; mso-fareast-font-family: "Times New Roman";"><o:p></o:p></span></i></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span style="font-size: 12pt;">The web server will show this log entry, with the <i>user agent</i> highlighted:</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span style="font-size: 12pt;">10.1.0.10 - - [18/Jul/2020:10:28:07 -0400] "GET / HTTP/1.1" 200 28067 "-" "<b><u>Wget/1.20.3 (linux-gnu)</u></b>"</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span style="font-size: 12pt;">Let's force the user agent to change. Our <i>user agent</i> will be: <u>i'm a firefox browser</u>. Check the command and the web server log below:</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><i><span lang="en" style="font-size: 12pt;">$wget -U "i'm a firefox browser" 10.2.0.110</span></i></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span style="font-size: 12pt;">10.1.0.10 - - [18/Jul/2020:10:28:34 -0400] "GET / HTTP/1.1" 200 28067 "-" "<b><u>i'm a firefox browser</u></b>"</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span lang="en" style="font-size: 12pt;">In the next scenario we will use a <i>user agent</i> that is common in Firefox browsers. You can find a good list of <i>user agents</i> </span><a href="https://developers.whatismybrowser.com/useragents/explore/"><span lang="en" style="font-size: 12pt;">here.</span></a></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><i><span style="font-size: 12pt;">$wget -U "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" 10.2.0.110</span></i></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span style="font-size: 12pt;">10.1.0.10 - - [18/Jul/2020:10:29:39 -0400] "GET /favicon.ico HTTP/1.1" 200 3638 "-" "<b>Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0</b>"</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span lang="en" style="font-size: 12pt;">This last <i>user agent</i> is the same one we see when using the Firefox browser. The difference would be the number of requests made to the web server. Wget performs only one GET, while the Firefox browser would perform a GET request and then try to download all of the referenced content (scripts, stylesheets, images) to render the page. You can see this difference in the video.</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span style="font-size: 12pt;">Some <i>user agents</i> are used by well-known software to run tasks automatically, such as vulnerability scans. Some <i>user agents</i> of vulnerability scanners are:</span></p>
<p class="MsoListParagraphCxSpFirst" style="line-height: normal; margin-bottom: 0in; mso-add-space: auto; text-align: justify; text-indent: -0.25in;"><span style="font-size: 12pt;">- Nikto: "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)"</span></p>
<p class="MsoListParagraphCxSpLast" style="line-height: normal; margin-bottom: 0in; mso-add-space: auto; text-align: justify; text-indent: -0.25in;"><span lang="en" style="font-size: 12pt;">- OpenVAS: "Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.0)"</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span lang="en" style="font-size: 12pt;">Check this </span><a href="https://resources.infosecinstitute.com/14-popular-web-application-vulnerability-scanners/"><span lang="en" style="font-size: 12pt;">site</span></a><span lang="en" style="font-size: 12pt;"> to learn about other vulnerability scanners.</span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span style="font-size: 12pt;">One question would be: why is someone scanning my network?</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span lang="en" style="font-size: 12pt;">Offensive security teams (Red Teams) and auditors usually automate vulnerability scans. However, attackers also use tools to speed up their attacks. So it is better to stay alert.</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span lang="en" style="font-size: 12pt;">What are the most important things about user agent information?</span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span lang="en" style="font-size: 12pt; text-indent: -0.25in;">- If you detect a strange <i>user agent</i>, you should investigate. This is true because most users do not use strange agents.</span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span lang="en" style="font-size: 12pt; text-indent: -0.25in;">- If you do not detect a strange <i>user agent</i>, you should still look at the record carefully. It can be a benign request or a malicious request with a fake user agent.</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span lang="en" style="font-size: 12pt;">Understanding the logs during an incident investigation is really important. A web application investigation can use the web server logs, and the user agent is an important piece of information. Be careful with your conclusions when you see the user agent information.</span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0in; text-align: justify;"><span lang="en" style="font-size: 12pt;">See the tests performed for this post in the <a href="https://youtu.be/Oqvyh1h5VCo">video</a>.</span></p></div>Igor Maxhttp://www.blogger.com/profile/04756562717218746346noreply@blogger.com0tag:blogger.com,1999:blog-4625859960393380963.post-52091571584779078702020-07-19T16:08:00.017-03:002022-08-19T15:04:05.117-03:00SecOps - The user agent and user agent spoofing<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 24pt; mso-fareast-font-family: "Times New Roman";">User agents... agents, but not so much users.</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">(<a href="http://netsecopsinfo.blogspot.com/2020/07/br/secops-user-agents-e-suas-informacoes.html">PT-BR</a>)</span><span style="font-family: "times new roman", serif; font-size: 12pt;"> </span><span style="font-family: "times new roman", serif; font-size: 12pt;">Check this </span><a href="https://youtu.be/Oqvyh1h5VCo" style="font-family: "times new roman", serif; font-size: 12pt;">video</a><span style="font-family: "times new roman", serif; font-size: 12pt;"> to see the tests used to create this post.</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">One of the pieces of information available in web server logs is the <span style="background-color: red;"><font color="#ffffff">User Agent</font></span>. What are user agents?<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt;">User agents are the programs that make requests from the client to the web server. The User-Agent header is the piece of information that tells the server which software the user (or something that is not a user at all) is using to access the web page. So whenever you access a web page, the server will know which software you are using to browse, as long as it trusts that header. Here is a simple user agent string:</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt; text-align: center;">“Mozilla/5.0
(X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0”</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt;">The user agent information is found in web server logs. Usually all web server log formats will include the user agent when configured to do so. This is an example of a basic web server log entry with the user agent.</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">10.1.0.10 - - [20/Jul/2018:13:38:10 -0500] "GET /animatedcollapse.js HTTP/1.1" 304 - "http://10.2.0.101/" "<u>Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0</u>" (Get more information about web server logs </span><a href="http://netsecopsinfo.blogspot.com/2020/07/secops/web/understanding-web-server-log.html"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">here</span></a><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">).</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt;">So, what is the problem with user agents? None. They work and are useful in log analysis.</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">The point is that they can be faked or crafted when the web request is made. There are many ways to do it. Replacing the real user agent with some other value is called "user agent spoofing". It is a common way to get past basic, signature-based detections (for example, a rule that blocks requests whose user agent matches a known scanner). Here I will show an easy way to do it. It uses the Linux wget command. In this example, our Linux machine has the IP 10.1.0.10 and the web server has the IP 10.2.0.110.<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt;">The first wget request:</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><i><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">$wget 10.2.0.110<o:p></o:p></span></i></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt;">The web server will show this log and the user agent from the request:</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">10.1.0.10 - - [18/Jul/2020:10:28:07
-0400] "GET / HTTP/1.1" 200 28067 "-" "<b><u>Wget/1.20.3
(linux-gnu)</u></b>"<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt;">Let's force the user agent to change. Our user agent will be: </span><u style="font-family: "times new roman", serif; font-size: 12pt;">i'm a firefox browser</u><span style="font-family: "times new roman", serif; font-size: 12pt;">. Check the command and the web server log below.</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><i><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">$wget -U "i'm a firefox
browser" 10.2.0.110<o:p></o:p></span></i></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">10.1.0.10 - - [18/Jul/2020:10:28:34
-0400] "GET / HTTP/1.1" 200 28067 "-" "<b><u>i'm a
firefox browser</u></b>"<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt;">In the next scenario we will use a user agent that is common in Firefox browsers. You can find a good list of user agents </span><a href="https://developers.whatismybrowser.com/useragents/explore/" style="font-family: "times new roman", serif; font-size: 12pt;">here.</a></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><i><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">$wget -U "Mozilla/5.0 (X11;
Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" 10.2.0.110<o:p></o:p></span></i></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">10.1.0.10 - - [18/Jul/2020:10:29:39
-0400] "GET /favicon.ico HTTP/1.1" 200 3638 "-" "<b>Mozilla/5.0
(X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0</b>"<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt;">This last user agent is the same as the one we would see when using the Firefox browser. The difference would be the number of requests. Wget performs only one GET, while the Firefox browser would perform a GET request and then try to download all of the referenced content (scripts, stylesheets, images) to render the page. You can see this in the video.</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">Some user agents are used by well-known software to perform tasks automatically, like vulnerability scans. Some user agents from vulnerability scanners are:<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0in 0.75in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"><!--[if !supportLists]--><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">-<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">Nikto: "Mozilla/5.00
(Nikto/2.1.6) (Evasions:None) (Test:Port Check)"<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpLast" style="line-height: normal; margin: 0in 0in 0in 0.75in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"><!--[if !supportLists]--><span lang="" style="font-family: "times new roman", serif; font-size: 12pt; mso-ansi-language: PT-BR; mso-fareast-font-family: "Times New Roman";">-<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span lang="" style="font-family: "times new roman", serif; font-size: 12pt; mso-ansi-language: PT-BR; mso-fareast-font-family: "Times New Roman";">OpenVAS: "Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.0)"<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt;">Check this web </span><a href="https://resources.infosecinstitute.com/14-popular-web-application-vulnerability-scanners/" style="font-family: "times new roman", serif; font-size: 12pt;">site</a><span style="font-family: "times new roman", serif; font-size: 12pt;"> to learn about other vulnerability scanners.</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt;">The question would be: why is someone scanning my network? Red Teams and security auditors usually scan web applications, but attackers do it too. So it is better to identify who is behind the scan.</span></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt;">What are the most important things about
user agent information?</span></p>
<p class="MsoListParagraphCxSpFirst" style="line-height: normal; margin: 0in 0in 0in 0.75in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"><!--[if !supportLists]--><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">-<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">If you see a weird user agent, you should investigate. This is true because most users will not use weird agents.<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpLast" style="line-height: normal; margin: 0in 0in 0in 0.75in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -0.25in;"><!--[if !supportLists]--><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">-<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">If you do not see a weird agent, you should still look at the log carefully. It can be a benign request or a malicious request with a fake user agent.</span></p>
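<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt;">The wget -U demonstration, the scanner signatures, and the two points just above (investigate odd agents; look harder when the agent looks normal) can be turned into a small log check. The Python script below is an added example, not code from the original post; it parses combined-format log lines like the ones shown, flags honest tool signatures (the Nikto and OpenVAS strings quoted above plus the default wget and curl user agents, which are assumptions for this example), flags agents that look like neither a browser nor a known tool, and applies the behavioural test from the post: a client that claims to be Firefox but never fetches a script, stylesheet, image or favicon behaves like wget -U. The log lines are constructed for the example, modelled on the ones in the post. The same check covers the corresponding passages of the PT-BR version of this post above.</span></p>

```python
import re
from collections import defaultdict

# Combined log format, the same layout as the lines quoted in the post:
# client - - [timestamp] "METHOD /path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User agents of tools that identify themselves honestly. Nikto and OpenVAS are
# the strings quoted in the post; wget and curl are their default UAs (assumption).
TOOL_UA_PATTERNS = {
    "nikto": re.compile(r"\(Nikto/", re.I),
    "openvas": re.compile(r"OpenVAS", re.I),
    "wget": re.compile(r"^Wget/"),
    "curl": re.compile(r"^curl/"),
}

# What a mainstream browser UA looks like, and the sub-resources a real browser
# fetches right after the HTML page (scripts, styles, images, favicon).
BROWSER_UA_RE = re.compile(r"^Mozilla/5\.0 \(.+\) .*(Firefox|Chrome|Safari)/\d")
SUBRESOURCE_RE = re.compile(r"\.(js|css|png|jpe?g|gif|svg|ico|woff2?)(\?|$)", re.I)

# Constructed sample log, modelled on the entries shown in the post.
SAMPLE_LOG = """\
10.1.0.10 - - [18/Jul/2020:10:28:07 -0400] "GET / HTTP/1.1" 200 28067 "-" "Wget/1.20.3 (linux-gnu)"
10.1.0.10 - - [18/Jul/2020:10:28:34 -0400] "GET / HTTP/1.1" 200 28067 "-" "i'm a firefox browser"
10.1.0.10 - - [18/Jul/2020:10:29:39 -0400] "GET / HTTP/1.1" 200 28067 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.1.0.20 - - [18/Jul/2020:10:31:02 -0400] "GET / HTTP/1.1" 200 28067 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.1.0.20 - - [18/Jul/2020:10:31:02 -0400] "GET /animatedcollapse.js HTTP/1.1" 200 9120 "http://10.2.0.110/" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.1.0.20 - - [18/Jul/2020:10:31:03 -0400] "GET /favicon.ico HTTP/1.1" 200 3638 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.1.0.30 - - [18/Jul/2020:10:40:11 -0400] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_ua(ua):
    """Return the tool name when the UA is a known, honest tool signature, else None."""
    for name, pattern in TOOL_UA_PATTERNS.items():
        if pattern.search(ua):
            return name
    return None


def analyze(lines):
    """Aggregate per client IP: honest tool UAs, UAs that look like neither a
    browser nor a known tool, and 'browser' UAs that never fetch sub-resources."""
    state = defaultdict(lambda: {"tools": set(), "odd_uas": set(),
                                 "browser_hits": 0, "subresources": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        st = state[rec["ip"]]
        tool = classify_ua(rec["ua"])
        if tool:
            st["tools"].add(tool)
        elif BROWSER_UA_RE.match(rec["ua"]):
            st["browser_hits"] += 1
            if SUBRESOURCE_RE.search(rec["path"]):
                st["subresources"] += 1
        else:
            st["odd_uas"].add(rec["ua"])
    findings = {}
    for ip, st in state.items():
        findings[ip] = {
            "tools": st["tools"],
            "odd_uas": st["odd_uas"],
            # A claimed browser that only ever fetches HTML behaves like wget -U.
            "browser_without_subresources": st["browser_hits"] > 0 and st["subresources"] == 0,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt;">On the sample, 10.1.0.10 is reported for the honest Wget hit, for the odd "i'm a firefox browser" string, and for the spoofed Firefox agent that fetched only "/", while 10.1.0.20 (a client that also pulled the script and the favicon) is clean. The signature check only catches tools that did not bother to spoof; the odd-agent and behaviour checks are the ones that survive wget -U, and in real traffic the behaviour check should be evaluated per session and time window rather than over a whole log.</span></p>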
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">Understand the logs during an incident
investigation is really important. Web application investigation can use the
web server logs and user agent is an important information. Take care about
your conclusions when you see the user agent information.</span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">Check this <a href="https://youtu.be/Oqvyh1h5VCo">video</a> to see the tests used to create this post.</span></p>Igor Maxhttp://www.blogger.com/profile/04756562717218746346noreply@blogger.com0tag:blogger.com,1999:blog-4625859960393380963.post-64303971880366747852018-07-19T12:17:00.002-03:002020-07-19T19:29:55.346-03:00SecOps - Apple Purchase Phishing mail Analysis - Part 2<div><br /></div><span style="background-color: white; color: rgba(0, 0, 0, 0.52); font-family: roboto, robotodraft, helvetica, arial, sans-serif; font-size: 14px; line-height: 1;"><div><span style="color: black; font-family: "times new roman"; font-size: xx-large;">Phishing mail analysis - Part 2</span></div><div style="line-height: 1;"><span style="background-color: white; color: rgba(0, 0, 0, 0.52); font-family: roboto, robotodraft, helvetica, arial, sans-serif; font-size: 14px; line-height: 1;"><p style="color: black; font-family: "times new roman"; font-size: medium; line-height: 1;">This is a SecOPS post. It will contain some technical content. This is the 3rd post about a Apple purchase phishing and SecOps part 2.</p></span></div></span><div style="line-height: 1;"><span style="line-height: 1;">In <a href="https://www.blogger.com/#" style="line-height: 1;">Fast Analysis</a> we did some basic questions that can be helpful to the most users. <br />In <a href="https://www.blogger.com/#">Part 1</a> we discussed about the web site and its suspicious functions and did some specific analysis about the domain like date of creation and reputation. 
This last part we will check the email message and do a analysis on the message body and header<font color="" face=""><span style="background-color: white; font-size: 14px;">.</span></font></span></div><div><span><font color="" face=""><span style="background-color: white; font-size: 14px;"><br /></span></font></span></div><div><p>As we know that the email is a phishing email, lets analyze the email to identify a possibility cause that it was not identified as spam by the anti-spam protections. </p><p>First, we need the original message with the header. Some ways how to get
the header is shown <a href="https://mxtoolbox.com/public/content/emailheaders/" target="_blank">here</a>. One important header part is the
Authentication-Results, as shown in the picture. We can see the real sender of
the email: <span style="color: red; font-style: italic; font-weight: bold; mso-fareast-font-family: "Times New Roman"; mso-fareast-theme-font: major-fareast;">resolutioncenterapplesforms-billing.info</span><span style="mso-fareast-font-family: "Times New Roman"; mso-fareast-theme-font: major-fareast;"> and IP address: </span><span style="color: red; font-style: italic; font-weight: bold; mso-fareast-font-family: "Times New Roman"; mso-fareast-theme-font: major-fareast;"> 209.85.214.100</span><span style="font-style: italic; font-weight: bold; mso-fareast-font-family: "Times New Roman"; mso-fareast-theme-font: major-fareast;">. </span></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidjlUXkPNHB5l0BH_xu1SUPhq7SvwqCUizccnO3yq1I2ZCQ3lqpNYK1eckwWxpjpLdEQ9JVE2pAhtrS84kR9sudwkgZC5RS_GgeO3ncKCKj55PAYNG_eSn7KCB29iAZfoq4c6hqTlWuSw/s567/header2.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="76" data-original-width="567" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidjlUXkPNHB5l0BH_xu1SUPhq7SvwqCUizccnO3yq1I2ZCQ3lqpNYK1eckwWxpjpLdEQ9JVE2pAhtrS84kR9sudwkgZC5RS_GgeO3ncKCKj55PAYNG_eSn7KCB29iAZfoq4c6hqTlWuSw/s320/header2.png" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Header information<br /></td></tr></tbody></table><br /><o:p></o:p><p></p><p>As we did on <a href="https://www.blogger.com/#">Part 1</a>, using whois let's check the domain. 
</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid2WeKGnzIhQNIK9aIpIqLzaZM3wRoGWtq2jAvw7S4OJqI5GAGK6FU_wQhyphenhyphenvg2StQ754wXrE8tw4HeJ__4TqlNewiVx6RG5kNqZnnL-Unt5NqetXWAxNztcxQWXMiQVsjcLLjeVYBdIdw/s466/domain3.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="184" data-original-width="466" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid2WeKGnzIhQNIK9aIpIqLzaZM3wRoGWtq2jAvw7S4OJqI5GAGK6FU_wQhyphenhyphenvg2StQ754wXrE8tw4HeJ__4TqlNewiVx6RG5kNqZnnL-Unt5NqetXWAxNztcxQWXMiQVsjcLLjeVYBdIdw/s320/domain3.png" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Email Sender domain information.<br /></td></tr></tbody></table><p><br /></p><p><br /></p><p>It's a pretty new domain too and
it was created a few days before the domain <em>verifyouridentity.com</em>.
As already mentioned, new domains are suspicious, and new domains claiming to belong to well-known companies
are even more suspicious. Looking a little further into the original message, we see that
the message is encoded with base64.</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1XfBf8lpCKX3n_l2UNJ8o8waw0O8qRJTwUdbnSuu4BkR30EW_MhJwsvIJvjCnrQ_xjUvJBqsYsSVF6AjXE06N8LHZyN-2G1bQlNRfNEZy_gSbpNH6tiEZflkbY1cqEMbXGkRrwM1y1os/s404/header3.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="48" data-original-width="404" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1XfBf8lpCKX3n_l2UNJ8o8waw0O8qRJTwUdbnSuu4BkR30EW_MhJwsvIJvjCnrQ_xjUvJBqsYsSVF6AjXE06N8LHZyN-2G1bQlNRfNEZy_gSbpNH6tiEZflkbY1cqEMbXGkRrwM1y1os/s320/header3.png" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Encoding information</td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both;"><p class="MsoNormal" style="text-align: justify;">We should be able to read the email with the original
message. Since the body is encoded with base64, we can't find any readable text in it.
What we have is a text/html body encoded with base64. After
"MIME-Version: 1.0" we see the base64 data, which ends with
"==". Base64 is used to carry binary data as plain text over
text-only transports. It is legitimately used, for example, when we send an
attachment or when we embed a picture directly in the message body, but sending the
whole message body as base64 is not a good sign. In the pictures you can see the data and the
"==" at the end. This base64 block is around 400 lines long in Notepad++.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3x4yCeiJWJXqJ3Xxx1V2KeZLfkjw43FqIr-gAXQuQfjjgjshVP2B6m170UKjjfkt7kjnnj_7UkAseKCZwVezqiRyxTbg2ws33oEP60Mf8D4RF55Mfukl5kq0xjO_3kNgrT3Ne4r1NV_s/s567/base64_1+-+Copy.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="346" data-original-width="567" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3x4yCeiJWJXqJ3Xxx1V2KeZLfkjw43FqIr-gAXQuQfjjgjshVP2B6m170UKjjfkt7kjnnj_7UkAseKCZwVezqiRyxTbg2ws33oEP60Mf8D4RF55Mfukl5kq0xjO_3kNgrT3Ne4r1NV_s/s320/base64_1+-+Copy.png" width="320" /></a></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><img border="0" data-original-height="356" data-original-width="567" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwwyij0oNPPfYsdoY-yZYY67k4pUT6NjPcvqQJ-4vl9t_4x91BJTwnxys_1IBVeR-p4YfVWcNlQKF4LXoIVxQPQDZHCGVJ9HOgHwhyHBxoRdJsXuY5HDnkaTacH8OqoVwDvwVQ_ImPg54/s320/base64_2+-+Copy.png" style="margin-left: auto; margin-right: auto;" width="320" /></td></tr><tr><td class="tr-caption" style="text-align: center;">Email body encoded (base64)<br /></td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: justify;"><p class="MsoNormal">There are many ways to decode base64, I like the plugin with
<a href="https://notepad-plus-plus.org/" target="_blank">Notepad++</a>
software. In the pictures we can see the real message (sentences, links, ...) after
the decode process.<o:p></o:p></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1UYH-o-2_HpmX-IiWbkfcBtJIW3ETHAwlOsiBiyM5buIade4l1ZDnY3WL5d-yUYyBK8w8VM4i-xKaMQg4wQzmRiFuMzU7O0FIKmiED-D1sEXoufWR0gBHXVCT_LzWnkpGwJ69_-AOSqk/s567/decoded1.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="289" data-original-width="567" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1UYH-o-2_HpmX-IiWbkfcBtJIW3ETHAwlOsiBiyM5buIade4l1ZDnY3WL5d-yUYyBK8w8VM4i-xKaMQg4wQzmRiFuMzU7O0FIKmiED-D1sEXoufWR0gBHXVCT_LzWnkpGwJ69_-AOSqk/s320/decoded1.png" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Decoded email body.<br /></td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;">And here the detail of the suspicious link.</div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFLSYgAc6pc0XhSOfuadvhdYftsKnVBGvEYK3RhVZ0k2sb9eTK_oUHfvC7WnImXBRCv4G33kfixa-XWokGCmMIAKg6A-69bf8YRdETYCjpI-gbjaOT2AGVxofS8VDyMcpg7b108kLnDjo/s1722/decoded2.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="123" data-original-width="1722" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFLSYgAc6pc0XhSOfuadvhdYftsKnVBGvEYK3RhVZ0k2sb9eTK_oUHfvC7WnImXBRCv4G33kfixa-XWokGCmMIAKg6A-69bf8YRdETYCjpI-gbjaOT2AGVxofS8VDyMcpg7b108kLnDjo/s320/decoded2.png" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Email link.<br /></td></tr></tbody></table><div class="separator" 
style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: justify;">The first thing to notice is that the link is different from the website address that we checked in <a href="https://www.blogger.com/#" style="text-align: left;">Part 1</a><span style="text-align: left;">. It is also a URL-shortener link, which is commonly used to bypass anti-spam analysis. Why does this work? Let's check the domain.</span></div><div class="separator" style="clear: both;"><span style="text-align: left;"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW3TdmiSHFewA0ZYE6Dim5KenNlCquki0RFcTEb1hOXLsy4Dsa49bNMNWtKPcmpFEYJgZfSOFce8fumipTn9ssdTmdH6JywTsYdASwsXyG2ETk7nBxiFt_wEHXzIOicNh4eIpBLXBS1Ic/s442/virustotal1.PNG" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="178" data-original-width="442" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW3TdmiSHFewA0ZYE6Dim5KenNlCquki0RFcTEb1hOXLsy4Dsa49bNMNWtKPcmpFEYJgZfSOFce8fumipTn9ssdTmdH6JywTsYdASwsXyG2ETk7nBxiFt_wEHXzIOicNh4eIpBLXBS1Ic/s320/virustotal1.PNG" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">VirusTotal analysis.<br /></td></tr></tbody></table><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">So, the URL was not flagged as suspicious on the day of the last analysis. This is one of the reasons an anti-spam filter would let this email through. And there is a big difference between the URL in the mail (mysp.ac/4AQG6) and the final website (verifyyouridentity.com). One way to check the redirection is the wget command on Linux systems 
(you can use your browser's Developer tools too).</div><div class="separator" style="clear: both; text-align: left;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSDdeudxHhH-Ie-1WpFqi6UIIL9WNYagfcDkYQYwv2PYRhwBlbx7mpVqVqKjWP88u-L89xU5EDTLjdC7hoh-sDQklR64zI1zZXm8iyyOII5Mup4ithDQUiRCeDEwWcYCOQVd_uiD57qY8/s1424/wget2.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="605" data-original-width="1424" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSDdeudxHhH-Ie-1WpFqi6UIIL9WNYagfcDkYQYwv2PYRhwBlbx7mpVqVqKjWP88u-L89xU5EDTLjdC7hoh-sDQklR64zI1zZXm8iyyOII5Mup4ithDQUiRCeDEwWcYCOQVd_uiD57qY8/s320/wget2.png" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">wget result<br /></td></tr></tbody></table><div class="separator" style="clear: both; text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: justify;">If you check the wget result, you will see that there are a lot of redirects. Each 302 response is a redirect. The verifyyouridentity.com website shows up as the 3rd result. In this test, verifyyouridentity redirects to yet another website; this could be the malicious site protecting itself after identifying that the connection came from a wget command. 
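<p>The two checks above, decoding the base64 body to get at the links and then walking the redirect chain hop by hop the way wget's log shows it, as an added Python example written for this post (it is not the author's tooling). The raw message and the hop table are constructed stand-ins for the real samples: the URLs are the ones listed in this post, kept defanged (hxxp), and <code>RAW_EMAIL</code>, <code>FAKE_HOPS</code>, <code>table_fetch</code> and <code>live_fetch</code> are assumptions of the example. The offline demo never touches the network; <code>live_fetch</code> is the single-hop fetcher you would plug into <code>follow_redirects</code> from an isolated analysis host.</p>

```python
"""Decode a base64-carried e-mail body, pull out its links and walk each
redirect chain. Added example for this post, not the author's tooling:
the message and the hop table are constructed stand-ins for the samples
in the post, and URLs stay defanged (hxxp) as the post writes them."""
import base64
import email
import re
import urllib.error
import urllib.request
from email import policy
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed HTML body: one "Unlock Account" link, like the decoded sample.
HTML_BODY = ('<html><body><p>Dear customer, your account has been locked.</p>'
             '<a href="hxxps://mysp.ac/4AQG6">Unlock Account</a></body></html>')

# Constructed raw message. A text/html part sent with Content-Transfer-Encoding:
# base64 is what turns the .eml into hundreds of lines of noise in an editor.
RAW_EMAIL = ("From: REDJANG-DANCE959@APPLE.COM\r\nTo: victim@example.com\r\n"
             "Subject: Your receipt\r\nMIME-Version: 1.0\r\n"
             "Content-Type: text/html; charset=utf-8\r\n"
             "Content-Transfer-Encoding: base64\r\n\r\n"
             + base64.encodebytes(HTML_BODY.encode("utf-8")).decode("ascii"))

# Constructed hop table mirroring the order the wget run showed:
# defanged url -> (HTTP status, Location header or None).
FAKE_HOPS = {
    "hxxps://mysp.ac/4AQG6": (302, "hxxp://www.bungamawaruntuktmu.igg.biz"),
    "hxxp://www.bungamawaruntuktmu.igg.biz":
        (302, "hxxps://appleid.apple.verifyouridentity.com/?16shop"),
    "hxxps://appleid.apple.verifyouridentity.com/?16shop":
        (302, "hxxps://href.li/?https://store.lilbub.com"),
    "hxxps://href.li/?https://store.lilbub.com": (200, None),
}

def refang(url):
    """hxxp(s):// -> http(s)://, done only right before a request or a parse."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def decode_body(raw):
    """(transfer_encoding, decoded text) of the html/plain part; get_content()
    undoes the base64 and the charset so the links become searchable."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    if part is None:
        return None, ""
    return (part.get("Content-Transfer-Encoding") or "7bit").lower(), part.get_content()

def extract_links(html):
    """href targets in document order, de-duplicated."""
    return list(dict.fromkeys(re.findall(r'href=["\']?([^"\' >]+)', html, re.I)))

def table_fetch(url):
    """Offline stand-in for an HTTP client: one hop looked up in FAKE_HOPS."""
    return FAKE_HOPS.get(url, (404, None))

def follow_redirects(url, fetch=table_fetch, max_hops=10):
    """Walk a chain one hop at a time, the way wget's log shows it. fetch(url)
    returns (status, location); stop on a non-3xx answer, a missing Location,
    a loop (phishing chains sometimes loop) or max_hops."""
    chain, seen, current = [], set(), url
    while len(chain) < max_hops:
        status, location = fetch(current)
        chain.append((status, current))
        seen.add(current)
        if status not in REDIRECT_CODES or not location or location in seen:
            break
        current = location
    return chain

def triage(raw, fetch=table_fetch):
    """The checks the post does by hand: sender domain, body encoding, links
    in the body, how many redirects each takes and where it finally lands."""
    msg = email.message_from_string(raw, policy=policy.default)
    header = msg["From"]
    senders = header.addresses if header else ()
    encoding, body = decode_body(raw)
    chains = {link: follow_redirects(link, fetch) for link in extract_links(body)}
    return {
        "sender_domain": senders[0].domain.lower() if senders else "",
        "transfer_encoding": encoding,
        "links": list(chains),
        "redirect_hops": {link: len(c) - 1 for link, c in chains.items()},
        "final_hosts": {link: urlparse(refang(c[-1][1])).hostname for link, c in chains.items()},
    }

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand each 3xx back to the caller instead of following it silently."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def live_fetch(url, user_agent="Mozilla/5.0", timeout=10):
    """Real single-hop fetcher for an isolated analysis box (the offline demo
    never calls it). A browser-like User-Agent matters: the post suspects the
    last hop behaved differently once the client was recognised as wget."""
    req = urllib.request.Request(refang(url), headers={"User-Agent": user_agent})
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")
```

<p><code>triage(RAW_EMAIL)</code> reports the sender domain (apple.com, which by itself says nothing about where the mail really came from), the base64 transfer encoding, the single link in the body, its three redirect hops and the final host. Swapping <code>table_fetch</code> for <code>live_fetch</code> gives the same walk against the real chain; the Location header of every 3xx is recorded before it is followed, which is exactly the detail a browser hides and wget prints.</p>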
If you have questions about user agents, see this <a href="http://netsecopsinfo.blogspot.com/2020/07/secops-user-agent-information.html" target="_blank">post</a>.</div><div class="separator" style="clear: both; text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: justify;">Here are all the URLs from the result.</div><br />hxxps://mysp.ac/4AQG6 <br />hxxp://www.bungamawaruntuktmu.igg.biz <br />hxxps://appleid.apple.verifyouridentity.com/?16shop <br />hxxps://href.li/?https://store.lilbub.com</span></div><div class="separator" style="clear: both;"><div style="text-align: left;"><br /></div><span style="text-align: left;"><div class="separator" style="clear: both; text-align: left;"><br /></div></span></div></div><b><u>Possible root cause: </u>The message body was encoded with base64, bypassing the anti-spam analysis. It also went through many redirects. So the email was considered clean.</b></div><div class="separator" style="clear: both;"><b><br /></b></div><div class="separator" style="clear: both;">IOCs to block or watch for on your network:</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;"><table border="1" cellpadding="0" class="MsoNormalTable" style="text-align: center;">
<thead>
<tr>
<td style="background: rgb(204, 204, 204); padding: 0.75pt; width: 60.35pt;" width="80">
<p class="MsoNormal" style="text-align: center;"><b>Type<o:p></o:p></b></p>
</td>
<td style="background: rgb(204, 204, 204); padding: 0.75pt; width: 165pt;" width="220">
<p class="MsoNormal" style="text-align: center;"><b>Data<o:p></o:p></b></p>
</td>
<td style="background: rgb(204, 204, 204); padding: 0.75pt; width: 60.75pt;" width="81">
<p class="MsoNormal" style="text-align: center;"><b>Suspicious?<o:p></o:p></b></p>
</td>
</tr>
</thead>
<tbody><tr>
<td style="background: rgb(242, 242, 242); padding: 0.75pt; width: 60.35pt;" width="80">
<p class="MsoNormal">Email
Address<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 165pt;" width="220">
<p class="MsoNormal">REDJANG-DANCE959@APPLE.COM<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 60.75pt;" width="81">
<p class="MsoNormal">Yes<o:p></o:p></p>
</td>
</tr>
<tr>
<td style="background: rgb(242, 242, 242); padding: 0.75pt; width: 60.35pt;" width="80">
<p class="MsoNormal">IP
Address<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 165pt;" width="220">
<p class="MsoNormal">209.85.214.100<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 60.75pt;" width="81">
<p class="MsoNormal">Neutral<o:p></o:p></p>
</td>
</tr>
<tr>
<td style="background: rgb(242, 242, 242); padding: 0.75pt; width: 60.35pt;" width="80">
<p class="MsoNormal">IP
Address<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 165pt;" width="220">
<p class="MsoNormal">63.135.90.71<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 60.75pt;" width="81">
<p class="MsoNormal">Yes<o:p></o:p></p>
</td>
</tr>
<tr>
<td style="background: rgb(242, 242, 242); padding: 0.75pt; width: 60.35pt;" width="80">
<p class="MsoNormal">IP
Address<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 165pt;" width="220">
<p class="MsoNormal">78.46.211.158<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 60.75pt;" width="81">
<p class="MsoNormal">Yes<o:p></o:p></p>
</td>
</tr>
<tr>
<td style="background: rgb(242, 242, 242); padding: 0.75pt; width: 60.35pt;" width="80">
<p class="MsoNormal">IP
Address<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 165pt;" width="220">
<p class="MsoNormal">188.40.116.114<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 60.75pt;" width="81">
<p class="MsoNormal">Yes<o:p></o:p></p>
</td>
</tr>
<tr>
<td style="background: rgb(242, 242, 242); padding: 0.75pt; width: 60.35pt;" width="80">
<p class="MsoNormal">Source mail
Domain<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 165pt;" width="220">
<p class="MsoNormal">resolutioncenterapplesforms-billing.info<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 60.75pt;" width="81">
<p class="MsoNormal">Yes<o:p></o:p></p>
</td>
</tr>
<tr>
<td style="background: rgb(242, 242, 242); padding: 0.75pt; width: 60.35pt;" width="80">
<p class="MsoNormal">URL<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 165pt;" width="220">
<p class="MsoNormal">hxxps://mysp.ac/4AQG6<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 60.75pt;" width="81">
<p class="MsoNormal">Yes<o:p></o:p></p>
</td>
</tr>
<tr>
<td style="background: rgb(242, 242, 242); padding: 0.75pt; width: 60.35pt;" width="80">
<p class="MsoNormal">URL
(base64)<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 165pt;" width="220">
<p class="MsoNormal">aHR0cHM6Ly9teXNwLmFjLzRBUUc2<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 60.75pt;" width="81">
<p class="MsoNormal">Yes<o:p></o:p></p>
</td>
</tr>
<tr>
<td style="background: rgb(242, 242, 242); padding: 0.75pt; width: 60.35pt;" width="80">
<p class="MsoNormal">URL<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 165pt;" width="220">
<p class="MsoNormal">hxxp://www.bungamawaruntuktmu.igg.biz<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 60.75pt;" width="81">
<p class="MsoNormal">Yes<o:p></o:p></p>
</td>
</tr>
<tr>
<td style="background: rgb(242, 242, 242); padding: 0.75pt; width: 60.35pt;" width="80">
<p class="MsoNormal">URL<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 165pt;" width="220">
<p class="MsoNormal">hxxps://appleid.apple.verifyouridentity.com/?16shop<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 60.75pt;" width="81">
<p class="MsoNormal">Yes<o:p></o:p></p>
</td>
</tr>
<tr>
<td style="background: rgb(242, 242, 242); padding: 0.75pt; width: 60.35pt;" width="80">
<p class="MsoNormal">URL<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 165pt;" width="220">
<p class="MsoNormal">hxxps://href.li/?https://store.lilbub.com<o:p></o:p></p>
</td>
<td style="padding: 0.75pt; width: 60.75pt;" width="81">
<p class="MsoNormal">Yes<o:p></o:p></p>
</td>
</tr>
</tbody></table></div><p style="text-align: justify;">Some useful links:</p><ul type="disc">
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><a href="http://blog.petersobot.com/debugging-an-empty-spam-email" target="_blank">Debugging an empty spam email</a><o:p></o:p></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><a href="https://dropbear.xyz/2007/08/07/filtering-base64-encoded-spam/" target="_blank">Filtering base64 encoded spam</a><o:p></o:p></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><a href="https://www.microsoft.com/en-us/microsoft-365/blog/2015/01/20/enhanced-email-protection-dkim-dmarc-office-365/" target="_blank">About SPF, DKIM and DMARC</a><o:p></o:p></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><a href="https://github.com/lnxg33k/MHA" target="_blank">Email Header
Analysis</a><o:p></o:p></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><a href="https://codebeautify.org/base64-decode" target="_blank">Tool to
decode base64</a><o:p></o:p></li>
</ul><p class="MsoNormal"><o:p></o:p></p></div>Igor Maxhttp://www.blogger.com/profile/04756562717218746346noreply@blogger.com0tag:blogger.com,1999:blog-4625859960393380963.post-74534996233039373702018-07-05T10:33:00.002-03:002020-07-19T19:30:06.277-03:00SecOps - Apple Purchase Phishing mail Analysis - Part 1<p><font size="6">Phishing mail analysis - Part 1</font></p><p>This is a SecOPS post. It will contain some technical content. </p><p>In the previous <a href="http://netsecopsinfo.blogspot.com/2018/06/phishing-mail-analysis-apple-purchase.html" target="_blank">post </a>we concluded that the email below is a phishing mail.</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-left: 1em; text-align: left;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD2rTK6S3BBJlf8PUFSK3GbRwj5cV5MzfZjT_Kb57cVN0kzFnbAu0Lybfem6kVRb0iM2zx9HhzY_QcjouKXXiX1WaPfYFLynpRdEhS-V2EpKyQYdYeSLTwKN-zl1bszWdP0Z7KroXIN0c/s764/emailUpload.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="764" data-original-width="681" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD2rTK6S3BBJlf8PUFSK3GbRwj5cV5MzfZjT_Kb57cVN0kzFnbAu0Lybfem6kVRb0iM2zx9HhzY_QcjouKXXiX1WaPfYFLynpRdEhS-V2EpKyQYdYeSLTwKN-zl1bszWdP0Z7KroXIN0c/w285-h320/emailUpload.png" width="285" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Phishing email <br /></td></tr></tbody></table>So you can delete it.<div><p style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"> </p><br /><p></p><p><strong><span style="mso-fareast-font-family: "Times New Roman"; mso-fareast-theme-font: major-fareast;"><br /></span></strong></p><p><strong><span style="mso-fareast-font-family: "Times New Roman"; mso-fareast-theme-font: major-fareast;">Question:</span></strong> Important web mail platforms like
Microsoft, Google and Yahoo should have great anti-spam filters. I have some
free accounts and I got really few spam emails on them. So getting a phishing
mail is weird; let's do some analysis on the e-mail.<o:p></o:p></p><p><br /></p><br /><p></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p></p><h3><strong><span style="font-weight: normal; mso-fareast-font-family: "Times New Roman"; mso-fareast-theme-font: major-fareast;">1.</span></strong> Let’s access the available
links on email. </h3><h3><span style="font-weight: normal;">All links are the same: </span><i>hxxps://mysp.ac/4AQG6.</i></h3><p><o:p></o:p></p>
<p style="text-align: left;">Going to the page, we see a page that looks like the Apple website. It asks for
a username and password. An important detail is that the page tries to look like a
secure page: it shows the lock (cryptography) icon next to the address. So, it's
important to remember that the lock only shows that the information exchanged
between your computer and the server where the page is hosted is protected;
it doesn't mean that the page itself is safe and trustworthy. Details in the picture below: </p><p style="text-align: left;"></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><img border="0" data-original-height="876" data-original-width="1270" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHwhGmokVeJPkh7jT7TK0UZU58N8zufNCikYjBp9LJ2lWWQsnB44vS7Vorcb1XGW48d5vLJG17Swc90NhMK8Im9dZj_EXSncrzP9OydguSSH4xt9_JISbFA-gEYFczKh7JYvvvoULDbt4/w320-h221/windows1.PNG" style="margin-left: auto; margin-right: auto;" width="320" /></td></tr><tr><td class="tr-caption" style="text-align: center;">Web site link from email<br /></td></tr></tbody></table><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><img border="0" data-original-height="181" data-original-width="321" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqg1fj7LBSVnk60ZBSxgO0YiraBOkVLVwQcZI7T5VgLJcLRMyrZY1oYFxF7MedAqi4e9GgnAiTHpHYqOm9SPdLk9tMpPg2KSRMUopyytyfYY08124sp_WxXKjs-VTSoqM8lpyatoZYo5A/s320/locker.png" style="margin-left: auto; margin-right: auto;" width="320" /></td></tr><tr><td class="tr-caption" style="text-align: center;">HTTPS detail, not so safe...</td></tr></tbody></table><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">You can see that the page looks like the Apple page. 
If you check the lock icon on the page, you will see that the page is using HTTPS, which means that the traffic is encrypted.</div></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">On some computers a warning message may be shown, like this one:</div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><img border="0" data-original-height="373" data-original-width="567" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi90GoSpltB9qg89WPEYek1IFITP3yiGinYUhXZDrMeZ-PPVDI3SR-vKtzfUWbC2fzVmVDqc4pL8qQxlDkP302b9W37zCfARSLRSCg2If2m8eEL9zfh7G9PmO-BAaaa1S2qAoVSKEw017w/s320/alertbrowser.png" style="margin-left: auto; margin-right: auto;" width="320" /></td></tr><tr><td class="tr-caption" style="text-align: center;">Browser warning<br /></td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both;">The website asks for your Apple ID and password. After entering the username and password, a new error is shown. Now it says that our account is blocked, but there is a button to unlock it. 
Let's click on it.<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8Ntxu7lqMAcR-nvHSFwF39aLGxB0HqWeaaM_wb0dmdm37JC9TSTDyO0AMz_8rXV0jy0ZPtGA-c5l-AOPLYq_tuFFxkexAvj2M4ILX0p-pbOp9TL6lQGNvkzRB-kaIZ8AbCcei5XBN_7A/s272/blockmsg.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="137" data-original-width="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8Ntxu7lqMAcR-nvHSFwF39aLGxB0HqWeaaM_wb0dmdm37JC9TSTDyO0AMz_8rXV0jy0ZPtGA-c5l-AOPLYq_tuFFxkexAvj2M4ILX0p-pbOp9TL6lQGNvkzRB-kaIZ8AbCcei5XBN_7A/" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">New error after credential input<br /></td></tr></tbody></table><div class="separator" dir="rtl" style="clear: both; text-align: center;"><br /></div></div>The "Unlock Account" button redirects us to a new page: a form asking for information such as name, address and credit card data. 
Again, after filling in all the fields, it shows another error message.<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><img border="0" data-original-height="552" data-original-width="567" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMskTo_UfaRGgKZVkGTz57DDxfxqs7idwHV16nKU5fh64TA-Ces_L_fNG0gzaehBIVRlpYCHL_DVOPkFW4npxreEpSm6ufzP7KDU5JAM_XBsk1m8QPGBMMJKg9JQEzbuxuZIT4HqYZ-XQ/s320/form1.png" style="margin-left: auto; margin-right: auto;" width="320" /></td></tr><tr><td class="tr-caption" style="text-align: center;">Malicious form<br /></td></tr></tbody></table><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMskTo_UfaRGgKZVkGTz57DDxfxqs7idwHV16nKU5fh64TA-Ces_L_fNG0gzaehBIVRlpYCHL_DVOPkFW4npxreEpSm6ufzP7KDU5JAM_XBsk1m8QPGBMMJKg9JQEzbuxuZIT4HqYZ-XQ/s567/form1.png" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="128" data-original-width="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKFPd5hKcPiMoVabL-va4fJpInmA2KPjYye0IvmVjXBX4eA9xMLTPzsgE-xZuZswmGJXr4COnGRp58CONHshhRPgdy_MXCAK_eEN2rnPUI6KDYQgmB2CmK4kP6dch6o-V1bF_vhknTUrU/" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Payment error message<br /></td></tr></tbody></table><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">If you input your information on this site, the attacker will have your data and can buy things with your credit card. Now we have two theories: </div><ul><li>It's a legitimate site and we typed the data wrong. 
Or it is a temporary error.</li><li>The page is trying to get more credit cards from us. </li></ul><br />We still believe that the website is malicious. Still, it is good to have more reasons to classify the email as phishing. Sometimes someone will ask for more proof, even if we believe that it's just a way to get more credit card numbers. So another valid tip is about the site's domain. We can use the tool called whois to get some info about the domain. The address shown in the browser is:<div><br /> <span> </span><em>https://appleid.apple.</em><strong><i><span style="color: red; mso-fareast-font-family: "Times New Roman"; mso-fareast-theme-font: major-fareast;">verifyouridentity.com</span></i></strong><em>/?16shop</em>,
we only need the red part to check the domain.</div><div><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><img border="0" data-original-height="123" data-original-width="487" height="101" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYyjKM1daSil_rberizK5-5Me30aL_u8W_OBt1ywKmmMRnMCIzTFtIm0PZenCpyLtOb8jSD8oVJgB92hjZz5j-lrBtCEL5u9d92QYNMfUPHSun3pUjV9xaMuliS409JhEi4fGxso1HjU0/w400-h101/domain4.PNG" style="margin-left: auto; margin-right: auto;" width="400" /></td></tr><tr><td class="tr-caption" style="text-align: center;">Whois result<br /></td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"> </div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;"><p>Reading the creation date (some tools show it as the registration date), we can
infer that this is a pretty new domain, which isn't a good sign. Apple isn't a
new company (if you are curious enough, check the whois info for apple.com).
This first analysis reaches the same conclusion: the email is malicious. The
analysis also lets us infer that the purpose of the email is to collect personal and
credit card data.<o:p></o:p></p><p>- URL: verifyyouridentity.com</p><p>New things get old. What can you do if you are reading this post some time later, 6 months, 1 year or even more? You should check the reputation of the domain. For example, go to the VirusTotal website and submit the domain. This is the result for this domain. </p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqktKs5ReYVqtsAy_e6F_dyMb8w0ypsTjRAW7oAQCFLYUrVhAA19STt41NoZwCNKamW7Nf0rMyaMe0owkfRRbSnG-G4djFB5QAsuypvwVYkktEHJx81IQUIISlBW54eVMwnKsAcDcX_5Y/s1103/Phishing2.PNG" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="460" data-original-width="1103" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqktKs5ReYVqtsAy_e6F_dyMb8w0ypsTjRAW7oAQCFLYUrVhAA19STt41NoZwCNKamW7Nf0rMyaMe0owkfRRbSnG-G4djFB5QAsuypvwVYkktEHJx81IQUIISlBW54eVMwnKsAcDcX_5Y/s320/Phishing2.PNG" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Virustotal result<br /></td></tr></tbody></table><p><br /></p>
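<p>The two domain checks from this part, as an added Python example written for this post (not the author's tooling): extracting the registered domain, the "red part", from the full address, and turning a whois creation date into a domain age. It goes a little beyond the single case above: it also handles two-label public suffixes such as <em>.co.uk</em> and the different creation-date field names and date layouts registrars use. <code>WHOIS_SAMPLE</code> and the dates in it are constructed placeholders rather than the real registration record, and the small <code>MULTI_LABEL_SUFFIXES</code> set stands in for the Public Suffix List a real tool would use.</p>

```python
"""Two domain checks from Part 1, as an added example (not the author's
tooling): which part of a phishing URL is the registered domain (the
"red part"), and how old that domain is according to whois output.
WHOIS_SAMPLE and the dates in it are constructed placeholders, not the
real registration record of the domain in the post."""
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Enough two-label public suffixes for the demo. A real tool should use the
# Public Suffix List (publicsuffix.org) instead of a hand-written set.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.br", "com.au", "co.jp"}

# Field names registrars use for the creation date (matched on the whole
# key, never as a substring) and date layouts commonly seen in whois output.
CREATION_KEYS = ("creation date", "registration date", "created", "registered on")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z",
                "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")

# Constructed whois record. The expiry line is there on purpose: a naive
# substring search for "registration date" would pick it up by mistake.
WHOIS_SAMPLE = """\
Domain Name: VERIFYOURIDENTITY.COM
Registrar: Example Registrar (placeholder)
Updated Date: 2018-06-21T09:00:00Z
Creation Date: 2018-06-20T10:15:00Z
Registrar Registration Expiration Date: 2019-06-20T10:15:00Z
"""


def registrable_domain(url):
    """'hxxps://appleid.apple.verifyouridentity.com/?16shop' -> 'verifyouridentity.com'.
    Everything left of the registered domain is a subdomain the registrant
    names freely, which is how 'appleid.apple.' ends up in the address bar."""
    host = (urlparse(re.sub(r"^hxxp", "http", url)).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_creation_date(whois_text):
    """First creation-date line as a timezone-aware datetime; None if no
    known key/format is found (registries differ, so fail loudly, not late)."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() not in CREATION_KEYS:
            continue
        for fmt in DATE_FORMATS:
            try:
                parsed = datetime.strptime(value.strip(), fmt)
            except ValueError:
                continue
            return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    return None


def assess_domain(url, whois_text, seen_on, young_days=90):
    """Both checks together. seen_on is the day the mail was seen, 'YYYY-MM-DD';
    a domain younger than young_days on that day is flagged as suspiciously new."""
    seen = datetime.strptime(seen_on, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    created = parse_creation_date(whois_text)
    age = (seen - created).days if created else None
    return {
        "domain": registrable_domain(url),
        "created": created.isoformat() if created else None,
        "age_days": age,
        "young": age is not None and age < young_days,
    }


if __name__ == "__main__":
    # Constructed observation date, close to the date of this post.
    print(assess_domain("hxxps://appleid.apple.verifyouridentity.com/?16shop",
                        WHOIS_SAMPLE, "2018-06-28"))
```

<p>The 90-day threshold is a starting point, not a rule: a brand-new domain is only one signal, and the result is meant to be read together with the rest of the checks in this post. The whole-key match on the whois line is the detail worth keeping; "Registrar Registration Expiration Date" contains "registration date" and would otherwise make a one-year-old phishing domain look a year younger than it is.</p>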
<p>In the next post we will do the email analysis.</p></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div><br /></div><div><br /><p><o:p></o:p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNwG1TrGsTLp98AbR82kGX1hv41G0RjhA5cySw6KMY4P65pZU83HN_VykE7r_XbhkeSb49F3JugjGy1c7ckYJP7QhSBXGxelShyNyphfZlQJ2WcLX2LeRpdWyOF2qq0xelgisbW2kSRuQ/s1270/windows1.PNG" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><br /></a></div></div>Igor Maxhttp://www.blogger.com/profile/04756562717218746346noreply@blogger.com0tag:blogger.com,1999:blog-4625859960393380963.post-44984017058772825982018-06-28T20:00:00.005-03:002020-07-19T19:30:23.622-03:00Phishing Mail analysis. Apple purchase - Fast Analysis.<div class="separator"><p class="MsoNormal" style="line-height: normal; margin-left: 1em; margin-right: 1em;"><span style="font-family: "times new roman", serif;"><font size="6">What to do when we get an email about a purchase that we did not make?</font></span></p><p class="MsoNormal" style="line-height: normal;"><span style="font-family: "times new roman", serif; font-size: 12pt;">The focus of this post is to warn end users; it is classified as Daily Questions because it is useful to everyone. If you are interested in the </span><span style="font-family: "times new roman", serif;">technical</span><span style="font-family: "times new roman", serif; font-size: 12pt;"> analysis, check the posts tagged SecOPS.</span></p><p class="MsoNormal" style="line-height: normal;"><font face="times new roman, serif"><span style="font-size: 12pt;">We will show an example of a fake email (a phishing email) that I got. The email seems to be from Apple and it has a drone purchase receipt. First thing: no purchase was made. Let's do a first analysis of the email. The question that everyone should ask when they get an email is: Is this true? 
</span></font></p><p class="MsoNormal" style="line-height: normal; margin-left: 1em; margin-right: 1em;"><br /></p><p class="MsoNormal" style="line-height: normal; margin-left: 1em; margin-right: 1em;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";"><o:p></o:p></span><img border="0" data-original-height="764" data-original-width="681" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPIdn2kQZS0INhH7IhfRLq05Ib1ZgB_BqiAAUWBrKnvN4VNm2Spw6IOiJpOzdy-6MRD8ZOYzs41dEpk_P6FYavMQGWCBc4NJsNyeND3s2wlV4SQ0LW5sO6vJxl0Ye6FRT-xVoQSt3xXNI/s320/emailUpload.png" /></p></div><p class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; mso-outline-level: 3;"><br /></p><p class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; mso-outline-level: 3;"></p><p class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">Without technical analysis, let's
enumerate some things that can help.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">Domain @apple.com.<span style="color: green;"> OK</span><o:p></o:p></span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">Source e-mail with a weird name: “REDJANG-DANCE959”.
Usually we expect to receive some emails like: suport@apple.com,
contact@apple.com. <span style="color: maroon;">NO-OK</span><o:p></o:p></span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">The greettins is using the same email address instead
of the correct name. <i>Dear ( email@email.com).</i> <span style="color: maroon;">NO-OK</span><o:p></o:p></span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">The name in the receipt and the name of the email owner
are different. <span style="color: maroon;">NO-OK</span><o:p></o:p></span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">No purchase was made. <span style="color: maroon;">NO-OK</span><o:p></o:p></span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">The destination address is wrong. <span style="color: maroon;">NO-OK</span><o:p></o:p></span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">Apple selling Drones. <span style="color: maroon;">NO-OK</span><o:p></o:p></span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">The email is a reply ("Re:"). <span style="color: maroon;">NO-OK</span><o:p></o:p></span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">The drone price is apparently right. <span style="color: green;">OK</span><o:p></o:p></span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">A search on internet show another user that got the
same email with few differences. </span><a href="https://communities.apple.com/pt/thread/180036632" target="_blank"><span style="color: blue; font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">Apple community site</span></a><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">. <span style="color: maroon;">NO-OK</span><o:p></o:p></span></li>
</ul><p class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;"><b><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">Conclusion:</span></b><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";"> <b>We will consider this email a phishing, so just delete it
and let's keep life going.</b> The OK/NO-OK questions were created just to help with
the email classification. Of 11 questions, only 2 were OK. The best scenario
is when all questions result in OK. Two more things to do: check your credit
card to confirm that no purchase was made, and check your Apple account.<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;"><b><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";">If you get an e-mail like this,
don't click in any of the links. If you didn't buy the item that email is talking about, so it is fake.</span></b></p><p class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;"><font face=""><b>If you want more detail about e-mail investigation click <a href="http://netsecopsinfo.blogspot.com/2020/06/secops-phishing-mail-analysis.html">here</a>. </b></font></p><p class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;"><b><span style="font-family: "times new roman", serif; font-size: 12pt; mso-fareast-font-family: "Times New Roman";"><br /></span></b></p><br /><p></p>Igor Maxhttp://www.blogger.com/profile/04756562717218746346noreply@blogger.com0