Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Phishing message to the ISC handlers email distro InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Phishing message to the ISC handlers email distro

Published: 2021-02-10
Last Updated: 2021-02-10 00:06:33 UTC
by Brad Duncan (Version: 1)
2 comment(s)

Introduction

The ISC handlers email distro gets plenty of spam and phishing emails on a daily basis.  Most of these are filtered so they never make it to the inbox; however, every once in a while one gets through.

Today's diary reviews an example of a phishing email from our inbox on Tuesday 2021-02-09.


Shown above:  Email headers from the phishing message.

The email

As shown in the previous image, the sending address had been spoofed to look like it came from administrator@sans.isc.edu.  But the message actually came to our mail server from 165.232.128[.]118.  That much we can confirm, because it was the most recent Received: from line before it hit our mail server.  Anything else can be spoofed.  Based on the only other Received: from line, this message might have originated from 69.12.85[.]209, but that line could have been added to confuse analysts.


Shown above:  Screenshot of the phishing messaged when viewed in the Thunderbird email client.

The phishing message has a URL to hxxps://soberlab[.]ca/sl.html?email=[phishing recipient's email address].  The domain oberlab[.]ca seems like it is hosting a legitimate website, and that legitimate website may have been compromised to host the phishing URL.


Shown above:  Opening link from the phishing message in a web browser.

Phishing traffic


Shown above:  Traffic from viewing the email link filtered in Wireshark.

The HTTPS link from the email redirects to a phishing page at hxxp://aromatee[.]com[.]au/inc/mail.php.  Like the previous URL, this one looks like it's hosted on a legitimate domain using a server that's been compromised to host a phishing URL.  I entered a fake password, and the data was sent over HTTP back to the server.


Shown above:  HTTP POST request with the fake password I entered.

Final words

These types of emails are all too common, and they're remarkably cost-effective.  While most of you wouldn't fall for it, people are fooled by similar messages.  Therefore, phishing will remain a viable social engineering technique.

A sanitized version of the email shown in this diary, along with a pcap of traffic to the associated phishing page, can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

Keywords: email phishing
2 comment(s)
Diary Archives