
Part 1: Reading SPAM for Research

 I recently wrote an article for Information Security Magazine where I explained how internet security researchers could use their spam folders as a resource tool.  It got me thinking about going into greater detail on what I've found in my inbox.

Phishing Sites

I noticed an increase in "free gift cards" and other e-commerce type offers in my spam email account around Black Friday, the day after Thanksgiving, which didn't subside until the end of the holiday season, several weeks later. These e-mails claimed to offer me a free $50 Amazon gift card. When I click the link it leads me to a bogus but almost legitimate looking Amazon login site in an attempt to nab my login credentials. The broken TLS lock icon and odd looking URL are a dead giveaway that this site isn't legitimate.

 

Taking a look at the URL below, the first thing I notice is that the lock has a line through it. This is an indicator that the SSL certificate isn't valid and shouldn't be trusted. Next, the word "giftcard" is attempting to lull the victim into thinking they're going to get what they came here for. The part that is blurred is the name of the ecommerce site this email is targeting. It is followed by a domain that, due to the nonsensical text, appears to have been randomly generated. As for the grape.php file name, I don't see how this would help their cause; I would have gone with index.php or login.php. The query string after the question mark is supposed to look like a unique user ID and convince the user that the page they're entering their credentials into is legitimate.

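[Image: the phishing URL in the browser address bar, with the struck-through lock icon and the targeted site's name blurred]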

 

I saw two variants of spam emails purporting to be from this large online retailer.  In order to receive my fifty dollar gift card the email below directs me towards a phishing site.

[Image: the spam email offering the fifty dollar gift card]

The domains that are serving these phishing sites can be reported to the appropriate customer's account team; the customer can then investigate legal action against the hosting site and have that page taken down. This is all valuable intelligence that I can use to help keep Akamai's customers secure.


I also saw a spike in emails that would claim my order has shipped with an attached binary zipped file. The .zip file is usually some variant of ransomware or adware.  

Popular financial and ecommerce websites are a steady target for phishing. What makes these websites a common target is the ability of the phisher to harvest emails, login credentials, personally identifiable information (PII) and credit card information. This is all desirable data for the phisher.


I found that if this is a new campaign, it hasn't been reported to https://www.phishtank.com/ yet. The phishtank.com website is a crowdsourced phishing campaign tracker. Users of that website can submit links to phishing sites to be added to its database. If an Akamai customer is the target of a phishing site I can notify the customer account team and they can pursue legal action to have the site taken down.

Typo Squatters

Some spam emails are a bit more sophisticated, where the spammer has gone through the trouble of registering a domain similar to the one they are targeting. The domain below looks like a popular weather forecasting site but it is actually a malware download redirect for a browser adware extension. The website checks the browser's user-agent string in order to determine which executable to download. If the user-agent is curl, wget or a connection from virustotal.com, the site doesn't attempt the flash player update nonsense. If you've already loaded the site once before, it stores a cookie indicating it and redirects you to a normal website.

The domain I saw is called accuwather.com and it redirects to the link below:

hxxp://updatesoftware.topeasysofttoigetalwaysfree.website/?pcl=iWeDUMYsADPnfkxVxRtMzSZEO3pCfdO9EG7MfxjKwCQ.&cid=zv30680469f70111e68b17066fbf1f576cbbc97976980f4b619a932eba350d48bd018744dea7a74de575&dom=&v_id=GYIDsA-lEo2LKLrN81csx1wderRNtYhKOhcS1J-Aulc.

Which then redirects me to the following link:

hxxp://cdn.lazymae.com/lp/?btp_h=42e73af1607b7f937aabee16607dd9ef&appid=4558&clickid=25223442222979552&dladv=mm-mac-installer&lpc=ec5e6c42&lang=auto

The URL above specifies mm-mac-installer, so the link below is crafted to offer me a Mac .dmg image file for download.

 

[Image: the page offering the Mac .dmg image file for download]

 

In this case I was able to notify the accuweather.com team of the domain squatters so they can have their legal department look into it. If you are concerned about typo squatters, it could be worth your while to register domains similar to your own that might be targeted.

For example, take example.com. Some typo'd domains you could consider registering are below:

exmple.com

exanple.com

eample.com
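
To build such a list for your own domain, the sketch below enumerates single-typo variants (omitted, repeated, swapped and adjacent-key characters). It is an added example, not code from the original post; the function names and the same-row QWERTY neighbour model are assumptions, and only the first label of the domain is varied.

```python
# Added example: typo'd variants of a domain, for defensive registration or monitoring.
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # assumed US QWERTY layout


def neighbours(ch):
    """Keys directly left and right of ch on the same keyboard row."""
    for row in ROWS:
        i = row.find(ch)
        if i != -1:
            return row[max(i - 1, 0):i] + row[i + 1:i + 2]
    return ""


def typo_candidates(domain):
    """Map each single-typo variant of the first label to the kind of typo."""
    name, dot, rest = domain.lower().partition(".")
    found = {}
    for i, ch in enumerate(name):
        found.setdefault(name[:i] + name[i + 1:], "omission")
        found.setdefault(name[:i] + ch + name[i:], "repetition")
        if i + 1 < len(name) and ch != name[i + 1]:
            swapped = name[:i] + name[i + 1] + ch + name[i + 2:]
            found.setdefault(swapped, "transposition")
        for near in neighbours(ch):
            found.setdefault(name[:i] + near + name[i + 1:], "adjacent-key")
    # Drop the empty variant a one-character label would produce.
    return {v + dot + rest: kind for v, kind in sorted(found.items()) if v}


if __name__ == "__main__":
    for variant, kind in typo_candidates("example.com").items():
        print(f"{variant:<16} {kind}")
```

The three domains listed above all appear in the output for example.com, and the squatted domain from this section is an omission variant of accuweather.com.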

Unicode Phishing Domains

Recently researchers at Wordfence have provided examples of using Unicode characters to trick a user's web browser URL bar into appearing as if it's visiting a legitimate site. In actuality the site being visited had no affiliation with the address appearing in the URL bar.

https://www.epic.com/ versus https://www.xn--e1awd7f.com/

The second URL renders as the following in both Firefox and Chrome:

[Image: the browser URL bar as rendered for the second URL]

 

 

https://www.xn--80ak6aa92e.com/

http://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html


Conclusion

Again, digging through my spam emails proved to be fruitful. I was able to notify customers whose users were being targeted in a phishing campaign and of a problem where a domain squatter is using their typo'd domain to spread malware. I hope you might be able to use some of this information to bolster your own network security. Spam isn't just a nuisance but can be a sophisticated attacker when you are the target. In my next blog post I'll take a look at all of these fake news sites we've heard about. I'll start by examining fake sites out to turn a profit and wander out of my spam folder to examine fake news sites attempting to change people's political views.

 

 

 

 

 
