15 January 2023

Investigation of phishing scheme

Since November 2022 I've received several suspicious emails in my mailbox. This is unusual for Gmail (I think Gmail has the best spam/virus filter ever). Therefore, I decided to investigate what it is.

Let's investigate the latest one (08.01.2023).

The email

The subject of the email, "Nor would he suffer any to be cruel to bird or beast", is a quote from "The Star-Child" by Oscar Wilde. The body also consists of various quotes. Probably this allows it to pass spam filters.

The sender (Antoinette Kilman <kilmanantoinetteozdqf@gmail.com>) also uses a Gmail account.

All 11 recipients are also on Gmail.

The body is in plain text format with the UTF-8 charset. No links, just a "61716.pdf" attachment.

All headers and SPF/DMARC/DKIM checks are good. There is only one interesting point:
Received: by 2002:a05:6919:60b:b0:f9:5832:6b54 with HTTP; Sat, 7 Jan 2023 20:01:13 -0800 (PST)
"with HTTP" indicates that the Gmail web interface was used.
Unfortunately, I could not find any information about the IPv6 address "2002:a05:6919:60b:b0:f9:5832:6b54".

The attachment

Kaspersky antivirus instantly identified this file as "HEUR:Hoax.PDF.Phish.gen" (a PDF file with phishing links).
I performed all the following actions in an isolated virtual machine without antivirus to analyze the behavior and the scheme.


The PDF file consists of a low-quality image and a link only. The link leads to https://docs.google.com/drawings/d/1aRkNa***rKv28/preview#41***225 (I broke the link to avoid any issues).
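The header and attachment checks described above (the "with HTTP" Received line, a quote-only body without links, and a PDF whose only payload is a link) as an added triage script; this is not code from the original post, and the message, sender address, Received address and PDF are constructed placeholders:

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Constructed minimal PDF (not the original attachment): its only content is a
# /Link annotation pointing at a placeholder Google Drawings URL.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://docs.google.com/drawings/d/PLACEHOLDER/preview) >> >> endobj\n%%EOF\n"
)
URI_RE = re.compile(rb"/URI\s*\((.*?)\)")   # /URI (...) inside PDF link actions
URL_RE = re.compile(r"https?://\S+")

def build_sample() -> bytes:
    """Constructed message mirroring the post's indicators: quote-only body,
    a 'with HTTP' Received header and a single PDF attachment."""
    msg = EmailMessage()
    msg["Received"] = "by 2002:db8::1 with HTTP; Sat, 7 Jan 2023 20:01:13 -0800 (PST)"
    msg["From"] = "Sender Name <sender.placeholder@gmail.com>"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Nor would he suffer any to be cruel to bird or beast"
    msg.set_content("Nor would he suffer any to be cruel to bird or beast.")
    msg.add_attachment(SAMPLE_PDF, maintype="application", subtype="pdf",
                       filename="61716.pdf")
    return msg.as_bytes()

def triage(raw: bytes) -> dict:
    """Record the indicators a defender wants before the attachment is ever opened."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received", [])
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        attachments.append({
            "filename": part.get_filename(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_pdf": data.startswith(b"%PDF"),
            "links": [u.decode("latin-1") for u in URI_RE.findall(data)],
        })
    return {
        "subject": str(msg["Subject"]),
        "webmail_submission": any("with HTTP" in r for r in received),
        "body_links": URL_RE.findall(body_text),
        "attachments": attachments,
        # The pattern from the post: no links in the body, links only inside a PDF.
        "link_hidden_in_pdf": not URL_RE.findall(body_text)
                              and any(a["is_pdf"] and a["links"] for a in attachments),
    }
```

The extracted URL and SHA-256 can be checked against reputation sources without rendering the PDF, which is where the phishing page would otherwise be reached.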


The link leads to https://go.feleads.online/click?pid=***. Then it is redirected to a Gazprombank phishing website, https://cork-red.com/?transaction_id=***


After submitting a simple poll and contact information I got a congratulation, and a request with my information was sent to https://api.cork-red.com. I filled in a temporary email address (https://temp-mail.org) and phone number (https://receive-smss.com) to check what they would send me. But I didn't get anything.



The scheme

Email → PDF → Google Docs → go.feleads.online → trx.flyaff.com → cork-red.com → api.cork-red.com

Probably, the intruders will try to contact me (my fake contacts) later in the hope of deceiving me personally.

Simple analysis of affected domains


Interesting point: 2 of the 3 domains were registered in January 2023, a few days before the email was sent.

Attention!

Do not open suspicious emails. Do not follow suspicious links. Don't repeat these actions. Always use antivirus.
