Since November 2022 I've received several suspicious emails in mailbox. This is unusual for Gmail (I think that Gmail has best spam/virus filter ever). Therefore, I decide to investigate what is it.
Let's investigate the latest (08.01.2023).
The email
Subject of the email "Nor would he suffer any to be cruel to bird or beast" is quote from "The Star-Child" by Oscar Wilde". The body also consists of various quotes. Probably it allows pass spam filters.
Sender (Antoinette Kilman <kilmanantoinetteozdqf@gmail.com>) use also Gmail account.
All 11 recipients are also in Gmail.
Body in plain text format and UTF-8 charset. No links, just "61716.pdf" attachment.
All headers and SPF/DMARC/DKIM checks are good. There is only one interesting point:
Received: by 2002:a05:6919:60b:b0:f9:5832:6b54 with HTTP; Sat, 7 Jan 2023 20:01:13 -0800 (PST)
"with HTTP" indicates that was used web interface of Gmail.Unfortunately, I could not find any information regarding the IPv6 address "2002:a05:6919:60b:b0:f9:5832:6b54".The attachment
Kaspersky antivirus instantly identified this file as "HEUR:Hoax.PDF.Phish.gen" (PDF file with phishing links).
All the following actions I performed in isolated virtual machine without antivirus to analyze behavior and the scheme.
The PDF file consists of a low quality image and link only. The link leads to https://docs.google.com/drawings/d/1aRkNa***rKv28/preview#41***225 (I broke the link to avoid any issues)
The link leads to https://go.feleads.online/click?pid=***. Then it is redirected to phishing website of Gazprombank https://cork-red.com/?transaction_id=***
The scheme
Email → PDF → Google Docs → go.feleads.online → trx.flyaff.com → cork-red.com → api.cork-red.com
Probably, intruders will try to contact me (my fake contacts) later with hope to deceive me personally.
Simple analysis of affected domains
Attention!
Do not open suspicious emails. Do not follow the suspicious links. Don't repeat these actions. Always use antivirus.
No comments:
Post a Comment