SpiderLabs Blog

You Just Received 25k USD in Your BTC Account! A Practical Phishing Defense Tutorial

From time to time, we all receive unexpected messages, either through social media or email. Usually these are harmless, meant to advertise a product or a service.

Sometimes, however, they are malicious, intended to steal our data and eventually our money; this is a so-called “phishing” attack. The people who send them, phishers, rely on several factors:

  • Lack of technical knowledge of the recipient
  • Recipient’s limited time to carefully read the message
  • Low resources within the security department of a given company or lack of security awareness training (if a specific company is the target)

These factors are why phishing attacks are so successful and still alive to this day. Most phishing attacks are sent through email, since this is the easiest way to reach a person or a company and deliver a malicious link or file with an incentive to click or open it.

Below is an email I received three days ago. It basically says “we gave you cash in bitcoin, click here to confirm the transfer”. Wow, am I going to be rich? Let’s see:

Image001

Before we click to receive our 25K USD, let’s check if this is legit. There are several buttons we can click inside this email, but the most obvious one is “Confirm here”, so let’s hover the mouse pointer over it and see what address it wants to take us to:

Image002

So, the link above is our first foothold; this is where we can start analyzing what this financial gain opportunity scam is all about. We can check where the link takes us without actually clicking it, e.g. by using VirusTotal. First, we copy the link from the button:

Image003

Then we go to https://www.virustotal.com/gui/ and paste it:

Image004

After a few moments we get the results; as we can see, one anti-virus engine recognized the link as phishing. This is where we can confirm this is a phishing email, so we can delete it and go about our day.

Image005

But since I’m curious, I decided to click the “Details” tab to see where this link redirects to. If you’d like to delve a bit deeper into the technical analysis, I invite you to continue reading:

Image006

Now let’s open this link and see what it is exactly. I opened it in an HTTP proxy tool to see what’s under the hood. Below we can see a “raw” HTTP request, which is a fancy way of saying that I clicked the link we got from the “Details” tab and the interceptor shows the actual content about to be sent:

Image007

Below we can also see the raw response from the server; as we can see, its contents deliver a script redirecting us to yet another address:

Image008

After analyzing that address, we can see that it too is recognized as phishing:

Image009

Since I have no instinct of self-preservation, I follow it anyway:

Image010

Another redirection, this time to the “finance-mondays.net” domain; we can see that domain in the “Location” header below:

Image011
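The two redirect mechanisms in the chain above, a script in the response body and a “Location” header, can be pulled out of raw proxy responses without executing anything from the pages. The following is an added example (Python standard library only), not code from the post; the `.example` hostnames and the responses are constructed, and `fetch` is a caller-supplied callable so the chain can be traced offline or plugged into any HTTP client.

```python
import re
from urllib.parse import urljoin

# Redirect mechanisms seen in the post: a 3xx Location header, or an inline
# script assigning window.location / location.href (or calling location.replace).
SCRIPT_RE = re.compile(
    r"""(?:window\.)?location(?:\.href)?\s*(?:=|\.replace\s*\()\s*['"]([^'"]+)['"]""",
    re.I)

def parse_raw_response(raw):
    """Split a raw HTTP response (as a proxy shows it) into status, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers, body

def next_hop(current_url, raw):
    """Return (mechanism, absolute next URL), or (None, None) at the last stop."""
    status, headers, body = parse_raw_response(raw)
    if 300 <= status < 400 and "location" in headers:
        return "location-header", urljoin(current_url, headers["location"])
    m = SCRIPT_RE.search(body)
    if m:
        return "script", urljoin(current_url, m.group(1))
    return None, None

def trace_chain(start_url, fetch, max_hops=10):
    """Walk the chain via fetch(url) -> raw response; pages are parsed, never executed."""
    chain, url, seen = [(start_url, None)], start_url, {start_url}
    for _ in range(max_hops):
        mechanism, nxt = next_hop(url, fetch(url))
        if nxt is None or nxt in seen:   # last stop, or a redirect loop
            break
        chain.append((nxt, mechanism))
        seen.add(nxt)
        url = nxt
    return chain

RESPONSES = {  # constructed sample responses standing in for the post's hops (not the real sites)
    "http://hop1.example/c/abc": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><script>window.location = 'http://hop2.example/go';</script></html>",
    "http://hop2.example/go": "HTTP/1.1 302 Found\r\nLocation: https://landing.example/offer?ref=1\r\n\r\n",
    "https://landing.example/offer?ref=1": "HTTP/1.1 200 OK\r\n\r\n<html>Final page</html>",
}

def demo_chain():
    return trace_chain("http://hop1.example/c/abc", RESPONSES.__getitem__)
```

Each hop in the returned list is labelled with the mechanism that produced it, so the same chain the proxy screenshots show can be reproduced, and checked against VirusTotal, hop by hop.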

Finally, we arrive at the “finance-mondays.net” domain which is the last stop before the endgame of this phishing:

Image012

Image013

This is how the site looks in the browser. As we can see, there’s a video clip of Bill Gates telling us how we can make cash on BTC, and in the upper right corner someone allegedly just earned 158 USD. Nice, this must be the real deal!

Image014

Since this looks so good, let’s fill in our data; after all, we want to change our lives today! (Also, did you notice there is nothing here about the initial 25K USD we would allegedly receive? Oh well.) After filling out our data we are greeted by a “congratulations” popup with yet another button carrying a redirect link:

Image015

After clicking the button, we are taken to the “lrpit.com” domain:

Image016

This yet again executes another redirect script:

Image017

This redirects us to the “profitstrade.com” domain:

Image018

Image019

Image020

A quick search on the “profitstrade.com” domain tells us it’s a scam:

Image021

As bonus trivia, there are more scam sites connected to this phishing campaign; one of the other attempts redirected me to the “cashier.marginelite.com” domain, which asked me for my card details:

Image022

This site is also listed as a scam:

Image023

The opinions below basically say “this is a scam; I paid and lost my money”:

Image024

And this is the final endgame of this phishing – clicking a button from an email saying you received a large transfer of money can make you transfer a large amount of money, but to the criminals behind this scheme.

We can also do a bonus check: has our email address been leaked somewhere? After all, phishing/spam emails have to be sent to known email addresses, so where do criminals find them? In leaks. A leak, in this case, is where we give our data (e.g. an email address) to someone, that someone suffers a database breach, and records from that database are disclosed to third parties. This usually happens when database access is exposed to the internet, either through a service misconfiguration or an insider attack (a disgruntled employee, etc.).

To check whether our email address has been leaked, we can use an excellent service called https://haveibeenpwned.com/. So let’s do that for the inbox which received the phishing email we just analyzed:

Image025

Oh no, this inbox has been leaked somewhere. Let’s see which service(s) leaked my email address:

Image026

Not so great, time to create a new inbox, I think.

So, a few takeaways to defend yourself when you receive a dubious email:

  • Check if the email content makes sense (is the grammar correct? If there are company logos, are they true to the original? Do you have a BTC account, or did you order something lately?)
  • Check links from the email using VirusTotal or your favorite search engine to see whether they are legitimate, before you click them.
  • If there are files attached, do not open them unless you are 100% certain the sender is legitimate and you were expecting this message.
  • It may also be a good idea to ditch an old mailbox which receives lots of spam, create a new one, and avoid giving out its address where unnecessary.
  • Bonus tip: In general, whenever faced with a stressful situation, take a step back, take three deep breaths, and do your best to assess the situation in a logical manner. Decisions based on emotions rarely end well.
  • Second bonus tip: if something seems too good to be true, it usually is.

And finally:

Image027
