SpiderLabs Blog

You Just Received 25k USD in Your BTC Account! A Practical Phishing Defense Tutorial

From time to time, we all receive unexpected messages, whether through social media or email. Usually these are harmless and simply advertise a product or a service.

However, sometimes they are malicious, intended to steal our data and eventually our money; this is a so-called “phishing” attack. The people who send out these attacks, phishers, rely on several factors:

  • Lack of technical knowledge of the recipient
  • Recipient’s limited time to carefully read the message
  • Low resources within the security department of a given company or lack of security awareness training (if a specific company is the target)

The factors above are the reason why phishing attacks are so successful and still thrive to this day. Most phishing is sent by email, since this is the easiest way to reach a person or a company and deliver a malicious link or file together with an incentive to click or open it.

Below is an email I received three days ago. It basically says “we gave you cash in bitcoin, click here to confirm the transfer”. Wow, am I going to be rich? Let’s see:

Image001

Before we click to receive our 25K USD, let’s check whether this is legit. There are several buttons we can click inside this email, but the most obvious one is “Confirm here”, so let’s just hover the mouse pointer over it and see which address it wants to take us to:

Image002

So, the link above is our first foothold; this is where we can start analyzing what this financial-gain-opportunity scam is all about. We can check where the link takes us without actually clicking it, e.g. by submitting it to VirusTotal. First, we copy the link from the button:
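Hovering works for one button, but a mail can hide several links, and the text on a link says nothing about where it really points. The script below is an added example (not code from the original post) that does the "hover" for every link in a message at once: it parses a constructed sample email, lists the real target host of each anchor, and flags links whose displayed text is a URL for a different host or whose host is not the sender's. All domains in the sample are placeholders, not indicators from this campaign.

```python
"""List the real targets of every link in an email before anyone clicks them.

Added example. SAMPLE_EML is constructed for this demonstration and its
domains are placeholders, not indicators from the campaign described above.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible button text and the From domain have
# nothing to do with where the links actually point.
SAMPLE_EML = """\
From: BTC Support <support@btc-wallet.example>
To: victim@example.org
Subject: You Just Received 25k USD in Your BTC Account!
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We transferred 25,000 USD to your account.</p>
<p><a href="https://confirm-transfer.example/r?u=abc123">Confirm here</a></p>
<p>Or visit <a href="https://track.redirector.example/go">https://btc-wallet.example/account</a></p>
<p><a href="https://btc-wallet.example/unsubscribe">Unsubscribe</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host):
    """Crude 'last two labels' comparison; good enough for a triage view."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_links(raw_eml):
    """Return one record per link: where it really goes and why it looks suspicious."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sender_host = msg["From"].addresses[0].domain
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = LinkCollector()
    collector.feed(body)

    records = []
    for href, text in collector.links:
        target_host = urlparse(href).hostname or ""
        reasons = []
        # The link text looks like a URL but the anchor points somewhere else.
        if text.startswith("http") and (urlparse(text).hostname or "") != target_host:
            reasons.append("displayed URL differs from real target")
        # The link leaves the domain the mail claims to come from.
        if registrable_part(target_host) != registrable_part(sender_host):
            reasons.append("target domain differs from sender domain")
        records.append({"text": text, "href": href, "host": target_host, "reasons": reasons})
    return records


if __name__ == "__main__":
    for rec in analyze_links(SAMPLE_EML):
        flag = "SUSPICIOUS" if rec["reasons"] else "ok"
        print(f'{flag:10} "{rec["text"]}" -> {rec["host"]}  {"; ".join(rec["reasons"])}')
```

The sender-domain comparison is deliberately simple (last two labels), so it will over-flag legitimate tracking domains used by mass mailers; that is the right failure direction for a triage tool, since every flagged host is then a candidate for the VirusTotal check described next.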

Image003

Then we go to https://www.virustotal.com/gui/ and paste it:

Image004

After a few moments we get the results, and as we can see one anti-virus engine recognized the link as phishing. This is where we can confirm this is a phishing email, so we can delete it and go about our day.
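The same check can be scripted for people who triage suspicious mail regularly. The block below is an added example, not code from the original post: it builds the VirusTotal API v3 request for a URL report (the API identifies a URL by its unpadded URL-safe base64 encoding) and reduces a report to the three facts a recipient needs: the verdict, which engines flagged it and as what, and whether the link quietly redirects elsewhere. `SAMPLE_REPORT` is a constructed stand-in for the JSON a real report returns (real reports carry many more fields), and its URLs are placeholders.

```python
"""Run the VirusTotal URL check from a script and summarize the result.

Added example, not code from the original post. vt_url_id() follows the
VirusTotal API v3 convention that a URL object's identifier is the unpadded
URL-safe base64 encoding of the URL. SAMPLE_REPORT is a constructed stand-in
for a real report; its URLs are placeholders, not indicators from the campaign.
"""
import base64
import json

VT_API = "https://www.virustotal.com/api/v3"


def vt_url_id(url):
    """Identifier VirusTotal uses for a URL object: base64url(url) with '=' padding removed."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def vt_report_request(url, api_key):
    """Method, endpoint and headers for fetching the existing report of a URL.

    Send it with any HTTP client; the response body is what summarize_report() consumes.
    """
    return "GET", f"{VT_API}/urls/{vt_url_id(url)}", {"x-apikey": api_key}


# Constructed response: one engine calls the link phishing, one is merely
# suspicious, the rest see nothing, and the scanned URL redirected elsewhere.
SUBMITTED_URL = "https://confirm-transfer.example/r?u=abc123"
SAMPLE_REPORT = json.dumps({
    "data": {
        "type": "url",
        "id": vt_url_id(SUBMITTED_URL),
        "attributes": {
            "url": SUBMITTED_URL,
            "last_final_url": "https://landing.example/offer",
            "last_analysis_stats": {
                "harmless": 68, "malicious": 1, "suspicious": 1,
                "undetected": 20, "timeout": 0,
            },
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "phishing"},
                "EngineB": {"category": "suspicious", "result": "suspicious"},
                "EngineC": {"category": "harmless", "result": "clean"},
            },
        },
    },
})


def summarize_report(report_json):
    """Reduce a URL report to verdict, flagged engines and redirect target.

    A single 'malicious' hit is enough for the verdict: many engines only list
    URLs they have positively confirmed, so one detection is not noise.
    """
    attrs = json.loads(report_json)["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    if stats.get("malicious", 0) > 0:
        verdict = "malicious"
    elif stats.get("suspicious", 0) > 0:
        verdict = "suspicious"
    else:
        verdict = "clean"
    flagged = {
        engine: r["result"]
        for engine, r in attrs["last_analysis_results"].items()
        if r["category"] in ("malicious", "suspicious")
    }
    final_url = attrs.get("last_final_url")
    redirects_to = final_url if final_url and final_url != attrs["url"] else None
    return {"verdict": verdict, "flagged": flagged, "redirects_to": redirects_to}


if __name__ == "__main__":
    method, endpoint, headers = vt_report_request(SUBMITTED_URL, "<your-api-key>")
    print(f"{method} {endpoint}")
    print(summarize_report(SAMPLE_REPORT))
```

The `redirects_to` field is the scripted equivalent of the “Details” tab the next paragraph opens: when the final URL differs from the one submitted, the link is a hop, not a destination.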

Image005

But since I’m curious, I decided to click the “Details” tab to see where this link redirects. If you’d like to delve a bit deeper into the technical analysis, I invite you to continue reading:

Image006

Now let’s open this link and see what it is exactly. I opened it in an HTTP proxy tool to see what’s under the hood; below is the “raw” HTTP request, which is a fancy way of saying I clicked the link we got from the “Details” tab and the interceptor shows the actual content to be sent:

Image007

And below we can also see the raw response from the server; its contents deliver a script redirecting us to yet another address:

Image008

After analyzing that address, we can see that again it’s being recognized as phishing:

Image009

Since I have no instinct of self-preservation, I follow it anyway:

Image010

Another redirection, this time to the “finance-mondays.net” domain; we can see that domain in the “Location” header below:

Image011

Finally, we arrive at the “finance-mondays.net” domain, which is the last stop before the endgame of this phishing:
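The chain above was walked by hand in a proxy: a script redirect, then a 3xx with a `Location` header, each landing on a new domain. The block below is an added example (not code from the original post) that records such a chain automatically without letting a browser execute any of it: every hop is fetched with redirects disabled and the next URL is read from the `Location` header, an HTML meta refresh, or a `window.location` assignment in the body. `FAKE_SERVERS` and `fake_fetch` are a constructed offline stand-in for the real servers, with placeholder domains rather than the ones seen in this campaign.

```python
"""Walk a redirect chain hop by hop without letting a browser run it.

Added example, not code from the original post. FAKE_SERVERS is a constructed
stand-in for the real servers so the walk runs offline; its domains are
placeholders, not the ones seen in the campaign described above.
"""
import re
from urllib.parse import urljoin

# Constructed chain: JavaScript redirect -> HTTP 302 -> meta refresh -> landing page.
FAKE_SERVERS = {
    "https://first-hop.example/click?id=1": (
        200, {"Content-Type": "text/html"},
        '<html><script>window.location.href="https://second-hop.example/go";</script></html>',
    ),
    "https://second-hop.example/go": (302, {"Location": "/landing"}, ""),
    "https://second-hop.example/landing": (
        200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" content="0; url=https://final-stop.example/offer"></head></html>',
    ),
    "https://final-stop.example/offer": (200, {"Content-Type": "text/html"}, "<html>Offer page</html>"),
}


def fake_fetch(url):
    """Stand-in for an HTTP GET that does NOT follow redirects: returns (status, headers, body)."""
    return FAKE_SERVERS.get(url, (404, {}, ""))


# The two body-based redirect idioms seen in the proxy screenshots, besides Location headers.
META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]+content=["'][^"']*?url=([^"'>\s]+)""", re.I)
JS_LOCATION = re.compile(
    r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""")


def next_hop(url, status, headers, body):
    """Return (mechanism, absolute next URL), or None if this response is a final page."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        return "http-3xx", urljoin(url, hdrs["location"])
    m = META_REFRESH.search(body)
    if m:
        return "meta-refresh", urljoin(url, m.group(1))
    m = JS_LOCATION.search(body)
    if m:
        return "javascript", urljoin(url, m.group(1))
    return None


def follow_chain(start, fetch, max_hops=10):
    """Record every hop from the emailed link to the landing page.

    Stops at a final page, after max_hops, or when a URL repeats (a loop),
    so a misbehaving server cannot keep the analysis running forever.
    """
    chain = [{"url": start, "via": "email link"}]
    seen = {start}
    url = start
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        hop = next_hop(url, status, headers, body)
        if hop is None:
            break
        via, url = hop
        if url in seen:
            chain.append({"url": url, "via": via + " (loop, stopping)"})
            break
        seen.add(url)
        chain.append({"url": url, "via": via})
    return chain


if __name__ == "__main__":
    for i, hop in enumerate(follow_chain("https://first-hop.example/click?id=1", fake_fetch)):
        print(f"{i}: {hop['url']}  [{hop['via']}]")
```

To run this against a live chain, only `fetch` changes: supply a function that performs the GET with automatic redirects disabled (for example `urllib.request` with a redirect handler that returns the 3xx response instead of following it) from an isolated analysis machine. Keeping the fetcher separate from the hop-detection logic is also what makes the chain walk testable offline.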

Image012

Image013

This is how the site looks in the browser. As we can see there’s a movie clip with Bill Gates telling us how we can make cash on BTC, and in the upper right corner someone just allegedly earned 158 USD. Nice, this must be a real deal!

Image014

Since this looks so good, let’s fill in our data; after all, we want to change our lives today! (Also, did you notice there is nothing here about the initial 25K USD we would allegedly receive? Oh well.) After filling out our data we are greeted by the “congratulations” popup with yet another button with a redirect link:

Image015

After clicking the button, we are taken to the “lrpit.com” domain:

Image016

Which yet again executes another redirect script:

Image017

Which redirects us to the “profitstrade.com” domain:

Image018

Image019

Image020

Quick research on the “profitstrade.com” domain tells us it’s a scam:

Image021

As bonus trivia, there are more scam sites connected to this phishing campaign; one of the other attempts redirected me to the “cashier.marginelite.com” domain, which asked me for my card details:

Image022

This site is also listed as a scam:

Image023

Opinions below basically say “this is a scam; I paid and lost my money”:

Image024

And this is the final endgame of this phishing – clicking a button from an email saying you received a large transfer of money can make you transfer a large amount of money, but to the criminals behind this scheme.

Also, as a bonus check, we can see whether our email address has been leaked somewhere. After all, phishing/spam emails have to be sent to known email addresses, so where do criminals find them? In leaks. A leak, in this case, is where we give our data (e.g. an email address) to someone, that someone suffers a database breach, and records from that database are disclosed to third parties. This usually happens when database access is exposed to the internet through a service misconfiguration, or through an insider attack (a disgruntled employee etc.).

To check whether our email address has been leaked we can use an excellent service called Have I Been Pwned: https://haveibeenpwned.com/. So let’s do that on the email inbox which received the phishing we just analyzed:

Image025

Oh no, this inbox has been leaked somewhere. Let’s see which service(s) leaked my email address:

Image026

Not so great, time to create a new inbox, I think.

So, a few takeaways to defend yourself when you receive a dubious email:

  • Check if the email content makes sense (is the grammar correct? If there are company logos, are they true to the original? Do you have a BTC account or did you order something lately?)
  • Check links from the email using VirusTotal or your favorite search engine to verify they are legitimate, before you click them.
  • If there are files attached, do not open them unless you are 100% certain the sender is legitimate, and you were expecting this message.
  • Also, it may be a good idea to ditch an old mailbox which receives lots of spam, create a new one, and avoid giving out its address where unnecessary.
  • Bonus tip: In general, whenever faced with a stressful situation, take a step back, take three deep breaths, and do your best to assess the situation in a logical manner. Decisions based on emotions rarely end well.
  • Second bonus tip: if something seems too good to be true, it usually is.

And finally:

Image027
