From time to time, we all receive unexpected messages, either through social media or email. Usually these are harmless, meant to advertise a product or a service.
However, sometimes they are malicious, intended to steal our data and eventually our money; this is a so-called “phishing” attack. The people who send out these attacks, phishers, rely on several factors:
- Lack of technical knowledge of the recipient
- Recipient’s limited time to carefully read the message
- Low resources within the security department of a given company or lack of security awareness training (if a specific company is the target)
The factors above are why phishing attacks are so successful and still thriving today. Most phishing attacks are sent by email, since this is the easiest way to reach a person or a company and deliver a malicious link or file with an incentive to click or open it.
Below is an email I received three days ago. It basically says “we gave you cash in bitcoin, click here to confirm the transfer”. Wow, am I going to be rich? Let’s see:
Before we click to receive our 25K USD, let’s check if this is legit. There are several buttons we can click inside this email, but the most obvious one is “Confirm here”. Let’s just hover the mouse pointer over it and see what address it wants to take us to:
So, the link above is our first foothold; this is where we can start analyzing what this financial opportunity scam is all about. We can check where the link takes us without actually clicking it, e.g. by using VirusTotal. First, we copy the link from the button:
Then we go to https://www.virustotal.com/gui/ and paste it:
After a few moments we get the results; as we can see, one anti-virus engine recognized the link as phishing. This is where we can confirm that this is a phishing email, so we can delete it and go about our day.
But since I’m curious, I decided to click the “Details” tab to see where this link redirects. If you’d like to delve a bit deeper into the technical analysis, I invite you to continue reading:
Now let’s open this link and see what it is exactly. I opened it in an HTTP proxy tool to see what’s under the hood. Below we can see a “raw” HTTP request, which is a fancy way of saying I clicked the link we got from the “Details” tab and the interceptor shows the actual content to be sent:
And below we can also see the raw response from the server; as we can see, its contents deliver a script redirecting us to yet another address:
After analyzing that address, we can see that it too is recognized as phishing:
Since I have no instinct of self-preservation, I follow it anyway:
Another redirection, this time to the “finance-mondays.net” domain; we can see that domain in the “Location” header below:
Finally, we arrive at the “finance-mondays.net” domain which is the last stop before the endgame of this phishing:
This is how the site looks in the browser. As we can see, there’s a video clip with Bill Gates telling us how we can make cash on BTC; also, in the upper right corner, someone allegedly just earned 158 USD. Nice, this must be the real deal!
Since this looks so good, let’s fill in our data; after all, we want to change our lives today! (Also, did you notice there is nothing here about the initial 25K USD we were allegedly going to receive? Oh well.) After filling out our data we are greeted by a “congratulations” popup with yet another button carrying a redirect link:
After clicking the button, we are taken to the “lrpit.com” domain:
Which yet again executes another redirect script:
Which redirects us to the “profitstrade.com” domain:
A quick search on the “profitstrade.com” domain tells us it’s a scam:
As bonus trivia, there are more scam sites connected to this phishing campaign; one of the other attempts redirected me to the “cashier.marginelite.com” domain, which asked me for my card details:
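To make the hop-by-hop walk above reproducible without a browser, here is an added Python example (not code from the original post) that reads raw HTTP responses like the ones shown in the proxy and pulls out the next address for each redirect style in this chain: a script that sets location, a Location header on a 3xx, and, for completeness, a meta refresh. The captured responses and the `.example` URLs are constructed stand-ins, and nothing is fetched from the network.

```python
import re

# Constructed captures modelled on the hop types seen above (not the real traffic): a JavaScript
# redirect, an HTTP 302 with a Location header, a meta refresh, and a final landing page.
CAPTURES = {
    "https://first-hop.example/confirm": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b'<html><script>window.location.href="https://second-hop.example/go?x=1";</script></html>',
    "https://second-hop.example/go?x=1": b"HTTP/1.1 302 Found\r\nLocation: https://third-hop.example/lp\r\n\r\n",
    "https://third-hop.example/lp": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b'<html><meta http-equiv="refresh" content="0; url=https://final-hop.example/"></html>',
    "https://final-hop.example/": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Landing</body></html>",
}

JS_REDIRECT = re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", re.I)
META_REFRESH = re.compile(r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]+url=([^"'>\s]+)""", re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, lower-cased header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {n.strip().lower(): v.strip() for n, _, v in (h.partition(":") for h in lines[1:])}
    return status, headers, body.decode("utf-8", "replace")


def next_hop(raw: bytes):
    """Return (mechanism, url) for the redirect this response performs, or ("none", None)."""
    status, headers, body = parse_response(raw)
    if 300 <= status < 400 and "location" in headers:  # server-side redirect via Location header
        return "http-location", headers["location"]
    m = META_REFRESH.search(body)  # client-side redirect via <meta http-equiv="refresh">
    if m:
        return "meta-refresh", m.group(1)
    m = JS_REDIRECT.search(body)  # client-side redirect via a location assignment in script
    if m:
        return "javascript", m.group(1)
    return "none", None


def trace_chain(captures: dict, start_url: str, max_hops: int = 10):
    """Walk pre-captured responses from start_url; stop at a landing page, a loop, or a missing capture."""
    hops, url = [("start", start_url)], start_url
    for _ in range(max_hops):
        if url not in captures:
            break
        mechanism, url = next_hop(captures[url])
        if url is None or any(seen == url for _, seen in hops):
            break
        hops.append((mechanism, url))
    return hops
```

Feeding it real proxy captures keyed by the URL they were fetched for produces the same kind of chain the screenshots above walk through by hand, and the loop guard keeps a redirect that points back at itself from running forever.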
This site is also listed as a scam:
The opinions below basically say “this is a scam; I paid and lost my money”:
And this is the final endgame of this phishing: clicking a button in an email saying you received a large transfer of money can make you transfer a large amount of money, but to the criminals behind this scheme.
As a bonus check, we can also see whether our email address has been leaked somewhere. After all, phishing/spam emails have to be sent to known email addresses, so where do criminals find them? In leaks. A leak, in this case, is where we give our data (e.g. an email address) to someone, that someone suffers a database breach, and records from that database are disclosed to third parties. This usually happens when database access is exposed to the internet, either through a service misconfiguration or an insider attack (a disgruntled employee, etc.).
To check whether our email address has been leaked, we can use an excellent service called Have I Been Pwned: https://haveibeenpwned.com/. So let’s do that for the inbox which received the phishing email we just analyzed:
Oh no, this inbox has been leaked somewhere; let’s see which service(s) leaked my email address:
Not so great, time to create a new inbox, I think.
So, a few takeaways to defend yourself when you receive a dubious email:
- Check if the email content makes sense (is the grammar correct? If there are company logos, are they true to the original? Do you have a BTC account, or did you order something lately?)
- Check links from the email using VirusTotal or your favorite search engine to see whether they are legitimate, before you click them.
- If there are files attached, do not open them unless you are 100% certain the sender is legitimate, and you were expecting this message.
- Also, it may be a good idea to ditch an old mailbox which receives lots of spam, create a new one, and avoid giving out its address where unnecessary.
- Bonus tip: In general, whenever faced with a stressful situation, take a step back, take three deep breaths, and do your best to assess the situation in a logical manner. Decisions based on emotions rarely end well.
- Second bonus tip: if something seems too good to be true, it usually is.