From Nigerian Princes to Amazon Accounts

CyberInsights LongReads #5

In this edition of LongReads, I look at a phishing mail that I received and analyse it.

The lay readers can find ways to identify if a mail is a phishing mail and protect themselves, while the cybersecurity professionals can follow along and understand one of the many methods of analysing such mails.

---

Nigerian princes no longer offer to send us millions of dollars. Sadly, it does not mean that phishing no longer exists.

From GIPHY Website

Phishing continues. And it is getting more sophisticated by the day.

The below write up is from a phishing mail that I received. As a cybersecurity professional, I have some experience in this. Follow my path at your own peril.

I have shared all details about the phish, including urls and screenshots. To prevent readers from inadvertently clicking the link, I have replaced the periods with [dot] in some places.

Smart people no longer believe the following:

• A Nigerian prince, wanting to take all his money out of the country, wants a benefactor who can helpfully provide a bank account number to take the money out of the country. For that, he is willing to share his vast fortune with the Good Samaritan.

• There are free goodies on offer - a free iPhone being the most common one.

• There is a way that you can - increase your height, reduce your belly, have a perfect hourglass figure, have six-pack abs, grow hair, etc. - from an email

Since people have become smarter, the lure has to change.

The Bait

This is the mail that I received:

Whoa! Amazon account suspended. This is not done. I already suspected a phish. Let me open the mail.

This is what the mail contained:

Check the FROM email ID:

nom98g3n07bqecyhineh@6ryaw1txpd.gaykauaiwedding.com

I use Hey! as my mail of choice. Among other things, it shows the FROM email address right up front.

It would not have been that simple if I had checked the mail from my phone though.

The Attachment

Now that I know it is a phish, I am intrigued to explore it further. I want to know 2 things:

1. Is this spear phishing? Meaning, is it targeted only to me?

2. Is this targeted to users of Amazon Web Services (AWS)? (since that would mean more panic that users of the Amazon marketplace)

I decide to open the attachment. It is a pdf.

FOR INFOSEC PROFESSIONALS:

The SHA 256 for the file is: f25930e87ce8dad422789f885d3aaceae455ae0fff790c20dcba0828926c0e12

There is no need to check the hash of a file. You can analyse it further without recording the hash. However, it is good practice to keep a record of files and hashes, just in case.

The file is simple:

Let me explore the link:

There is only one link in the pdf. The Sign-In button has a link and it points to:

https://docs[dot]google[dot]com/drawings/d/1vdBnyA2rlzyjTwDVtsS5-o0iqGpf2ArIffLmSjYKEso/preview

Google Docs? Interesting.

The entire web page is just this:

There is an interesting gif that ticks the “I’m not a robot” to make it look more authentic. This is a Google Drawing. This points to a second link.

https://www.google.com/url?q=https://tempikbau[dot]com/&sa=D&source=editors&ust=1666162412515701&usg=AOvVaw2dZOok2JQsnwnU3EBulGbp

Phishing Domain

Hmm… it redirects to a domain tempikbau[dot]com. Can we get a little more info about this domain?

FOR INFOSEC PROFESSIONALS:

A simple whois search can reveal a lot of information. Whois.com is the simplest way to look at domain data. dnsstuff.com, mxtoolbox.com are some of the others.

The domain has just been registered. A classic indicator of a phishing domain. Most phishing domains are taken down quickly - they have a very short shelf life.

Clicking on the link in a secure system, it redirects here:

.. and as we proceed, we get an antibot notice.

FOR INFOSEC PROFESSIONALS:

Use a personal firewall that will alert you to domain redirects. This is very useful in analysing dubious domains.

Domain Blocked…

The domain was blocked. It looks like the site has already been reported.

However, I am not sure who reported it and who blocked it, or is it an automated detector that has blocked the traffic.

Let me try again.

… but wait!

Sometimes, the url works, and sometimes it does not. If you try hard enough and are worthy, you get this page:

This is the URL that it connects to:

https://onlinesatukonsong[dot]cloudns[dot]ph/3c6b174d26c6f7e73777644caa40df67/6577a1335cd9371a7bcd943d3111f780.aspx

It points to a domain in the Philippines. A little more information about that domain:

The site has a valid certificate, but the certificate does not belong to Amazon.

To check the certificate, click on the lock icon on your browser.

Taking the bait

For the sake of learning and entertainment, let’s enter some dummy data.

For some reason, the site tries to redirect to cam4[dot]com:

And Safari blocks it as it is not able to establish a secure connection.

cam4[dot]com is registered in the US, and here are the details:

and after repeatedly trying to get phished, we get this page:

After entering a dummy password, here is what we get:

https://onlinesatukonsong[dot]cloudns[dot]ph/76b60bcd5b8aaa819623a84ab55f3939/ef5dcc76435316f814d5a740fb48c107.aspx

and we finally reach the page they want us to fill:

https://onlinesatukonsong[dot]cloudns[dot]ph/76b60bcd5b8aaa819623a84ab55f3939/ef5dcc76435316f814d5a740fb48c107.aspx

and the credit card page:

After entering dummy card data, this is what I got:

I guess this phase repeats itself till they collect enough cards.

The giveaways

This link is not the best phishing link, but it is definitely better than the Nigerian prince scam.

Here are some of the things that revealed that this was a phishing mail.

1. Playing on Fear

It plays on your sense of fear, making you worry that your Amazon account might be blocked. (Read more about the different techniques used by scammers in my book, Monkey, Shakespeare, Typewriter: Cybersecurity for Everyone)

2. Generic Mailer

Go back and see the first pdf. It does not have a name. An indicator of a phishing attack (not a spear phishing one, though) is that it is targeted at many people and hence generic. There will be no reference to an individual.

3. The URL

The URL is the easiest giveaway.

Here, the URL points to a Google Drawing that has a link to another website. Then it points to another domain (tempikbau[dot]com) and then finally to actually where the phishing site is hosted - onlinesatukonsong[dot]cloudns[dot]ph.

Each URL is a dead giveaway that the site is not a genuine one.

4. The domain registration date

The domain was registered on 18th of October. I am writing this post on the 19th. The older a phishing domain gets, the harder it is for it to remain undetected. A newly registered domain name is a big red flag.

5. The certificate

While it is easy to get an SSL certificate (the certificate that gives the little green lock), you can get it only for domains you own. For example, the Amazon domain certificate would be like this:

Any other certificate means the site is questionable.

Conclusion

Phishing attacks, although getting more sophisticated, have their own Achilles’ heel. You can avoid being phished by being aware and knowing where to look.

My initial questions were answered - it was a generic phishing mail and not specifically targeted at me. It was not meant for advanced users, like users of AWS.

Share this analysis with those whom you think would benefit from reading it and fill this poll question before you go.

Loading...

---

CyberInsights LongReads is a part of CyberInsights and delves into one topic in detail each month. If you like what you are reading, you can subscribe to get LongReads in your email. Just remember to check your spam in case you do not receive these mails.

Comments

[A Friend]

Awesome analysis! Keep it up!