From time to time, we all receive unexpected messages, either through social media or email. Usually, these are harmless, meant to advertise a product or a service.
However, sometimes they are malicious, intended to steal our data and eventually our money; this is a so-called “phishing” attack. The people who send out these attacks, phishers, rely on several factors:
- Lack of technical knowledge of the recipient
- Recipient’s limited time to carefully read the message
- Low resources within the security department of a given company or lack of security awareness training (if a specific company is the target)
The factors above are the reason why phishing attacks are so successful and are still alive to this day. Most phishing attacks are sent through email since this is the easiest way to reach a person or a company and send them a malicious link/file with an incentive to click/open it.
Below is an email I received three days ago. It basically says “we gave you cash in bitcoin, click here to confirm the transfer”. Wow, am I going to be rich? Let’s see:
![Image001 Image001](https://npercoco.typepad.com/.a/6a0133f264aa62970b0263e9993ff8200b-800wi)
Before we click to receive our 25K USD, let’s check if this is legit. There are several buttons we can click inside this email, but the most obvious one is “Confirm here”, so let’s just hover the mouse pointer over it and see what address it wants to take us to:
![Image002 Image002](https://npercoco.typepad.com/.a/6a0133f264aa62970b026bdec68e59200c-800wi)
So, the link above is our first foothold; this is where we can start analyzing what this financial gain opportunity scam is all about. We can check where the link takes us without actually clicking it, e.g. with VirusTotal. First, we copy the link from the button:
![Image003 Image003](https://www.trustwave.com/media/17810/6a0133f264aa62970b0263e9994001200b-800wi.png?v=0.0.1)
Then we go to https://www.virustotal.com/gui/ and paste it:
![Image004 Image004](https://npercoco.typepad.com/.a/6a0133f264aa62970b026bdec68e69200c-800wi)
After a few moments we get the results; as we can see, one anti-virus engine recognized the link as phishing. This is enough to confirm this is a phishing email, so we can delete it and go about our day.
![Image005 Image005](https://npercoco.typepad.com/.a/6a0133f264aa62970b026bdec68e6e200c-800wi)
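The “hover over the button and read the real target” step can be done over the whole message at once. The following is an added example, not code from the post: it parses an HTML email body (a constructed sample with placeholder `.test` hosts, not the message shown above), lists the visible text of every link next to the real `href`, flags links whose visible text shows one URL while the `href` points at a different host, and collects the distinct hosts you would then submit to VirusTotal.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML email body (placeholder hosts, not the real campaign).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>We sent you 25,000 USD in Bitcoin.</p>
<a href="http://track.example-redirector.test/r?u=abc123">Confirm here</a>
<a href="http://login.example-bank.test.attacker.test/">https://www.example-bank.test/</a>
<a href="https://www.example-bank.test/help">Help</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (text, href)
        self._href = None    # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:      # only text inside an anchor matters
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    return text.strip().lower().startswith(("http://", "https://", "www."))


def audit_links(html):
    """One finding per link: visible text, real href/host and a 'mismatch' flag.

    mismatch is True when the visible text is itself a URL whose host differs
    from the host the href really goes to (the classic lookalike trick).
    """
    findings = []
    for text, href in extract_links(html):
        real_host = host_of(href)
        shown_host = None
        if looks_like_url(text):
            shown_host = host_of(text if "://" in text else "http://" + text)
        findings.append({
            "text": text,
            "href": href,
            "host": real_host,
            "mismatch": shown_host is not None and shown_host != real_host,
        })
    return findings


def hosts_to_check(html):
    """Distinct target hosts, i.e. the list worth pasting into VirusTotal."""
    return sorted({f["host"] for f in audit_links(html) if f["host"]})


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL_HTML):
        flag = "MISMATCH" if f["mismatch"] else "ok"
        print(f"[{flag}] '{f['text']}' -> {f['href']}")
    print("hosts to check:", hosts_to_check(SAMPLE_EMAIL_HTML))
```

The mismatch flag only catches the case where the displayed text is a URL; a button labelled “Confirm here” never trips it, which is exactly why the hover check (or this listing) is needed for every link, not just the suspicious-looking ones.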
But since I’m curious, I decided to click the “Details” tab to see where this link redirects to. If you’d like to delve a bit deeper into the technical analysis, I invite you to continue reading:
![Image006 Image006](https://npercoco.typepad.com/.a/6a0133f264aa62970b0278801e76d0200d-800wi)
Now let’s open up this link and see what it is exactly. I opened it in an HTTP proxy tool to see what’s under the hood. Below we can see a “raw” HTTP request, which is a fancy way of saying I clicked the link we got from the “Details” tab and the interceptor shows the actual content to be sent:
![Image007 Image007](https://npercoco.typepad.com/.a/6a0133f264aa62970b026bdec68e79200c-800wi)
And below we can also see the raw response from the server; its contents deliver a script redirecting us to yet another address:
![Image008 Image008](https://npercoco.typepad.com/.a/6a0133f264aa62970b0278801e76e3200d-800wi)
After analyzing that address, we can see that again it’s being recognized as phishing:
![Image009 Image009](https://npercoco.typepad.com/.a/6a0133f264aa62970b026bdec68e7d200c-800wi)
Since I have no instinct of self-preservation, I follow it anyway:
![Image010 Image010](https://npercoco.typepad.com/.a/6a0133f264aa62970b0263e9994031200b-800wi)
Another redirection, this time to the “finance-mondays.net” domain; we can see that domain in the “Location” header below:
![Image011 Image011](https://npercoco.typepad.com/.a/6a0133f264aa62970b026bdec68e91200c-800wi)
Finally, we arrive at the “finance-mondays.net” domain which is the last stop before the endgame of this phishing:
![Image012 Image012](https://npercoco.typepad.com/.a/6a0133f264aa62970b0263e9994041200b-800wi)
![Image013 Image013](https://npercoco.typepad.com/.a/6a0133f264aa62970b026bdec68ea5200c-800wi)
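The hops above are of two kinds: a script in a 200 response body that sets `location`, and a 3xx response with a `Location` header. The following is an added example, not the author’s tooling: it reconstructs such a chain from captured responses (status, headers, body) without executing anything, recognising `Location` headers, `<meta http-equiv="refresh">` and the common `location = "..."` / `location.replace("...")` JavaScript forms. The captures and their `.test` hosts are constructed for the example and are not the real campaign’s; in practice the `fetch` callback would be fed by the proxy export from an isolated analysis machine.

```python
import re
from html import unescape
from urllib.parse import urljoin

# Constructed captures modelled on the stages described in the post: a script
# redirect, two 302s (one with a relative Location), a meta refresh, then the
# landing page. Hosts are placeholders, not the real campaign's.
CAPTURED = {
    "http://first-hop.test/click?id=1": (
        200, {}, '<html><script>window.location.href="http://second-hop.test/go";</script></html>'),
    "http://second-hop.test/go": (302, {"Location": "/landing"}, ""),
    "http://second-hop.test/landing": (302, {"Location": "http://landing-page.test/?aff=42"}, ""),
    "http://landing-page.test/?aff=42": (
        200, {}, '<html><meta http-equiv="refresh" content="0; url=https://final.test/signup"></html>'),
    "https://final.test/signup": (200, {}, "<html><form>...</form></html>"),
}

# window.location.href = "..." / location = '...' / location.replace("...") / location.assign("...")
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|location\.(?:replace|assign)\(\s*["']([^"']+)["']""",
    re.I,
)
# <meta http-equiv="refresh" content="0; url=...">
META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["'][^"']*url\s*=\s*([^"'\s>]+)""",
    re.I,
)


def next_hop(url, status, headers, body):
    """Return the URL a browser would be sent to next, or None if the page stays."""
    headers = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and headers.get("location"):
        return urljoin(url, headers["location"])          # resolves relative Location values
    m = META_REFRESH.search(body)
    if m:
        return urljoin(url, unescape(m.group(1)))
    m = JS_REDIRECT.search(body)
    if m:
        return urljoin(url, unescape(m.group(1) or m.group(2)))
    return None


def follow_chain(start, fetch, max_hops=10):
    """Walk redirects from `start` using `fetch(url) -> (status, headers, body) | None`.

    Stops on a page with no redirect, an unknown URL, a loop, or max_hops.
    """
    chain, seen, url = [start], {start}, start
    for _ in range(max_hops):
        resp = fetch(url)
        if resp is None:
            break
        nxt = next_hop(url, *resp)
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return chain


def offline_fetch(url):
    """Look the URL up in the constructed captures instead of touching the network."""
    return CAPTURED.get(url)


if __name__ == "__main__":
    for i, hop in enumerate(follow_chain("http://first-hop.test/click?id=1", offline_fetch)):
        print(f"{i}: {hop}")
```

Every hop in the returned list is a host worth checking on VirusTotal or in a reputation service, and the loop/hop limit keeps the walk from spinning on a redirector that points back at itself.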
This is how the site looks in the browser. As we can see, there’s a movie clip with Bill Gates telling us how we can make cash on BTC, and in the upper right corner someone just allegedly earned 158 USD. Nice, this must be the real deal!
![Image014 Image014](https://npercoco.typepad.com/.a/6a0133f264aa62970b026bdec68ead200c-800wi)
Since this looks so good, let’s fill in our data; after all, we want to change our lives today! (Also, did you notice there is nothing here about the initial 25K USD we would allegedly receive? Oh well.) After filling out our data we are greeted by a “congratulations” popup with yet another button with a redirect link:
![Image015 Image015](https://npercoco.typepad.com/.a/6a0133f264aa62970b0278801e7700200d-800wi)
After clicking the button, we are taken to the “lrpit.com” domain:
![Image016 Image016](https://npercoco.typepad.com/.a/6a0133f264aa62970b026bdec68eb9200c-800wi)
Which yet again executes another redirect script:
![Image017 Image017](https://npercoco.typepad.com/.a/6a0133f264aa62970b026bdec68ec5200c-800wi)
Which redirects us to the “profitstrade.com” domain:
![Image018 Image018](https://npercoco.typepad.com/.a/6a0133f264aa62970b026bdec68ecd200c-800wi)
![Image019 Image019](https://npercoco.typepad.com/.a/6a0133f264aa62970b0263e9994053200b-800wi)
![Image020 Image020](https://npercoco.typepad.com/.a/6a0133f264aa62970b026bdec68edd200c-800wi)
Quick research on the “profitstrade.com” domain tells us it’s a scam:
![Image021 Image021](https://npercoco.typepad.com/.a/6a0133f264aa62970b026bdec68ee6200c-800wi)
As bonus trivia, there are more scam sites connected to this phishing campaign; one of the other attempts redirected me to the “cashier.marginelite.com” domain, which asked me for my card details:
![Image022 Image022](https://npercoco.typepad.com/.a/6a0133f264aa62970b0278801e7722200d-800wi)
This site is also listed as a scam:
![Image023 Image023](https://npercoco.typepad.com/.a/6a0133f264aa62970b026bdec68ef4200c-800wi)
The opinions below basically say “this is a scam; I paid and lost my money”:
![Image024 Image024](https://npercoco.typepad.com/.a/6a0133f264aa62970b0278801e772e200d-800wi)
And this is the final endgame of this phishing – clicking a button in an email saying you received a large transfer of money can make you transfer a large amount of money, but to the criminals behind this scheme.
As a bonus check, we can also see whether our email address has been leaked somewhere. After all, phishing/spam emails have to be sent to known email addresses, so where do criminals find them? In leaks. A leak, in this case, is where we give our data (e.g. an email address) to someone, that someone suffers a database breach, and records from that database are disclosed to third parties. This usually happens when database access is exposed to the internet through a service misconfiguration or an insider attack (a disgruntled employee etc.).
To check whether our email address has been leaked, we can use an excellent service: https://haveibeenpwned.com/. So let’s do that for the inbox which received the phishing email we just analyzed:
![Image025 Image025](https://npercoco.typepad.com/.a/6a0133f264aa62970b026bdec68f0b200c-800wi)
Oh no, this inbox has been leaked somewhere. Let’s see which service(s) leaked my email address:
![Image026 Image026](https://npercoco.typepad.com/.a/6a0133f264aa62970b0278801e7741200d-800wi)
Not so great, time to create a new inbox, I think.
So, a few takeaways to defend yourself when you receive a dubious email:
- Check if the email content makes sense (is the grammar correct? If there are company logos, are they true to the original? Do you have a BTC account, or did you order something lately?)
- Check links from the email using VirusTotal or your favorite search engine to see whether they are legitimate, before you click them.
- If there are files attached, do not open them unless you are 100% certain the sender is legitimate, and you were expecting this message.
- Also, it may be a good idea to ditch an old mailbox which receives lots of spam, create a new one, and avoid giving out its address where unnecessary.
- Bonus tip: In general, whenever faced with a stressful situation, take a step back, take three deep breaths, and do your best to assess the situation in a logical manner. Decisions based on emotions rarely end well.
- Second bonus tip: if something seems too good to be true, it usually is.
And finally:
![Image027 Image027](https://npercoco.typepad.com/.a/6a0133f264aa62970b0263e9994082200b-800wi)