Analysis of a Phishing email

A friend of mine received an email yesterday that alarmed them, so they asked me to take a look as they were not sure if it was legit. After all, how is one really supposed to know? While I was sure it was a standard bulk phishing mail, part of me did wonder if this could this be the one. Will I look at the computer and see the dreaded skull-and-crossbones or Jigsaw face indicative of a successful ransomware attack or worse?

The Message

Why does this work?

First, why are these messages effective? Who falls for this stuff? This article explains it well https://www.webroot.com/blog/2019/10/31/the-truth-about-phishing-the-psychology-of-why-we-click/ In this case it’s a playing on our fear of embarrassment- no malware is used or even needed. This is blackmail, dubbed sextortion in these cases. By some estimates, nearly 40 million Americans watch porn so this message has a fairly good chance of landing in the inbox of one of them. That probability is higher if the target list of email addresses came from a breach of an adult site such and made available on the dark web. A response rate as little as 1% (20 of 20,000 x $500) could yield the attackers $10,000 – not bad for about 30 minutes of work. Further, while the threat in the email might seem outlandish, there are known examples of just such screen+camera recording examples in the wild, for example: Researchers Discover Malware That Can Record the Screen of French Internet User’s Watching Porn

IOCs

Let’s pick this message apart for clues as to what Indicators of Comprimise (IOCs) or artifacts we should check for:

  • The email source address and domain. Are these known sources of maligned messages? Did the message traverse any open relays?
  • “Hidden Remote Dektop Protocol” We know RDP is real, so I’ll look for outbound RDP, Tunneled RDP, VNC, SSH, or other connections.
  • “Having a keylogger” Look for rootkits or any other TSR or in-memory malware.
  • Webcam – put a sticker on it and look for any apps that try access it.
  • Recordings – Perhaps the malware records to a local directory before calling home, so I’ll check for hidden directories and files that could be the compressed videos.
  • The bitcoin address – check the blockchain for transactions involving this address and any reports of abuse.
  • Facebook pixel – this implies their is a tracking URL embedded in the message, so I’ll review the source for any URLs.

Message Headers

From the headers we can see that the message originated (at least from the first mail servers perspective – true attribution is hard) from a client in Australia. It then bounces through relays and gmail before being delivered to the recipients domain. It appears that two of the addresses are blacklisted – so the message actually could have been dropped at this point.

Source domain information

Cisco Threat Response

A quick review with the Cisco Umbrella Investigate tool shows that the earth[.]alwayshotel[.]com domain has only existed for a few days. Also note the Risk Score of 77 for the domain which indicates that it known to be associated with malicious/unwanted traffic. From the graph we can infer that the email campaign started around 11 Jan 2020.

Local scan / log analysis

  • Netstat/host firewall logs – no connections to the alleged Facebook pixel or other tracking shown (no URLs are actually embedded in the message)
  • A full malware scan yielded no hits
  • A review of last 30 days firewall logs showed that the volume of outbound traffic from this host was not large enough to indicate that a significant amount of data was sent from this machine as alleged in the email.

Bitcoin Address

Lastly, let’s take a look at the bitcoin address in the message. We can see that the address is valid, but at of the time of my query no transactions had been recorded, meaning no one has paid the ransom. We can also see that at least 90 individuals filed abuse reports against this address, each noting the same or very similar blackmail/sextortion attempt via email.

Conclusion

With no positive IOCs, no outbound connections, no tracking URL, and a growing Bitcoin Abuse list I’m fairly certain that this is just a standard phishing email blast and not a successful comprise of the machine in question.

Categories: Blue Team

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s