Monday, December 1, 2014

Detailed analysis of an ADP Invoice Phishing Attempt - The email



In this six-part series, we will analyze a recent phishing attempt: an email that was sent to me. In this first post we will look at the email itself and see what we can learn from it. The text in red represents where the hyperlink was embedded.


---- Start of email ----

From: billing.address.updates@ADP.com [billing.address.updates@ADP.com]
Sent: Wednesday, November 12, 2014 10:33 AM
Subject: ADP Past Due Invoice#91683353


Your ADP past due invoice is ready for your review at ADP Online Invoice Management.

If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.

Review your ADP past due invoice here.
Important: Please do not respond to this message. It comes from an unattended mailbox.

---- End of email ----


Analysing the email
The first sign that something was wrong here was the link in the email. The embedded link was "http://thanhren.com/services/invoice1211.php". If this were really related to ADP, I would expect to see a domain actually related to ADP. In this case, however, absolutely nothing in the link suggested it came from ADP. They could have at least put a nice signature at the bottom :-)
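The mismatch described above (a sender claiming to be ADP while every link points at an unrelated domain) is easy to check automatically. The following is an added example, not code from the original post: it parses a raw message, collects every anchor in the HTML body, and flags links whose registrable domain differs from the sender's domain, and anchor text that names the sender's brand while pointing elsewhere. The From and Subject lines and the link target are taken from the email quoted above; the HTML wrapping and the visible anchor text ("ADP Online Invoice Management", "here") are assumptions made so the sample can be parsed. The logic is general and runs over any RFC 822 message, not just this one.

```python
"""Flag phishing indicators in an email: link domains that do not match the sender.

Added example (not part of the original post). The sample message below is
constructed: From/Subject and the link target come from the quoted email,
the HTML body and visible anchor text are assumed.
"""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (HTML wrapping assumed).
SAMPLE_EMAIL = """\
From: billing.address.updates@ADP.com
Subject: ADP Past Due Invoice#91683353
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your ADP past due invoice is ready for your review at
<a href="http://thanhren.com/services/invoice1211.php">ADP Online Invoice Management</a>.</p>
<p>Review your ADP past due invoice <a href="http://thanhren.com/services/invoice1211.php">here</a>.</p>
<p>Important: Please do not respond to this message. It comes from an unattended mailbox.</p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .com; a production tool should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw_message):
    """Return a list of indicator strings for links that do not match the claimed sender."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender_domain = registrable_domain(msg["From"].addresses[0].domain)
    brand = sender_domain.split(".")[0]  # e.g. "adp"

    body = msg.get_body(preferencelist=("html",))
    collector = AnchorCollector()
    collector.feed(body.get_content() if body else "")

    findings = []
    for href, text in collector.anchors:
        host = urlparse(href).hostname or ""
        link_domain = registrable_domain(host)
        if link_domain == sender_domain:
            continue
        findings.append(
            f"link domain {link_domain!r} does not match sender domain {sender_domain!r} "
            f"(anchor text {text!r} -> {href})"
        )
        # Visible text naming the claimed brand while the href goes elsewhere is the classic lure.
        if brand in text.lower():
            findings.append(f"anchor text {text!r} names {brand!r} but points to {host!r}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("INDICATOR:", finding)
```

Run against the constructed sample, `analyze` reports both anchors as pointing off-domain and additionally flags the first one because its visible text names ADP. Swapping the link target for an `adp.com` host yields no findings, which is the point: the detection keys on the relationship between claimed sender and link destination, not on any fixed blocklist.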
 
Clicking the link

First I loaded up a VM running Linux, and not much happened: the page simply read that it was under construction. As a result, my belief is that this is targeted more at systems running Microsoft Windows, or at least at browsers presenting a Windows User-Agent.

Next I loaded up a Windows 8 VM with Wireshark running in the background. Once I clicked the link, a message appeared stating "Please read the document". At least this malicious actor was polite; he/she said "Please" :-). Along with the message, a window popped up asking whether to "SAVE" or "OPEN". I chose to save.


In post 2, we will analyze the packet capture which was running in the background.


The .pcap and .zip files from my analysis are listed below. Please note, in no way am I responsible for any damage caused to your computer and/or other devices as a result of using these files.

adp.pcap - 4cfd352a3c890873d20a33d35fffed25
invoice1211_pdf82.zip - 05fc7646cf11b6e7fb124782daf9fb53



