Ho Ho Ho – Here comes the spam/phish

Merry Christmas and Happy New Year to all !

I thought to start the new year with a blog with regards to spam from Australian Giants – Woolworths, JB HiFi, Flight Centre, Bunnings etc.

Although, we are on holidays, attackers/hackers are not. Holiday time is in fact very good time to target organisations as most of the staff are enjoying meals at home with their families while companies work with skeleton resources. Let’s analyse the emails. Following are the screenshots :

Above screenshot shows Australian Vendors.

1. Myer – Win a Myer voucher Sender : account@zepeem.com
2. URLs in the mail

• http://tracker.mcontact.pro//View.aspx?UID=90075_1979857738_182198788 – 2.228.24.251 – Italy
• http://myer-giftcard.prizedraws-auss.com/?aid=abcpm&subid=%7BSUBID%7D&agent=1&p=841 – 185.35.138.80 – Netherlands
• Embedded URL – http://abacus.go2cloud.org/aff_i?offer_id=1274&aff_id=2074&file_id=2188 – One hit on Autoshun – malicious site

Conclusion : Suspicious and seems to be phishing sites.

1. Bunnings – Bunnings Gift Card – Bunnings0256986@relaisnautische.eu
2. Subject of the email – %$email – likely used a automated email generator but forgot to change the subject that can look real
3. mailed-by : shriek.relaisnautische.eu
4. Links on the flyer are not clickable. Only link clickable is to unsubscribe and that goes to http://pss.relaisnautische.eu/ which is not active.

Conclusion – Suspicious and seems to be phishing site

1. Woolwhorths ? – Isn’t it Woolworth – Woolwhorth8965742@ondernemingtoon.eu
2. 
3. subject: SCRATCH & WIN – this time they made it right
4. mailed-by: zoroastrian.ondernemingtoon.eu
5. Links are identified as phishing my Google.
6. Phishing link :
   • http://woolworths-new.prizedraws-aus.com/?p=841&aid=LOL&subid=36421733&pl={pl}&agent=5&scratch=1

Conclusion – Phishing website.

Senders : Should be blocked on email filters

1. Woolwhorth8965742@ondernemingtoon.eu
2. Bunnings0256986@relaisnautische.eu
3. account@zepeem.com
4. Woolwhorths8965742@monstereigenschap.eu
5. Woolwhorths8965742@netwerkenfonds.eu
6. JB2519867@realiteitgoed.eu
7. Woolwhorths0256989@bewustextreem.eu

Other links/IP addresses : Should update SIEM rules to catch any communications to these URLs. URLs can also be blocked on web filters.

1. http://bell-news.de/ga/unsubscribe/2-1624154-36-5605-11384-5923d1a4644b2b2-c9bb0e8af2/?utf8=%E2%9C%93&confirmed=1 – 213.136.91.181
2. http://balqjdvwrs.realiteitgoed.eu/ – 216.109.172.160
3. http://ww41.uvqqsagwla.monstereigenschap.eu/ – 141.8.225.60
4. http://ww41.uvqqsagwla.netwerkenfonds.eu/ – 141.8.225.60
5. http://play.mobistos.com/lpx/MayoS93HF2?aff=ck-lll&reqid=731155943&oid=7230&s1=209491|83 – 82.94.216.105
6. http://balqjdvwrsi.znhpslrnpk.bewustextreem.eu/track?e=02bj5CbpFWbnBkcv1WdohGdpdHZyVmbP&m=18764400&l=0. 63.250.4.10
7. http://uvqqsagwla.bewustextreem.eu/ –  63.250.4.10

Final words :

1. Similar links were used for other emails. Based on the HTTP objects extracted from all can only see png files. No executable or javascript noted.
2. All emails have one country in common as sender – Germany.
3. Unsubscribing goes to PO Box 1960 #22445 Wilmington, DE 19899
4. The phishing attempt seems to be generic and concentrating on just getting private information from a user especially email addresses.
5. No attempts of malware dropping identified from the links.

Understand that organisations should be on a lookout for any usage of its Brand name to deceive users to provide personal information. As users trusts these organisations, it’s organisation’s responsibility to have proper brand monitoring placed or outsourced so phishing campaigns using their names can be identified and controlled.

Security awareness for all users is also important to make sure not click on unsolicited emails.

Happy 2016!!!!