Merry Christmas and Happy New Year to all !

I thought to start the new year with a blog with regards to spam from Australian Giants – Woolworths, JB HiFi, Flight Centre, Bunnings etc.

Although, we are on holidays, attackers/hackers are not. Holiday time is in fact very good time to target organisations as most of the staff are enjoying meals at home with their families while companies work with skeleton resources. Let’s analyse the emails. Following are the screenshots :

Above screenshot shows Australian Vendors.

1. Myer – Win a Myer voucher Sender : account@zepeem.com
2. URLs in the mail

• http://tracker.mcontact.pro//View.aspx?UID=90075_1979857738_182198788 – 2.228.24.251 – Italy
• http://myer-giftcard.prizedraws-auss.com/?aid=abcpm&subid=%7BSUBID%7D&agent=1&p=841 – 185.35.138.80 – Netherlands
• Embedded URL – http://abacus.go2cloud.org/aff_i?offer_id=1274&aff_id=2074&file_id=2188 – One hit on Autoshun – malicious site

Conclusion : Suspicious and seems to be phishing sites.

1. Bunnings – Bunnings Gift Card – Bunnings0256986@relaisnautische.eu
2. Subject of the email – %$email – likely used a automated email generator but forgot to change the subject that can look real
3. mailed-by : shriek.relaisnautische.eu
4. Links on the flyer are not clickable. Only link clickable is to unsubscribe and that goes to http://pss.relaisnautische.eu/ which is not active.

Conclusion – Suspicious and seems to be phishing site

1. Woolwhorths ? – Isn’t it Woolworth – Woolwhorth8965742@ondernemingtoon.eu
2. 
3. subject: SCRATCH & WIN – this time they made it right
4. mailed-by: zoroastrian.ondernemingtoon.eu
5. Links are identified as phishing my Google.
6. Phishing link :
   • http://woolworths-new.prizedraws-aus.com/?p=841&aid=LOL&subid=36421733&pl={pl}&agent=5&scratch=1

Conclusion – Phishing website.

Senders : Should be blocked on email filters

1. Woolwhorth8965742@ondernemingtoon.eu
2. Bunnings0256986@relaisnautische.eu
3. account@zepeem.com
4. Woolwhorths8965742@monstereigenschap.eu
5. Woolwhorths8965742@netwerkenfonds.eu
6. JB2519867@realiteitgoed.eu
7. Woolwhorths0256989@bewustextreem.eu

Other links/IP addresses : Should update SIEM rules to catch any communications to these URLs. URLs can also be blocked on web filters.

1. http://bell-news.de/ga/unsubscribe/2-1624154-36-5605-11384-5923d1a4644b2b2-c9bb0e8af2/?utf8=%E2%9C%93&confirmed=1 – 213.136.91.181
2. http://balqjdvwrs.realiteitgoed.eu/ – 216.109.172.160
3. http://ww41.uvqqsagwla.monstereigenschap.eu/ – 141.8.225.60
4. http://ww41.uvqqsagwla.netwerkenfonds.eu/ – 141.8.225.60
5. http://play.mobistos.com/lpx/MayoS93HF2?aff=ck-lll&reqid=731155943&oid=7230&s1=209491|83 – 82.94.216.105
6. http://balqjdvwrsi.znhpslrnpk.bewustextreem.eu/track?e=02bj5CbpFWbnBkcv1WdohGdpdHZyVmbP&m=18764400&l=0. 63.250.4.10
7. http://uvqqsagwla.bewustextreem.eu/ –  63.250.4.10

Final words :

1. Similar links were used for other emails. Based on the HTTP objects extracted from all can only see png files. No executable or javascript noted.
2. All emails have one country in common as sender – Germany.
3. Unsubscribing goes to PO Box 1960 #22445 Wilmington, DE 19899
4. The phishing attempt seems to be generic and concentrating on just getting private information from a user especially email addresses.
5. No attempts of malware dropping identified from the links.

Understand that organisations should be on a lookout for any usage of its Brand name to deceive users to provide personal information. As users trusts these organisations, it’s organisation’s responsibility to have proper brand monitoring placed or outsourced so phishing campaigns using their names can be identified and controlled.

Security awareness for all users is also important to make sure not click on unsolicited emails.

Happy 2016!!!!

Malicious or spam emails are frequent but one of the best ways to get a system/host infected.

Recently I received an email from one of the Big 4 banks of Australia – Westpac.

Very first thing was I am not a customer so definitely it was a phishing scam.

Actual Email

Actual email is a bit unprofessional. The URL is ending with Bankingx. Email is coming from west-pac@bbodyregistry.com.
Looking at the email headers the originating IP address is 41.57.96.54. Email headers also shows the email came from IP 197.232.31.99. Geo location of both IP address is Kenya.

Virustotal results : https://www.virustotal.com/en/ip-address/41.57.96.54/information/
IP Address does have few malicious URL’s detected previously.

Clicking on the URL in the email it re-directs to http://antoniahallcommunications.com/referrer/. The site is identified as Phishing attack by Google Chrome.

 .

So disabled the phishing and Malware protection from the browser settings and access the site again. No signatures were triggered on Security Onion Snort. Received following response :

 The site resolves to 198.46.82.80 – ehub36.webhostinghub.com – a free webhosting.

The site actually belongs to Antonia Hall a publicist.

Below are the IOC’s:

197.232.31.99
41.57.96.54
bbodyregistry.com

Conclusion :

I did not find anything malicious besides this being a unsuccessful attempts for a user to click on a link. Also, the URL is not accessible anymore.

Received an email from UN@ – no email domain on the sender list and that’s why my email identified as spam.

Attachment was a doc file – ATM_CARD_1.doc – Checked various websites (malwr.com, virustotal, shodun) but no information about mentioned DOC file.

MD5 : 2134a6afb12a5a2bcdd77b09e43a8e29 – not reported.

Uploaded the file on virustotal but did not find any hits – https://www.virustotal.com/en/file/058767db41be4365c137dfd2ed857e86211c724a3037c561f7a9d0f994e6c829/analysis/1443706261/

Exiftool output

xifTool Version Number : 8.60
File Name : ATM_CARD__1_.doc
Directory : .
File Size : 86 kB
File Modification Date/Time : 2015:10:01 13:01:39+00:00
File Permissions : rw-r—–
File Type : DOC
MIME Type : application/msword
Author : FullNameHere
Template : Normal
Last Modified By : SONY
Revision Number : 2
Software : Microsoft Office Word
Total Edit Time : 2.0 minutes
Last Printed : 2010:11:24 17:52:00
Create Date : 2015:09:28 02:38:00
Modify Date : 2015:09:28 02:38:00
Pages : 1
Words : 436
Characters : 2491
Security : None
Company : OrgHome
Lines : 20
Paragraphs : 5
Char Count With Spaces : 2922
App Version : 12.0000
Scale Crop : No
Links Up To Date : No
Shared Doc : No
Hyperlinks Changed : No
Title Of Parts :
Heading Pairs : Title, 1
Code Page : Windows Latin 1 (Western European)
Hyperlinks : http://www.yahoo.com/_ylt=AkJ_84uMIDD6A0cgsAd.wbubvZx4;_ylu=X3oDMTNoamk4OG9oBGEDMTAwODE3IFNFRyBzaGluZSBpZGVudGl0eSB0aGVmdCB0BGNwb3MDMwRnA2lkLTM2MjMyBGludGwDdXMEcGtndgM4BHBvcwMxBHNlYwN0ZC1mZWF0BHNsawNpbWFnZQRzbHBvcwNGBHRlc3QDNzAx/SIG=13ip2d9rl/EXP=1282263418/**http%3A/shine.yahoo.com/event/financiallyfit/13-things-an-identity-thief-wont-tell-you-2299277/, http://www.uneca.org/istd/ict/images/UN-logo%5b2%5d.GIF, http://www.uneca.org/istd/ict/images/UN-logo%5b2%5d.GIF, http://www.uneca.org/istd/ict/images/UN-logo%5b2%5d.GIF, http://www.uneca.org/istd/ict/images/UN-logo%5b2%5d.GIF
Comp Obj User Type Len : 39
Comp Obj User Type : Microsoft Office Word 97-2003 Document

Last modified by seems interesting as it says SONY. The attachment has no links for a user to click. However, it requests personal information and informing to pay 250 K Pounds.

Email within doc : nationwbk@hotmail.com – personal email for UN 🙂
Email also had a number 0044-7010057597. Based on research the number is in london obviously but no information about a business. Likely a personal number.
http://www.searchyellowdirectory.com/reverse-phone/447010057597/

No malware found – just a social engineering attempt.

Spam are targeting most vulnerable entity in cyber world – HUMANS.