[TriLUG] Semi OT - phishing emails and spoofed domain links

Matt Flyer via TriLUG trilug at trilug.org
Thu Jul 20 16:23:30 EDT 2017


I posted the entire message, including the headers and HTML, as text on
that site.  Link here:
https://paste.pound-python.org/show/K0415Cma6bQMoDEMsl8m/
Feel free to have a look.

Offhand, I don't see any obvious obfuscation in the link that it is
trying to get you to go to.  It does have some CSS and an ID associated
with it, but nothing looks obviously malicious in the CSS.

It just seems odd that an NS lookup of the domain resolves to something
other than that domain, as I indicated in the OP.

I do make use of various RBL services, which have different focuses, for
my personal mail, and along with a few other tactics they are very
effective at eliminating almost all of the spam.  I agree that when it
comes to stopping spammers, one of the tactics is to report the relay
system they are using, and I tend to report the few that make it
through my filters.

As these are not personal messages, but come into a work domain, I am
limited on my approaches.  Consequently, I've been trying to employ a
different approach: going after them on the back end by making it
harder for them to host the site where they will attempt to harvest
data.  As I said, I've had some success in getting these sites shut
down as the hosting providers seem to take this type of activity more
seriously than spam mail.  Undoubtedly it is a "cat and mouse" game and
I will grow bored with it eventually, but it is nice to cause them some
grief.

Edit to add: another coworker sent one; the body text of the message is
here, with a link to Weebly.com, which shut someone down for this last
week, and now they have started up with a different subdomain.  I didn't
include the header because it was forwarded to me and only has the
internal headers.  Link:
https://paste.pound-python.org/show/sNUSB569teJiJfT5H7TY/

This one does seem to resolve based on the nslookup and whois, unlike
the first one in this message.


On Wed, 2017-07-19 at 18:12 -0400, Dewey Hylton wrote:
> you really need to look at the source; a hover link can
> be spoofed in HTML/javascript/CSS/whatever. if you post
> the source somewhere (e.g. http://paste.pound-python.org/)
> I'm sure a few of us wouldn't mind taking a look at it.
> 
> 
> ----- On Jul 19, 2017, at 4:37 PM, Triangle Linux Users Group General
> Discussion trilug at trilug.org wrote:
> 
> > 
> > Yesterday I received a phishing email, one of a pattern where someone
> > is trying to gain credentials and possibly other information by trying
> > to get you to click on a link and enter your account information.
> > Typically, if you hover over it, the links direct you to a page on
> > some hosted system somewhere.  I have been engaging in a practice of
> > trying to make it more difficult for these "jokers" by reporting them
> > to the hosting provider as a TOS violation.  I have gotten a couple of
> > these sites taken down and the users banned.
> > 
> > It appears that they've gotten a little more creative and are somehow
> > spoofing the links.  For example, I got one yesterday that when you
> > hover over it shows the link "upgradeaccount.sitey.me"; further digging
> > shows this resolves to the IP address of 107.178.211.45, which it turns
> > out is NOT a server that belongs to sitey.me / sitey.com.  Performing a
> > reverse DNS on this shows it potentially belonging to "google domains".
> > 
> > I have heard about ways of using 'codes' to spoof the addresses that
> > are shown in websites and I assume that something similar is going on
> > here.  Unfortunately, I seem to have hit a potential dead end in
> > looking this one up.  Looking at the email headers shows that it may
> > have originated from swosu.edu (SW Oklahoma State Univ) but then it
> > stayed in the "outlook.office365" system with valid SPF and everything,
> > which could mean that some idiot was dumb enough to actually be phished
> > and their account is now originating spam.
> > 
> > Does anyone have a suggestion on how to get at the real domain that
> > they seem to be trying to redirect to so that I could hopefully report
> > them and cause them more angst?
> > 
> > 
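The checks discussed in this thread (compare what a link displays against where its href actually points, then forward- and reverse-resolve the target host) can be scripted so a message body can be triaged before anyone pastes it anywhere. The following is an added example written for this archive page, not code from any poster or from the list; the HTML sample and all domains and addresses in it are constructed, the "registrable domain" helper is a deliberate simplification (last two labels, no multi-label public suffixes), and the DNS lookups are injectable so the logic can be exercised offline with stub answers.

```python
# Added example (not code from the thread or any poster): audit the anchors in
# an HTML email body for display-text/href mismatches, then sanity-check where
# the href host actually points. All domains and addresses here are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re
import socket


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that looks like a URL or bare hostname (captures the host part).
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


def registrable(host):
    """Crude 'organisation' part of a hostname: its last two labels.
    Assumption for this example: no multi-label public suffixes (co.uk etc.)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def audit_links(html):
    """Return one finding per anchor; 'suspicious' is set when the visible text
    shows a host whose registrable domain differs from the href's host."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target_host = urlparse(href).hostname or ""
        match = HOSTLIKE.match(text)
        shown_host = match.group(1) if match else None
        suspicious = bool(shown_host) and registrable(shown_host) != registrable(target_host)
        findings.append({
            "text": text,
            "href": href,
            "shown_host": shown_host,
            "target_host": target_host,
            "suspicious": suspicious,
        })
    return findings


def resolve_and_reverse(host, resolver=socket.gethostbyname, reverser=socket.gethostbyaddr):
    """Forward-resolve host, then reverse-resolve the answer: returns (ip, ptr_name).
    The lookup functions are injectable so the logic can be exercised offline."""
    try:
        ip = resolver(host)
    except OSError:
        return (None, None)
    try:
        ptr = reverser(ip)[0]
    except OSError:
        ptr = None
    return (ip, ptr)


def ptr_matches(host, ptr):
    """True when the PTR name shares its registrable domain with the host shown in
    the email, i.e. the link plausibly lands on that organisation's own servers."""
    return ptr is not None and registrable(ptr) == registrable(host)


# Constructed sample: a 'mailbox upgrade' lure whose styled, id-tagged anchor
# displays one hostname but links to another, plus two benign links.
SAMPLE_HTML = """<p>Your mailbox is almost full. Upgrade to keep receiving mail.</p>
<a id="cta" style="color:#fff;background:#0a5"
   href="http://upgradeaccount.example-hosting.test/login">https://mail.example.com/upgrade</a>
<a href="https://www.example.com/help">help center</a>
<a href="https://www.example.com/help">www.example.com</a>"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} text={f['text']!r} -> {f['target_host']}")
    # Offline demonstration with stub lookups (constructed answers, not live DNS).
    ip, ptr = resolve_and_reverse("mail.example.com",
                                  resolver=lambda h: "192.0.2.10",
                                  reverser=lambda a: ("vm10.example-hosting.test", [], [a]))
    print("resolves to", ip, "PTR", ptr,
          "matches shown host:", ptr_matches("mail.example.com", ptr))
```

Run against a real message, drop the stub lambdas and `resolve_and_reverse` will use the system resolver; a PTR that belongs to a hosting provider rather than the organisation named in the visible text is exactly the signal the original poster noticed by hand with nslookup and reverse DNS. The "suspicious" flag only fires when the visible text itself looks like a hostname or URL, which is the case where the mismatch is meant to deceive.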