Cash App Phishing Email Investigation

Okkar Min
7 min read · Dec 9, 2021


Applying OSINT techniques to investigate a phishing email.

TLDR

  • Investigated one email
  • Obtained email templates from different campaigns that were embedded in that email
  • Utilised passive and active techniques and obtained information on the Darkside ransomware variant used by the actors
  • Assessed the motivation and idea behind their actions

Prologue

Last semester, the 2nd half of 2021, I took an interesting course named ‘Cyber Threat Intelligence’. The overarching aim of the course is to give students critical thinking skills for investigating cyber threats and to make them comfortable with challenging their own assumptions and beliefs. In one chapter of the course, we were taught how to use a branch model to conduct investigations. The branch model itself is simple, nodes and edges connected to each other, but the value I find in it is that it gives a helicopter view of the investigative journey and allows the investigator to backtrack and cover all the bases. So for this investigation I used the branch model as a tool to aid me in my baby-level investigation.

Okay, that is sufficient advertisement for the course, let’s get into the fun part.

Interlogue

Once in a while I like to check the spam section of my email account to see what the scamming industry is up to. This time I saw the following email:

Cash App Phishing Email

Kudos to whoever made this, it looks professional, and if I didn’t know any better I would definitely have ‘Confirm-ASAP!’ed. Two items stood out to me:

  • At the top, ‘-This message was sent from a trusted sender’ banner
  • At the bottom, ‘Hurry! The giveaway ends in: 2h 39m 37s’

The person who made this is using the banner to establish the credibility of the email, and the countdown is an example of the scarcity principle being employed. To put it in current-generation terms, it induces FOMO, and it works.

Countdown GIF frames

Opening the GIF in an image processing application shows us all the frames, and the frames stop at 60, meaning the countdown only runs from 2h 39m 59s to 2h 39m 00s and then loops.

Gmail’s context menu

In this age, the majority of emails are HTML based. HTML is used to provide structure (the layout) and semantic markup (how it looks, the colours). I wanted to take a look at the underlying HTML of this email and went to Gmail to see the original message.

After clicking on it, the following page shows up and bam! We have obtained a new resource to investigate further.

Gmail original message window

Let’s write down what the interesting resources are:

  • From email address: rlefoa00f72do6b86nre@retailerart.com
  • SPF: 45.137.190.133
  • DKIM: retailart.com

The email address smells like an uncooked fish: fishy. Gmail uses SPF and DKIM to check whether the server IP address and the domain the email originated from are legitimate. Gmail says NEUTRAL for SPF and PASS for DKIM. Note that a NEUTRAL SPF result means the sender domain’s SPF record neither authorises nor forbids that IP, and a DKIM PASS only proves the message was signed with a key published under the signing domain, not that the sender is trustworthy.

Using urlscan.io, a tool that visits websites on your behalf and collects as much data as possible, for retailerart.com gives us the following:

urlscan.io result on retailerart.com

‘This is the only time retailerart.com was scanned on urlscan.io!’ Yes! I am the first one to submit and check this site. It is not much, but I am proud of it HAHA.

That aside, the following information was obtained:

  • retailerart.com resolves to the IP address 45.137.190.133, the same as the SPF IP address
  • The domain was bought from Namecheap on 28 June 2021, fairly recently
  • 45.137.190.133 is owned by BITWEB, a cloud provider based in Russia

Going over to the Similar tab gives us the following:

Similar hits on urlscan.io

  • The domain capitall1one.com was used to point to this IP address before
  • If we scan capitall1one.com on urlscan.io, the landing page is the same as retailerart.com

Nothing interesting was found in the Redirects or DOM (document object model, basically the HTML code) tabs. But things get a bit religious in the Content tab, which shows the text content of the page:

text content on the page of retailerart.com
  • The Truth Will Set You Free
  • About Our Church
  • Listen To Our Sermons
  • Join Our Church

It seems this site may have been used as a landing page for a church, and the authors forgot to remove it.

Using who.is to look up retailerart.com shows us the following:

who.is result for retailerart.com

The phone number is the interesting resource here. A simple Google search for the phone number led me to a malware analysis report published by the US Cybersecurity & Infrastructure Security Agency (CISA); the report details the analysis of malware that came from domains registered with that phone number:

US CISA’s malware analysis report

Going back to the Gmail original message and scrolling down, it shows us a lot of gibberish-looking resources:

gibberish looking resource in the original email

Those scream to me, ‘HEY I AM BASE64, DECODE ME DECODE ME!’, so I went over to CyberChef, a web-based utility tool, to decode them, and BAM! I obtained what looks like multiple email templates that the attackers use for different campaigns.

cyberchef result after decoding base64

There are a ton of interesting resources in the decoded text; some notable ones are:

  • There is a comment that says:
<!-- IMORTANT NOTES:

fill the TARGET URL
upload images on your server and replace the local links

-->
  • There is a comment with what seems to be ASCII art, which may indicate the author(s) who wrote this
ASCII art comment
  • Some templates have a login name and password
one of the email templates
  • They also seem to be impersonating emails from Citrix, Fastly and Parsec
impersonating Citrix, Fastly and Parsec

Most notable of all is the redirect to an HTML page hosted on https://storage.googleapis.com/xxxx , which is a link to a file hosted on Google Cloud Storage. Remember the Cash App email? If you click on any of the ‘clickable’ links in the email, you will land on that HTML page hosted on Google Cloud Storage.

redirect to a page stored in google cloud storage bucket

Note the #yyyy after cli123.html. This means the link points to a specific anchor on the cli123.html page; anchors are like bookmarks for an HTML page, and once you click the link, you are automatically taken to that specific section of cli123.html. Questions we can ask here are:

  • How is that #yyyy derived? Is it random? Is there some sort of generator function going on?
  • Can we identify the account owner from the ID of the Google Cloud Storage bucket?
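The passive steps above (reading the SPF/DKIM verdicts from the headers, decoding the base64 body, and pulling out the HTML comments, links and the #fragment) can be scripted rather than done by hand in Gmail and CyberChef. The following is an added example, not code from the original post: the .eml it parses is constructed here, with the From address, SPF IP and DKIM domain taken from the post, while the HTML body, bucket name and fragment are placeholders.

```python
import base64
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample .eml: header values follow the post (From address, SPF IP,
# DKIM domain); the HTML body, bucket name and fragment are placeholders.
_BODY = b"""<html><body>
<!-- IMORTANT NOTES:
fill the TARGET URL
upload images on your server and replace the local links
-->
<a href="https://storage.googleapis.com/EXAMPLE-BUCKET/cli123.html#EXAMPLE-FRAGMENT">Confirm</a>
</body></html>"""
SAMPLE_EML = (
    b"From: Cash App <rlefoa00f72do6b86nre@retailerart.com>\r\nSubject: Confirm ASAP!\r\n"
    b"Authentication-Results: mx.google.com; spf=neutral (sender IP 45.137.190.133)"
    b" smtp.mailfrom=rlefoa00f72do6b86nre@retailerart.com; dkim=pass header.i=@retailart.com\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=\"utf-8\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n" + base64.encodebytes(_BODY)
)

def _first(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_auth_results(msg):
    # SPF/DKIM verdicts, the IP SPF was evaluated for, and the DKIM signing domain
    ar = str(msg.get("Authentication-Results", ""))
    return {
        "spf": _first(r"\bspf=(\w+)", ar),
        "dkim": _first(r"\bdkim=(\w+)", ar),
        "spf_ip": _first(r"(\d{1,3}(?:\.\d{1,3}){3})", ar),
        "dkim_domain": _first(r"header\.i=@([\w.-]+)", ar),
    }

def extract_indicators(html):
    # HTML comments (operator notes), linked URLs and URL fragments from a decoded template
    return {
        "comments": [c.strip() for c in re.findall(r"<!--(.*?)-->", html, re.S)],
        "urls": re.findall(r"""href=["']([^"']+)["']""", html),
        "fragments": re.findall(r"#([^\"'\s>]+)", html),
    }

def investigate(raw_eml):
    msg = message_from_bytes(raw_eml, policy=policy.default)
    auth = parse_auth_results(msg)
    ind = extract_indicators(msg.get_content())  # get_content() undoes the base64 transfer encoding
    ind["from_domain"] = parseaddr(msg["From"])[1].rpartition("@")[2]
    ind["dkim_matches_from"] = auth["dkim_domain"] == ind["from_domain"]  # worth flagging when False
    return auth, ind
```

Each extracted URL, fragment and comment is a pivot point for the next passive lookup (urlscan.io, who.is) without having to open the link.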

Time to do some active visiting! For this purpose, I made use of Tor Browser on Kali Linux running in VirtualBox. It is not advised at all to visit the site directly; they may have deployed an assortment of attacks such as drive-by downloads. You have to have some sort of ‘protection’ against any attacks, and that is where Tor Browser, Kali Linux and VirtualBox come into play. Tor Browser acts sort of like a VPN, and if I were to mess anything up, say by accidentally downloading and detonating malware, only the Kali Linux VM in VirtualBox would get messed up, and I could easily swap it out for a clean copy. We have to thank those who worked extensively on virtualisation software; without them, investigations would be wayyy harder.

Upon visiting the full Google Cloud Storage URL, including the #yyyy, we get redirected and see the following:

tor browser screen on visiting the site
  • New resource acquired: imgurlink.com, pretty similar to the popular media sharing site imgur.com
  • We see that there is an in.php? combined with URL query params; perhaps they are doing server-side checking in PHP using the URL query params and only allowing valid params to pass through. We could try to see which params would pass and which would not.
  • Visiting imgurlink.com shows us the following, and what do you know, it is the same landing site as retailerart.com above
Landing page of imgurlink.com, same as retailerart.com

Alright, that is enough for now.

Epilogue

We have come to the end of the initial bout of the Cash App investigation.

There are tons of resources/pivot points that we could investigate further, especially from the decoded email templates, but I am quite happy with what we have so far. Let’s recap what we did:

  • Received a Cash App phishing email
  • Obtained other email templates used in other campaigns
  • Acquired similar and relevant IP addresses/domains
  • Gained insight from the Darkside ransomware variant analysis report by a US agency

Till next time!
