The Journey Did Not Begin

So I started this blog about a year ago. I wrote one post, went on vacation, and never came back. Well, to be clear, I did return from vacation (somewhat unfortunately), but I didn’t come back to the blog. Perhaps this will be a new beginning…

To reintroduce the blog, I figured I’d write a quick post about a rather unconvincing PayPal phish that I received today. Aside from the typical tell-tale spelling mistakes, the email addressed me by using an email address that doesn’t even belong to me:


Image 1. Is that your email address? If so, they are looking for you.

The email contains a Word document with some pretty poor English, and a not-so-enticing link suggesting that I “click here”. (I did not click here.) I generated an MD5 of the document and queried against VirusTotal, but didn’t get any matches. There didn’t seem to be any unique content in the doc that would cause different hashes across recipients, but who knows.

However, copying the URL from the link, I ran it through urlscan, and got a nice screenshot of a PayPal phish in German:


Of course, the link in the doc used a shortened URL, but urlscan is good enough to provide the un-shortened link. The long one has a couple of “DE” variables in it, so the phish may be geo-aware, and change languages based upon victim location. To confirm this, I ran a cURL command to get the response headers and redirects. Using a US-based VPN, the second hop shows that I’m US-based, so the urlscan query must have been initiated from a server in Germany.

The redirects also revealed an additional URL, which when queried against VirusTotal, reveals that the domain has been used in PayPal phishes since at least October 2018. I didn’t get any additional context from the first un-shortened URL, but pivoting off of the IP address, we get 72 additional domains, many of which are very similar, with DNS resolutions dating to 2019-03-27.
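The triage steps described above (hash the attachment, pull the link out of the document without clicking it, follow the shortener’s redirect chain, and look for locale parameters like the “DE” variables) as an added Python example. This is not code from the original post: the .docx it builds, the hostnames, and the redirect trace are constructed stand-ins rather than the post’s IOCs, and `SAMPLE_TRACE` only imitates the shape of `curl -sIL` output.

```python
"""Phish-attachment triage helpers (added example, not from the original post).

The .docx and the redirect trace below are constructed stand-ins for the real
attachment and the real `curl -sIL` output; nothing here touches the network.
"""
import hashlib
import io
import re
import zipfile
from urllib.parse import parse_qsl, urlsplit
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def hash_document(data: bytes) -> dict:
    """Digests to look up in VirusTotal and similar services (submit SHA-256, not just MD5)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def extract_hyperlinks(docx_bytes: bytes) -> list:
    """Pull external hyperlink targets out of a .docx without opening it in Word.

    A .docx is a zip; each link target is a <Relationship TargetMode="External">
    element in a word/**/*.rels part, so the URL can be read as text, never clicked.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("Type") == HYPERLINK_TYPE and rel.get("TargetMode") == "External":
                        targets.append(rel.get("Target"))
    return targets


def defang(url: str) -> str:
    """Render a URL non-clickable in the hxxp / [.] style used for IOC sharing."""
    scheme, sep, rest = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).partition("://")
    host, slash, path = rest.partition("/")
    return scheme + sep + host.replace(".", "[.]") + slash + path


def parse_redirect_chain(trace: str) -> list:
    """Turn `curl -sIL`-style header output into [(status, Location or None), ...].

    Walking the 3xx hops shows where a shortened link really lands; Location
    values are only parsed, not fetched.
    """
    hops = []
    for block in re.split(r"\r?\n\s*\r?\n", trace.strip()):
        lines = block.splitlines()
        status = re.match(r"HTTP/[\d.]+\s+(\d{3})", lines[0])
        if not status:
            continue
        location = None
        for line in lines[1:]:
            key, _, value = line.partition(":")
            if key.strip().lower() == "location":
                location = value.strip()
        hops.append((int(status.group(1)), location))
    return hops


def locale_hints(url: str) -> list:
    """Query parameters whose value looks like a country/language code (the 'DE' kind)."""
    code = re.compile(r"[a-z]{2}([-_][a-z]{2})?", re.IGNORECASE)
    return [f"{k}={v}" for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if code.fullmatch(v)]


def build_sample_docx(link: str) -> bytes:
    """Constructed minimal .docx with one external hyperlink (stand-in for the attachment)."""
    rels = (
        f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{HYPERLINK_TYPE}" Target="{link}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed redirect trace in the shape `curl -sIL` prints; hosts are placeholders.
SAMPLE_TRACE = """HTTP/1.1 301 Moved Permanently
Location: https://short.example/?lang=DE&ref=mail
Server: nginx

HTTP/1.1 302 Found
Location: https://landing.example/login?lang=DE
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
"""

if __name__ == "__main__":
    doc = build_sample_docx("https://short.example/abc")
    print(hash_document(doc))
    for url in extract_hyperlinks(doc):
        print("link in doc:", defang(url))
    for status, location in parse_redirect_chain(SAMPLE_TRACE):
        print(status, defang(location) if location else "-", locale_hints(location) if location else [])
```

Run against a real attachment, `extract_hyperlinks(open(path, "rb").read())` gives the link to submit to urlscan, and `parse_redirect_chain` takes the saved output of `curl -sIL` on that link. Reading the `.rels` part directly is the point: the document never has to be rendered, so a macro or external template in it never runs during triage.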

There are a lot more queries to do with the info uncovered thus far, but I’m tired and going to bed. So, here are the IOCs collected up to this point:

Sender email: slebew-2990706@jhaiyanegrikkomunikasimusik[.]com
Document Name: Doc-ID#789641.docx
Word Doc MD5: aa72aa3c42795cfa6aaf85bdf22d0942
Sender IP: 209[.]85[.]128[.]68 (Gmail)
Short URL: hxxp://x[.]co/6nilO
Un-Shortened URL: hxxps://confirms-limiteds-invaliddatassesure[.]aplikasimobilyberkelas[.]com/?_
Final URL: hxxps://href[.]li/?
SSL Cert SHA-256: B7950BFE4EA4A869AA59398E694FFBB5D43D80AAAED0352D90B5570F724A8A8B
SSL Cert SHA-1: 8FDEBCBD587BA0863C11275D8B71CA2B2F488186

There’s probably something I’m missing, but it will have to wait for another time.

The Journey Begins <– Default title, but maybe this is the start of a journey. We shall see.

TL;DR: It is just another (cyber)security blog, but maybe you’ll find value in my opinions, analysis, or at least the data that I share.

Join me here for my sporadic, random, and sometimes nonsensical musings, as I blog about whatever piques my interest. Of course, the content will be largely cybersecurity focused, so I may write about any of a broad range of topics, including my own research, honeypot metrics, malware, recent events, and emerging trends. Some of it may be region-specific, especially given the geopolitical nature of state-sponsored cyber activity, and some of it might even cross over into the cyberterrorism space, as I look at campaigns conducted by hackers motivated by radical ideology.

Maybe some other things too, but I’ll let you know about that later.

I recently set up some honeypots to get a look at some scanning activity, which has been pretty interesting. As I get a handle on those, and tweak the configs, I’ll share some metrics and trends coming from them. I have VMs set up to do malware analysis on the samples that I collect as well, so look for some discussion of those. I should note, though, that I am not a highly-skilled malware reverser, so bear with me if some of the malware stuff is a little too obvious, or high-level. If you are a professional you probably aren’t reading this blog, but if you are, feel free to point out my mistakes, or provide suggestions, and we can all learn together.

For now, I will leave you with this stock photo of a sunset, since I will be taking a vacation to do some scuba diving in the near future. While I won’t be blogging about that, feel free to share your scuba stories in the comments.