So I started this blog about a year ago. I wrote one post, went on vacation, and never came back. Well, to be clear, I did return from vacation (somewhat unfortunately), but I didn’t come back to the blog. Perhaps this will be a new beginning…
To reintroduce the blog, I figured I’d write a quick post about a rather unconvincing PayPal phish that I received today. Aside from the typical tell-tale spelling mistakes, the email addressed me by using an email address that doesn’t even belong to me:
Image 1. Is that your email address? If so, they are looking for you.
The email contains a Word document with some pretty poor English, and a not-so-enticing link suggesting that I “click here”. (I did not click here.) I generated an MD5 of the document and queried it against VirusTotal, but didn’t get any matches. There didn’t seem to be any unique content in the doc that would cause different hashes across recipients, but who knows.
However, copying the URL from the link, I ran it through urlscan.io, and got a nice screenshot of a PayPal phish in German:
Of course, the link in the doc used a shortened URL, but urlscan is good enough to provide the un-shortened link. The long one has a couple of “DE” variables in it, so the phish may be geo-aware, changing language based on the victim’s location. To confirm this, I ran a cURL command to get the response headers and redirects. Using a US-based VPN, the second hop shows that I’m US-based, so the urlscan query must have been initiated from a server in Germany.
The redirects also revealed an additional URL which, when queried against VirusTotal, shows that the domain has been used in PayPal phishes since at least October 2018. I didn’t get any additional context from the first un-shortened URL, but pivoting off of the IP address, we get 72 additional domains, many of which are very similar, with DNS resolutions dating to 2019-03-27.
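The cURL step above is the part worth automating when you do this more than once. The script below is an added example (not code from this post): it takes the header blocks that `curl -sIL <url>` prints for each hop, follows the Location headers, unwraps an href.li-style “?https://…” redirector to get the real final target, flags query parameters that look like country codes (the “DE” variables mentioned above), and defangs everything for an IOC list. The sample curl output embedded in it is constructed, not captured: the hosts come from the IOC list below, but the second hop’s query string (`lang=DE&country=US`) is a hypothetical stand-in for whatever the geo-aware redirect really sends.

```python
"""Unwind a redirect chain captured with `curl -sIL` and turn it into IOCs.

Added example, not from the original post.  Parses the header blocks curl
prints per hop, follows Location headers, unwraps a referrer-hiding
redirector such as href.li, flags country-code-looking query values, and
defangs the result so it can be pasted into a report.
"""
import re
from urllib.parse import parse_qsl, urljoin, urlsplit

# Constructed sample of `curl -sIL <short url>` output.  Hosts come from the
# post's IOC list; the second hop's query string is a hypothetical stand-in
# for the geo-aware redirect the post describes.
SAMPLE_CURL_OUTPUT = """\
HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://confirms-limiteds-invaliddatassesure.aplikasimobilyberkelas.com/?_
Content-Length: 0

HTTP/1.1 302 Found
Content-Type: text/html
Location: /?_=1&lang=DE&country=US

HTTP/1.1 302 Found
Location: https://href.li/?https://www.paypal.com//webapps/mpp/paypal-safety-and-security

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
"""

START_URL = "http://x.co/6nilO"  # the shortener link from the post

COUNTRY_CODE = re.compile(r"^[A-Z]{2}$")


def parse_hops(curl_output):
    """Split curl -sIL output into one (status_code, headers) tuple per hop."""
    hops = []
    for block in re.split(r"\r?\n\r?\n", curl_output.strip()):
        lines = block.splitlines()
        status = int(lines[0].split()[1])  # "HTTP/1.1 301 Moved ..." -> 301
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        hops.append((status, headers))
    return hops


def redirect_chain(start_url, curl_output):
    """Every URL visited, resolving relative Location headers against the previous hop."""
    chain = [start_url]
    for status, headers in parse_hops(curl_output):
        if 300 <= status < 400 and "location" in headers:
            chain.append(urljoin(chain[-1], headers["location"]))
    return chain


def unwrap_redirector(url):
    """Pull the real target out of an href.li-style '?https://...' wrapper."""
    query = urlsplit(url).query
    if query.startswith(("http://", "https://")):
        return query
    return url


def country_hints(url):
    """Query parameters whose values look like two-letter country codes."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {k: v for k, v in pairs if COUNTRY_CODE.match(v)}


def defang(url):
    """hxxp:// and [.] so the indicator cannot be clicked by accident."""
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")


def summarize(start_url, curl_output):
    """Defanged chain, unwrapped final target, and any geo-looking parameters."""
    chain = redirect_chain(start_url, curl_output)
    return {
        "chain": [defang(u) for u in chain],
        "final": defang(unwrap_redirector(chain[-1])),
        "geo": {defang(u): country_hints(u) for u in chain if country_hints(u)},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(START_URL, SAMPLE_CURL_OUTPUT), indent=2))
```

To use it on a live chain, pipe `curl -sIL -A "<browser UA>" <url>` into a file and pass its contents in place of the constructed sample; run it once from each vantage point (VPN exit, urlscan, a cloud box) and diff the `geo` output to see which hop is doing the geolocation. Note that `-I` sends HEAD, and some phishing kits only redirect on GET, so fall back to `curl -sL -o /dev/null -D - <url>` if the chain looks too short.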
There are a lot more queries to do with the info uncovered thus far, but I’m tired and going to bed. So, here are the IOCs collected up to this point:
Sender email: slebew-2990706@jhaiyanegrikkomunikasimusik[.]com
Document Name: Doc-ID#789641.docx
Word Doc MD5: aa72aa3c42795cfa6aaf85bdf22d0942
Sender IP: 209[.]85[.]128[.]68 <– Gmail
Short URL: hxxp://x[.]co/6nilO
Un-Shortened URL: hxxps://confirms-limiteds-invaliddatassesure[.]aplikasimobilyberkelas[.]com/?_
Final URL: hxxps://href[.]li/?https://www.paypal.com//webapps/mpp/paypal-safety-and-security
SSL Cert: SHA-256 B7950BFE4EA4A869AA59398E694FFBB5D43D80AAAED0352D90B5570F724A8A8B
There’s probably something I’m missing, but it will have to wait for another time.