Sunday, 4 March 2018

Scammers Going Mobile: Just to be with you.

Anyone on the Internet has more than likely seen one or more email scams. Even with spam filters in use, there is always going to be the occasional one that slips through.

The scammers however are coming at us from multiple approaches, or what could be referred to as ‘attack vectors’. This post relates to the SMS text message vector, which is becoming more popular. In the last week alone, I have gone from never receiving one of these scam messages, to receiving two in the same day.

Don’t Click the Link.

Scam text messages, just like scam emails, aim to dupe you into doing something the scammer wants you to do, and you will not realise that you did not want to do it until it is too late.

However, scam text messages are more limited in the content they can carry, and so are more likely to require you to click on a link to download any malware. And so it was with both of the scam text messages I received. So, I made sure that in neither case did I click the links they contained.






The Clues

How did I know that these were likely scams? Take a look at both text messages: whilst both appear to address a specific individual by name, neither name used matches my own. So that is the first clue.

The second clue is that I do not have a Bitcoin account. So the first SMS message is very likely a scam. Even if I did have a Bitcoin account, I would go through a registered Bitcoin exchange, not some random link sent to me in a text message. Most likely, this message was crafted to try and dupe recipients into thinking that they have mistakenly received a message intended for ‘Kaitlyn’, and the scammers are hoping that at least some recipients are silly and dishonest enough to take their chance of collecting Kaitlyn’s money.

The third clue, from my perspective, is the use of the sender name “WOOLGIFTS”. To my mind that stands out like a sore thumb. Why is it capitalised? Why not “Woolworths Gift Cards”?

Confirming Suspicions

The link provided in the first text message has used a URL shortening service to hide the real link. However, the second message has a link that is a little more intelligible straight up. This allows us to put the domain into IP-address.org to see who might own it.



The results for “woolworths.msggft.com” were uninspiring – as that does not exist as a registered domain. Possibly it could be a subdomain of “msggft.com”, and IP-address.org confirms that such a domain exists, and that it was registered with GoDaddy.com in the United States. Some scammers live in the US, so there is no good news there.

As the link came via text message, it is likely that the content of the malware behind it is targeted at mobile phones, likely iOS or Android phones. As these are different operating systems to some of my other devices, and because I do trust my anti-malware software, a day or two after receiving the text messages I used a different device to attempt to navigate to “woolworths.msggft.com”.



Good news. It appears that someone has already reported this site. Both “woolworths.msggft.com” and “msggft.com” show an account suspended page. Either that, or the scammers are so crafty that they have created an account suspended page to send non-mobile devices to, to try and fool researchers. Either way, it confirms my suspicions that it was all a scam.
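The two tells used above, a shortened link that hides its destination and a trusted brand name sitting in front of an unrelated registrable domain (“woolworths.msggft.com”), can be checked mechanically before anyone taps the link. The following is an added example and not code from the original post; it runs offline and makes no lookups. The shortener list, the brand list and the small public-suffix subset are assumptions constructed for the example.

```python
"""Added example, not code from the original post: an offline triage helper
for a link received by SMS.  It extracts the host, flags well-known URL
shorteners (which hide the real destination, as the first message did),
and flags 'brand-as-subdomain' hosts such as woolworths.msggft.com, where
a trusted brand name is a label in front of an unrelated registrable
domain.  The shortener list, brand list and public-suffix subset are
constructed for this example and are deliberately small."""
from urllib.parse import urlsplit

# Assumption: a few well-known shortener hosts, not an exhaustive list.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}

# Assumption: brand label -> registrable domains that brand actually uses.
BRAND_DOMAINS = {"woolworths": {"woolworths.com.au"}}

# Assumption: tiny subset of two-label public suffixes (the real list is much longer).
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "co.nz"}


def host_of(url: str) -> str:
    """Lower-cased host of a URL; a bare host like 'bit.ly/x' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """woolworths.msggft.com -> msggft.com; www.woolworths.com.au -> woolworths.com.au."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage_url(url: str) -> dict:
    """Return the host, its registrable domain and a list of reasons for suspicion."""
    host = host_of(url)
    reg = registrable_domain(host)
    findings = []
    if host in SHORTENERS:
        findings.append("URL shortener hides the real destination")
    # Labels in front of the registrable domain, e.g. ['woolworths'] for woolworths.msggft.com.
    prefix = host[: -len(reg)].rstrip(".") if host != reg else ""
    for label in (prefix.split(".") if prefix else []):
        for brand, legit_domains in BRAND_DOMAINS.items():
            if brand in label and reg not in legit_domains:
                findings.append(f"brand '{brand}' used as a subdomain of unrelated domain {reg}")
    return {"host": host, "registrable_domain": reg,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for link in ("http://woolworths.msggft.com/claim",
                 "https://bit.ly/abc123",
                 "https://www.woolworths.com.au/"):
        print(triage_url(link))
```

The brand check is the one that catches the second message: the retailer's name is only a subdomain label, and the registrable domain that actually controls the site is msggft.com, which is exactly what the IP-address.org lookup above confirmed.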

The One That Got Through: Part 1 – Money News

Welcome to my side bar series titled “The One That Got Through”. This series is about recent scam and malicious emails that have made it through without the email filters sending them straight to Junk Mail. Given that the Gmail spam filters tend to be pretty good, I do not expect to write up too many of these articles.

Today’s article is about a recent “Money News” email that I received.

Upfront: I have attempted to contact the Australian companies whose good reputation this email scam attempts to hide behind, and also the overseas-based hosting companies who, unwittingly or otherwise, supplied the hosting services that this scam email made use of. None of them have responded.

Whilst I may have investments, and I may receive information about them, none of them are titled “Money News”, nor anything like that.



So when the above email showed up in my inbox, immediately it rang alarm bells:
- I never subscribed to “Money News”.
- Even if I had subscribed, this is from “-M-o-n-ey_News--”. If this was a serious publication, why would they format it like that? Presumably to get it through email spam filters that are looking for spam emails about money.
- My name is not “Malane”, so whoever this is from does not know me.
- The words “Bonus… upon registration” tell the story. You MAY be lucky enough to get a bonus, if you actually manage to complete the registration process. Companies that actually want to do legitimate business with you normally do not behave like this.

Who is it From?

So using the trick of hovering over the sender’s ‘name’ with the mouse, Gmail brings up a dialog box that shows the email address that the sender is supposed to be using, “velocity@e.velocityfrequentflyer.com”.



So, supposedly the email is from Virgin Australia’s partner loyalty organisation Velocity. I’m not a member, so why would they be emailing me? Or is it from Qantas’ Frequent Flyer loyalty program? I’m confused. Perhaps whoever sent it either intended to create confusion, or they are not resident in Australia and do not know which company is which.

More Questions Than Answers

So, if I were using a desktop email client such as Outlook or Mozilla Thunderbird, or if I were opening the email in a mail aggregation app on my mobile phone, a malicious email would be more likely to cause direct problems for the device I’m using. Fortunately, using Gmail through my browser, perhaps there is a little more protection.



Opening the email provides more questions to the untrained eye, than answers. There is almost no information; no email content beyond what appears to be an HTML attachment. And this attachment has a file name of “noname.html”, which seems odd.

No Confidence in the Details


So, to dig deeper into this email, I use the Gmail option to “Show Original”.



With the details of the email original on screen, start with the header information. Initially it looks like it could be legitimate – the Message ID has an address that includes the text “virginairli_prod1”, suggesting a connection to Virgin Airlines. However, at the bottom of the header details is a section that details the SPF, or spam filter, results. This has a “SOFTFAIL” result, which definitely does not inspire confidence. SOFTFAIL essentially tells us that the spam filter thought that the email was suspect, but had no existing evidence or rules to confirm this against.

Now to the Juicy Bits

Scrolling down the original view, reveals the content and coding that I present in the digest.txt text file. Note, I have obfuscated my email address details, as these are immaterial to this investigation, and to protect my own privacy. I have also scanned the text file with a malware scanner, and nothing was detected.

The digest.txt file can be provided on demand. Please contact MikeL by email to receive it.


Sender Domains in SPF Results.

Looking deeper into the spam filter results, in the header code of the email, it is worth noting that there are two Received-SPF results. This is where the spam filter attempts to validate the IP address of the email server sending the email against the registered domain name that the sender’s email account is reporting to be from. To do this I use the lookup tools provided by IP-address.org.



We have one result where the email is purporting to have come from the bmw.com.au domain, which failed verification. The other associated domain is beta.brightinsight.net, which did validate correctly. Interestingly, both attempts to validate the sender’s domain use the same IP address (46.4.90.70).
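The header observations made in the two passages above (the SOFTFAIL result, and two Received-SPF lines naming different sender domains but the same sending IP) can be pulled out of a “Show Original” dump automatically, along with the hyphen-padded subject line. The script below is an added example, not code from the original post. Received-SPF records the result of the Sender Policy Framework check that the receiving server performs on the envelope sender. The sample header block is constructed: the domains, IP address, subject and From: address are the ones quoted in the post, the local parts of the envelope addresses are placeholders, and the keyword list is an assumption.

```python
"""Added example, not part of the original post: triage of a raw email header
dump.  It parses the Received-SPF headers Gmail adds, compares the sender
domains they report against each other and against the From: header, and
normalises the Subject: line so that punctuation padding such as
"-M-o-n-ey_News--" can still be matched against a keyword list.
SAMPLE_HEADERS is constructed; domains, IP and subject come from the post,
the local parts 'news@' are placeholders."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (local parts are placeholders).
SAMPLE_HEADERS = """\
From: Velocity <velocity@e.velocityfrequentflyer.com>
Subject: -M-o-n-ey_News--
Received-SPF: softfail (google.com: domain of transitioning news@bmw.com.au
 does not designate 46.4.90.70 as permitted sender) client-ip=46.4.90.70;
Received-SPF: pass (google.com: domain of news@beta.brightinsight.net
 designates 46.4.90.70 as permitted sender) client-ip=46.4.90.70;

"""

# Assumption: words a filter would look for once padding is stripped.
SUSPICIOUS_SUBJECT_WORDS = {"moneynews", "bonus", "registration"}

# Matches the Received-SPF format used in the sample: result, sender, client IP.
SPF_RE = re.compile(
    r"^(?P<result>\w+)\b.*?domain of (?:transitioning )?(?P<sender>\S+@(?P<domain>[\w.-]+))"
    r".*?client-ip=(?P<ip>[\d.]+)",
    re.DOTALL,
)


def parse_received_spf(raw_message: str) -> list:
    """One dict per Received-SPF header: result, sender domain and client IP."""
    msg = message_from_string(raw_message)
    records = []
    for value in msg.get_all("Received-SPF", []):
        flat = " ".join(str(value).split())  # unfold and squeeze whitespace
        m = SPF_RE.search(flat)
        if m:
            records.append({"result": m["result"].lower(),
                            "domain": m["domain"].lower(),
                            "client_ip": m["ip"]})
    return records


def normalise_subject(subject: str) -> str:
    """Keep only letters and digits, so '-M-o-n-ey_News--' becomes 'moneynews'."""
    return re.sub(r"[^a-z0-9]", "", subject.lower())


def triage(raw_message: str) -> dict:
    """Combine the SPF, From: and Subject: checks into a list of findings."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    spf = parse_received_spf(raw_message)
    findings = []

    if any(r["result"] != "pass" for r in spf):
        findings.append("at least one Received-SPF result is not 'pass'")

    domains = {r["domain"] for r in spf}
    ips = {r["client_ip"] for r in spf}
    if len(domains) > 1 and len(ips) == 1:
        findings.append(f"one sending host {next(iter(ips))} claims several "
                        f"sender domains: {sorted(domains)}")

    # The visible From: domain should relate to at least one SPF-checked domain.
    if from_domain and domains and not any(
            from_domain == d or from_domain.endswith("." + d) or d.endswith("." + from_domain)
            for d in domains):
        findings.append(f"From: domain {from_domain} matches none of the SPF sender domains")

    subject = msg.get("Subject", "")
    norm = normalise_subject(subject)
    compact = re.sub(r"\s+", "", subject.lower())  # spaces alone are not padding
    for word in sorted(SUSPICIOUS_SUBJECT_WORDS):
        if word in norm and word not in compact:
            findings.append(f"subject keyword '{word}' is hidden by punctuation padding")

    return {"from_domain": from_domain, "spf": spf,
            "normalised_subject": norm, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_HEADERS)["findings"]:
        print("-", line)
```

Run against the sample it reports four findings: the softfail, two sender domains behind one IP, a From: domain unrelated to either of them, and the “money news” keyword that only appears once the hyphens and underscores are removed. A legitimate “Money News” subject from a matching domain produces none.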

So the next step is to conduct some research into these domain names, and the IP address given. Looking up bmw.com.au, which one would assume is BMW Australia’s network gives a valid result, indicating that the domain exists and is still registered and operational.



The results indicate that the BMW Australia domain is actually hosted by BMW in Munich, Germany, and they are using a division of their own company in Berlin as the Internet Service Provider. So that checks out.



The results for beta.brightinsight.net are less fruitful: could not resolve beta.brightinsight.net. Interestingly, there is a similar result for the parent domain brightinsight.net. So the domain name that passed the spam filters as being valid on 17 February failed to resolve any results when I queried it on 21 February. Odd? Yes. It could suggest that the domain was registered and set up for a short period to provide services to support the scam campaign, but was soon shut down, either by authorities responding to the threat, or because the scammers wanted to reduce their chances of authorities tracing their identities or location, and so only operated their infrastructure for a short period to reduce the risks.

Where Does This Lead?

So far, we have an email with odd content, that is supposed to be from Virgin Australia’s Velocity loyalty program, and has attempted to pretend that it was sent from both BMW Australia’s email server, and an email server on a network domain that no longer exists. Fishy? Yes. I don’t think BMW Australia would be in the habit of hosting email services for other large companies.



Looking a little closer at the details of where this email was received from, you’ll note that there is an ‘unsubscribe’ email address - ‘virginairlinesau@e.virginaustralia.com’. Wait. Is this supposed to be from Velocity? Or Virgin? The two companies are linked, but why would one be handling emails for the other? Possible, yet not probable. More confusion. That’s what the scammers will want.

The Real Bones of It

Looking further down the original source content of the email, we come to what appears to be the body of the email. This is what appears as the noname.html file when viewed through Gmail. And here is why.



The text in the above screenshot commences with a simple “Hi,”. If this was from someone who knew me, my name would be in that line between the ‘Hi’ and the comma.

Below that it appears to open an HTML font tag with a color attribute, and it appears to be setting the color attribute to a value. However, the multiple lines of seemingly random characters after that are not a valid HTML RGB colour code. It appears instead to be an ASCII representation of what might actually be some kind of binary code, i.e. this bad HTML color code is actually the malware within this scam email, or so I suspect.
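Whatever the blob turns out to be, a colour attribute that is not a colour is easy to detect, and an HTML attachment carrying kilobytes of data in one is a reliable triage signal. The scanner below is an added example, not code from the original post: it parses the HTML with the standard library and reports every color or bgcolor attribute whose value is not a #hex code, an rgb()/rgba()/hsl()/hsla() call, or a named colour, together with the size of the offending value. The SAMPLE_HTML is constructed with a short placeholder blob; the real attachment's content is not reproduced, and the named-colour list is a small subset.

```python
"""Added example, not the post's own code: flag <font color="..."> (and
bgcolor) attribute values that are not legitimate colours, which is the
shape of the payload described above.  SAMPLE_HTML is a constructed
stand-in for noname.html with a small placeholder blob; NAMED_COLOURS is
a deliberately small subset of the CSS named colours."""
import re
from html.parser import HTMLParser

# Constructed stand-in for the attachment: greeting, bogus colour value, bait text.
SAMPLE_HTML = (
    "Hi,<br>\n"
    '<font color="QUJDRElKS0xNTk9QUVJTVFVWV1hZWg==\nMDEyMzQ1Njc4OUFCQ0RFRg==">'
    "</font><p>Bonus upon registration</p>"
)

# Assumption: small subset of CSS named colours, enough for the example.
NAMED_COLOURS = {"black", "white", "red", "green", "blue", "gray", "grey", "yellow",
                 "orange", "purple", "silver", "navy", "maroon", "transparent"}
HEX_RE = re.compile(r"^#(?:[0-9a-f]{3}|[0-9a-f]{4}|[0-9a-f]{6}|[0-9a-f]{8})$", re.I)
FUNC_RE = re.compile(r"^(?:rgba?|hsla?)\([\d\s.,%/]+\)$", re.I)


def is_valid_colour(value: str) -> bool:
    """True for #hex, rgb()/rgba()/hsl()/hsla(), or a known colour name."""
    v = value.strip()
    return bool(HEX_RE.match(v) or FUNC_RE.match(v) or v.lower() in NAMED_COLOURS)


class ColourAttrScanner(HTMLParser):
    """Collects every color/bgcolor attribute whose value is not a colour."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in ("color", "bgcolor") and value is not None \
                    and not is_valid_colour(value):
                self.findings.append({"tag": tag, "attribute": name,
                                      "length": len(value), "preview": value[:24]})


def scan_html(html: str) -> list:
    """Return the list of suspicious colour attributes found in the HTML."""
    scanner = ColourAttrScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(f"<{finding['tag']} {finding['attribute']}=...> holds {finding['length']} "
              f"bytes that are not a colour, starting {finding['preview']!r}")
```

On a real attachment the interesting number is the length: a genuine colour value is never more than a few dozen characters, so anything in the hundreds or thousands is data being smuggled in an attribute, whatever its encoding turns out to be.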

So Where Does This Lead?

So, whilst I’m not going to investigate the type or function of the malware in the email, I am going to look at a few more clues that may indicate where it has come from and its potential method of operation.



Scrolling further down the source, below the block of malware binary code, a number of hyperlinks appear in plain text. There are two distinct domains referenced in these links. The first domain is the target reference – the destination of the links if clicked. These links belong to the link.nn.ru domain. The other link refers to an image file stored on the domain world-lolo.com. Essentially these are set up as a clickable image-map.

So, going back to the IP address of the source of the email – 46.4.90.70:



Using the IP-address.org tools, we find out that the source IP address belongs to the networks of Hetzner Online GmbH, a German ISP and hosting company.



Further, using the link.nn.ru domain name, which appears by its ‘.ru’ to be a Russian domain, we can do a lookup on IP-address.org. This time the results above tell us that the domain is registered to ROSNIROS Russian Institute for Public Networks.



Finally using the world-lolo.com domain, we can do a similar search, and we find that the domain belongs to OVH SAS, a French ISP and hosting company. So the image file used is hosted from one of OVH’s servers.

One last step is to copy all the lines of the email header and paste them into the validation tools of IP-address.org. From this, we get confirmation of the email originating from Hetzner Online’s servers.



So, what does all this tell us? We have an email, with what is likely malicious content, that has beaten spam filters by adding hyphens to the email title, and has further tried to fool email filters by appearing to come from Velocity/Virgin Australia.

The malicious content of the email is likely utilising or complemented by an image file hosted from OVH SAS in France, that triggers code on a network owned by the Russian Institute of Public Networks. And the real sender of the email has managed to either send the email from an application hosted on a server at the German hosting company Hetzner Online Gmbh, or they have managed to marvelously spoof such.

So what does the supposed subject of the email, money news, and a Russian computing organisation have in common? Russian organised cyber-crime groups have been known to target finance and banking operations, so perhaps the purpose of the malware is to capture banking details. However with all that is happening in the cyber-world, this could be a false-flag, where another operator is trying to give the false pretence that the source of this scam is Russian.

What Next?

The next thing to do is to report the email as spam. In Gmail that is simple: marking it as spam tells Google’s Gmail servers that emails like this should be considered spam, and will help their filters to capture it in future.

#stopthescam
#dontclickthelink