A record of a phishing attempt

So, some scammers in Shinjuku (part of Tokyo) have been sending phishing mail via a server in the US, but they can be traced quite obviously by the “hidden” information in the message headers and the attached HTML file. A delicious bonus: the text encoding setting the scammer(s) used, even though they sent Japanese text, was “gb3212”, which is the the one used for mainland Chinese ( ).

Enjoy!

Note: My - admittedly nerdy - mail software does not render HTML mail but shows only text and delivers the HTML in an attached file. Other more convenient (= dangerous) mail software like Outlook Express directly shows the HMTL content on screen.

received mail:

Note:
recipient mail address replaced with XXXXXXXXXX;
recipient mail server name changed to generic name;
< replaced with { and > replaced with } to render the code ineffective

From: 三菱東京ＵＦＪ銀行 {email@bk.mufg.jp}
To: XXXXXXXXXX
Subject: 本人認証サービス
Date: Tue, 21 Oct 2014 01:10:20 +0800
Content-Type: text/html; charset=gb2312
Return-path: {email@bk.mufg.jp}
Envelope-to: XXXXXXXXXX
Delivery-date: Tue, 21 Oct 2014 01:10:40 +0800
Received: from [107.167.79.146] (port=2515 helo=bk.mufg.jp)
by mail.system.net with esmtp (Exim 4.82)
(envelope-from {email@bk.mufg.jp})
id 1XgGTf-0002pe-AS
for XXXXXXXXXX; Tue, 21 Oct 2014 01:10:39 +0800
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-Html: 受信HTML\141021_00\index.htm

こんにちは！
2014年「三菱東京UFJ銀行」のシステムが安全性の更新がされたため、お客様はアカウントが凍結?休眠されないように、直ちにアカウントをご認証ください。
以下のページより登録を続けてください。
entry11.bk.mufg.jp/ibg/dfw/APLI … =AA000_001

――Copyright(C)2014 The Bank of Tokyo-Mitsubishi UFJ,Ltd.All rights reserved――

mail server:

nslookup:
146.79.167.107.in-addr.arpa domain name pointer cloud2.us.10mvps.com.

traceroute:
1 [AS4685] hirnij31.asahi-net.or.jp (124.155.65.228) 2.508 ms 2.723 ms 1.658 ms
2 [AS4685] hirnirb-ge0.asahi-net.or.jp (124.155.65.254) 2.642 ms 2.903 ms 2.670 ms
3 [AS4685] tkybi5-v9.asahi-net.or.jp (124.155.64.1) 15.667 ms 15.933 ms 15.629 ms
4 [AS4685] kddni3.asahi-net.or.jp (202.224.32.56) 16.641 ms 16.804 ms 16.685 ms
5 [AS2516] 125.29.26.105 (125.29.26.105) 16.597 ms 16.573 ms 16.688 ms
6 [AS2516] otejbb205.int-gw.kddi.ne.jp (118.155.197.1) 78.535 ms
[AS2516] otejbb206.int-gw.kddi.ne.jp (118.155.197.2) 36.583 ms
[AS2516] otejbb205.int-gw.kddi.ne.jp (118.155.197.129) 16.665 ms
7 [AS2516] lajbb002.int-gw.kddi.ne.jp (203.181.100.62) 117.294 ms
[AS2516] lajbb001.int-gw.kddi.ne.jp (203.181.100.18) 116.439 ms
[AS2516] lajbb001.int-gw.kddi.ne.jp (203.181.100.14) 114.847 ms
8 [AS2516] tr-la7.kddnet.ad.jp (59.128.2.158) 115.332 ms 115.710 ms
[AS2516] tr-la7.int-gw.kddi.ne.jp (59.128.2.210) 114.595 ms
9 [AS6939] v216.core1.lax2.he.net (65.19.143.9) 116.527 ms 116.273 ms 114.555 ms
10 [AS46841] 10ge2-3.core1.phx2.he.net (184.105.222.85) 126.548 ms 127.382 ms 127.521 ms
11 [AS6939] 66.160.146.123 (66.160.146.123) 141.519 ms 131.833 ms 130.593 ms
12 * * *

nslookup:
bk.mufg.jp has address 203.178.124.177

traceroute:
1 [AS4685] hirnij31.asahi-net.or.jp (124.155.65.228) 2.677 ms 1.756 ms 2.648 ms
2 [AS4685] hirnirb-ge0.asahi-net.or.jp (124.155.65.254) 4.598 ms 2.957 ms 2.625 ms
3 [AS4685] tkybi5-v9.asahi-net.or.jp (124.155.64.1) 16.621 ms 15.956 ms 15.619 ms
4 [AS4685] kddni2.asahi-net.or.jp (202.224.32.55) 24.688 ms 16.958 ms 16.615 ms
5 [AS4685] tkyni92.asahi-net.or.jp (202.224.32.92) 16.615 ms 15.968 ms 20.596 ms
6 [AS7521] 210.173.176.46 (210.173.176.46) 16.700 ms 16.929 ms 17.631 ms
7 [AS4713] 122.28.104.169 (122.28.104.169) 16.630 ms 16.885 ms
[AS4713] 210.254.187.41 (210.254.187.41) 16.678 ms
8 [AS4713] 60.37.27.168 (60.37.27.168) 101.437 ms
[AS4713] 60.37.27.169 (60.37.27.169) 16.260 ms
[AS4713] 60.37.27.168 (60.37.27.168) 17.033 ms
9 * * [AS4713] 153.146.171.38 (153.146.171.38) 21.848 ms
10 [AS4713] 221.184.29.190 (221.184.29.190) 19.804 ms 19.472 ms 19.652 ms
11 [AS4680] 202.228.3.73 (202.228.3.73) 19.642 ms 101.156 ms 19.646 ms
12 * * *

========================================

attached HTML file:

Note:
< replaced with { and > replaced with }, to render the code ineffective

{!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.0 Transitional//EN”}
{html}{head}
{meta content=“text/html; charset=gb2312” http-equiv=Content-Type}
{/head}
{body}
{p}こんにちは！{/p}
{p}2014年「三菱東京UFJ銀行」のシステムが安全性の更新がされたため、お客様はアカウントが凍結?休眠されないように、直ちにアカウントをご認証ください。{/p}
{p}以下のページより登録を続けてください。{/p}
{p}{a
href=“http://bk.mufg.jp.frn.cn.com/ibg/dfw/APLIN/loginib/login.htm?_TRANID=AA000_001”}三菱UFJダイレクト
{p}{br}――Copyright(C)2014 The Bank of Tokyo-Mitsubishi UFJ,Ltd.All rights
reserved――{/p}
{p}{/p}{/body}{/html}

“Hidden” URL in HTML file:
bk.mufg.jp.frn.cn.com/ibg/dfw/AP … /login.htm

nslookup:
bk.mufg.jp.frn.cn.com has address 126.72.58.76

traceroute:
1 [AS4685] hirnij31.asahi-net.or.jp (124.155.65.228) 2.658 ms 2.729 ms 2.661 ms
2 [AS4685] hirnirb-ge0.asahi-net.or.jp (124.155.65.254) 3.638 ms 2.950 ms 2.664 ms
3 [AS4685] tkybi5-v9.asahi-net.or.jp (124.155.64.1) 15.664 ms 15.924 ms 15.671 ms
4 [AS4685] tkyni92.asahi-net.or.jp (202.224.32.92) 16.647 ms 24.646 ms 24.650 ms
5 [AS4685] ebgp-sb2.asahi-net.or.jp (202.224.35.109) 20.661 ms 18.880 ms 19.662 ms
6 * * *
7 [AS17676] softbank221111178246.bbtec.net (221.111.178.246) 17.759 ms 17.429 ms 17.658 ms
8 [AS17676] softbank221110221034.bbtec.net (221.110.221.34) 17.651 ms 17.221 ms 17.666 ms
9 * * *

nslookup:
76.58.72.126.in-addr.arpa domain name pointer softbank126072058076.bbtec.net.

traceroute:
1 [AS4685] hirnij31.asahi-net.or.jp (124.155.65.228) 2.585 ms 2.671 ms 2.660 ms
2 [AS4685] hirnirb-ge0.asahi-net.or.jp (124.155.65.254) 2.651 ms 2.921 ms 2.666 ms
3 [AS4685] tkybi5-v9.asahi-net.or.jp (124.155.64.1) 15.667 ms 15.950 ms 15.648 ms
4 [AS4685] tkyni92.asahi-net.or.jp (202.224.32.92) 26.636 ms 24.836 ms 21.647 ms
5 [AS4685] ebgp-sb2.asahi-net.or.jp (202.224.35.109) 19.568 ms 17.921 ms 19.645 ms
6 * * *
7 [AS17676] softbank221111178246.bbtec.net (221.111.178.246) 17.779 ms 17.421 ms 18.004 ms
8 [AS17676] softbank221110221034.bbtec.net (221.110.221.34) 17.556 ms 17.914 ms 17.653 ms
9 * * *

以上

I got a phishing email that went through and wasn’t flagged. Nice try!

phishing980×637 48.6 KB

That’s a slick one.

These are clearly alpha emails.

Not like those beta emails

Alpha Mails!

I wonder if the alpha character was some sort of attempt to get past spam/malware filters which may detect the string “activation” ? Weird.

I’m kicking myself for clicking on this link. This SMS came in on my phone and I stupidly clicked the shortURL. The page looked like the DHL front page but the URL was definitely NOT DHL’s

More importantly, I haven’t send out anything via DHL today or in months - so I should’ve known better. I admit I was feeling curious when I clicked the link

Plus the April 31 delivery date is another clue, isn’t it?

IMG_20210430_132507974×700 95.3 KB

I’ve since downloaded Malwarebytes and scanned my phone. Will try to be more careful

IMG_20210430_1329361080×959 71.9 KB

1.99 NT$ will probably appear on your next phone bill if you have an account. If they do that 1 million times they made almost 2 million NT$.

I know someone who was hit with this DHL phishing, as an email however, on Outlook, it took only one click, and there were multiple charges that went through on his card that night. I would call the bank and put a block on my cards if it were me.

yurp

Can you explain this a bit?

He got an email just like the sms above, describing a bogus package, with a small charge he was liable for. The email looked legitimately from DHL, except that the from address was not a DHL domain address. There was one link in the email. The antivirus software he was running did not block the link. He clicked on it, and not long later he was getting smses from the bank about charges on his card. The next day he went back into the email, to get as much info as he could to give the bank. The antivirus software, I think Norton, had updated, and had blocked the link as a phishing attempt.

I know what phishing is, but I wonder what action was triggered with the click. Maybe I’m a bit outdated, but I’m surprised that a simple click produces a bank transaction. I’m guessing there were other things that he clicked on or accepted.

I do have to wonder what is stored on the PC / Phone in question if clicking on a spam/phishing email can result in ones Credit Card being charged. Seems too much is stored there and it allows charges without any warning.

Yeah that’s what I said. However I think it didn’t necessarily trigger a transaction automatically. I think they fooled the browser into sending, to their domain, a cookie for another site, an active login session, which they were able to use to charge on the card.

Some websites store details in your browser. This information is ‘sandboxed to the origin’. Which means, for example, only hsbc’s web server can see hsbc details in your browser. However this ‘sandboxing’ depends on how the webserver is configured, short story is you can mess it up, and allow other domains, evil1.hsbc.com for example to see your browser stored information. This is how a lot of these attacks work.

In the case of the fake DHL email, I’m uncertain how it was done, maybe something like the above, or maybe exploiting some specific Outlook vulnerability.

should we always clear form histories, cookies and browser caches etc. often therefore?

Yeah, that is a good idea.

This is still doing the rounds as I just received this email too, from “Capterra” saying that “AnPost” have a parcel to be delivered and to ‘click here’ to pay $2.99 first. I didn’t look any further beyond the preview and have deleted it.

For those of you who use SF express. There is a phishing campaign going about. The long or short of it is don’t click on any email links from SF express.

Those technically interested can read about the details here: