In not be many words let go down the rabbit hole but putting myself in the mindset of a person who does not check e-mails and just clicks on links, making the "think before you click" more or a "click and then think"
Spoiler : Chrome extension added, no document, no malicious sites
Warning: Do not go clicking phishing links, this entry was constructed in a sandbox, also please do not copy or visit any of the links in the guide, the author accepts no responsibility for silly things you do with this information!!!
This is the e-mail, from my spam folder, this is Gmail which makes if very easy to spot malicious messages, but that still DOES NOT STOP people from clicking on that link, lets look a little deeper....
Yes, thanks Gmail but lets ignore that nasty red banner, images are blocked as this is phishing, but lets look at the message:
I have an Amazon Prime membership and yes it is cancelled, so it would not be auto-renewing as its disabled, so this e-mail is obviously assuming all the recipients have a Prime account, nice, lets introduce some red boxes:
Then from the top down....all red flags here.....
- Sense of urgency and something being "held" or stopped
- Customer spelt wrong, and it should be my Name not "customer"
- Urgency again to update my payment details with a nice button to do that for me
- Footer all wrong and incorrect for Amazon
Next lets look at where it has come from, this is the from address, well that nice, it has come from the Amazon domain at the end, but not from this address so I consider spoofing going on here.......
| from: | Amazon.co.uk no-reply-secure.SWKTI7SR0U-SWKTI7SR0USWKTI7SR0U-SWKTI7SR0U@amazon.co.uk | ||
| to: | <removed> | ||
| date: | 15 May 2023, 07:58 | ||
| subject: | Your Prime Membership: Payment declined: Payment method has been declined, please update your payment method so that your order is not canceled and your account is not suspended |
So the messages is from Amazon.co.uk but its failed the SPF and DMARC records which means its not from Amazon
Lets take the message header from this and look a little deeper, nice this actually started its life from this domain as this is the message ID : 20230515065843.D8D0C23FA4CA@mail.kplusi.ir
Right, not an Amazon e-mail, from not Amazon servers failing SPF and DKIM, so this is clearly crap, however it also has some Base64 data encoded within:
----boundary_245627_9649a81c-550c-44c0-8d8c-fd551c8bc5cc
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
Interesting, not something one finds in a message, so what exactly are they hiding in Base64 I wonder, well that seems to be a website, so you cannot see it, how interesting, you can see the HTML with the tags below, so the e-mail contains the malicious website......nice......
This is what that HTML hides:
The link is this:
Which is clearly not Amazon so where does the link go, we first we go to a wordpress site then to redirection URL......interesting.....
This now redirects to Bing, but I bet it did something yesterday, the flow looks like this:
HTTP Request
flow: 216.218.206.62:443
time: 0
url: https://seiwakaiun[dot]com[dot]ph/wp/signin.php
HTTP Response
flow: 216.218.206.62:443
time: 0
response: HTTP/1.1 302 Found
HTTP Request
flow: 216.218.206.62:443
time: 0
url: https://seiwakaiun[dot]com[dot]ph/wp/signin.php
However the hidden payload here is Chrome gets given a browser extension that is loaded into your version of Chrome as you can see here:
This is what it does......with the extension data....
File created:
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.61.4_0\manifest.jsonchrome.exe
This is a reason not to click links in e-mails that are in your spam folder with warning about malicious content, apart from a Chrome extension this did not do anything harmful to the sandbox VM, but that extension might be used later for other malicious purposes.
Massive shout out to Triage for the sandbox, which are you look at on this link : https://tria.ge/ and you can view the report for this ovviously fake e-mail with this : https://tria.ge/230516-q8gd9aab61/behavioral2
This particular sample got a 6/10 for "suspicious" activity but hopefully this outlines how you need to be vigilant at all times.
