Diagnosing a Phishing Attack

I was clearing out some older emails today and encountered an attempt to phish Apple credentials; although this one was specific to Apple, the general lessons apply to all phishing attacks … and indeed more general malicious spam.

The attack was immediately obvious simply from the email addresses within the “To” and “From” headers without opening the body of the email :-

To: customer@apple.bill.com
From: suρρort@aρρlе.com <srvcsiyaccntse19sr345icdoeh@pesawwaatadaka.com>

First of all, look at the “To” header :-

  1. It doesn’t contain your (or in this case my) email address. This is a mark of suspicion; not enough on its own to make it spam, but on the way.
  2. Look how “apple” is a sub-domain of “bill.com”. Is Apple likely to allow anything significant to be branded with anything other than “apple”? More suspicious.

Next look at the “From” header … it may well be that your mail client does not show the full version of this – it would show just the “suρρort@aρρlе.com” rather than the real email address which is contained within “<” and “>” (“srvcsiyaccntse19sr345icdoeh@pesawwaatadaka.com”). So some of the first indicators may not be visible to you :-

  1. The real email address (“srvcsiyaccntse19sr345icdoeh@pesawwaatadaka.com”) is very odd, and the domain part (“pesawwaatadaka.com”) has no apparent connections with Apple.
  2. The supposed email address (“suρρort@aρρlе.com”) appears where a full name would normally appear – this is a clear mark of suspicion.
  3. Look closely at the “p”s in “aρρlе.com” and “suρρort”. Magnify the screen if you wish; not quite right, are they? That’s because they’re not “p”s at all but the Greek letter rho, which has a similar but not identical appearance to a “p”. Using deceptive Unicode letters like this is doubly suspicious – enough to treat the email very carefully.
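The “To” and “From” checks above can be turned into a small script. This is an added example, not code from the post; the two headers are the ones shown above, `MY_ADDRESS` is a placeholder for your own mailbox, and the `brand` argument is an assumption used to spot the “apple as a sub-domain of bill.com” trick.

```python
import unicodedata

# Constructed sample input: the two headers quoted in the post.
# MY_ADDRESS is a placeholder for the recipient's real mailbox.
MY_ADDRESS = "me@example.org"
TO_HEADER = "customer@apple.bill.com"
FROM_HEADER = "suρρort@aρρlе.com <srvcsiyaccntse19sr345icdoeh@pesawwaatadaka.com>"


def split_from(header):
    """Split 'display <addr>' into (display, addr); a bare address has no display part."""
    if "<" in header and header.rstrip().endswith(">"):
        display, _, rest = header.partition("<")
        return display.strip(), rest.rstrip().rstrip(">").strip()
    return "", header.strip()


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def non_ascii_letters(text):
    """Distinct letters outside ASCII with their Unicode names (e.g. GREEK SMALL LETTER RHO).
    NFKC normalisation does not fold rho to 'p', so the check has to look at the script itself."""
    return sorted({(c, unicodedata.name(c, "UNKNOWN")) for c in text if c.isalpha() and ord(c) > 127})


def header_warnings(to_header, from_header, my_address, brand="apple"):
    """Return the suspicion marks the post derives from the To and From headers."""
    warnings = []
    to_addrs = [a.strip(" <>") for a in to_header.split(",")]
    if my_address.lower() not in (a.lower() for a in to_addrs):
        warnings.append("To: does not contain your own address")
    for addr in to_addrs:
        labels = domain_of(addr).split(".")
        # brand appears as a label, but the registrable domain (last two labels) belongs to someone else
        if brand in labels[:-2]:
            warnings.append(f"To: '{brand}' is only a sub-domain of {'.'.join(labels[-2:])}")
    display, real = split_from(from_header)
    if "@" in display:
        warnings.append("From: display name is itself an email address")
        if domain_of(display) != domain_of(real):
            warnings.append(f"From: shows {domain_of(display)} but the real sender domain is {domain_of(real)}")
    odd = non_ascii_letters(display)
    if odd:
        warnings.append("From: display name uses non-ASCII letters: " + ", ".join(n for _, n in odd))
    return warnings


if __name__ == "__main__":
    for w in header_warnings(TO_HEADER, FROM_HEADER, MY_ADDRESS):
        print("-", w)
```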

The subject itself also has lots of suspicious keywords selected (in some cases) to fool you into treating it more urgently and less suspiciously :-

  1. “Fwd:”: This is commonly added when someone manually forwards an email on – why is this sort of email being forwarded and not sent directly? Do you have a personal assistant who handles emails for you?
  2. “Daily-Reminder”: If it’s a daily reminder, what is so urgent about it?
  3. “Receipt-Document due”: Are you behind on your paperwork with Apple?
  4. “Alert!”: Is it really?

And lastly, there is the message body itself, although by now there is enough information leading to suspicion that there is no need to examine the body. But the body consists of just an attachment; no serious email from an organisation like Apple will consist of just an attachment with no explanation as to the contents. I have never sent an email to someone with just an attachment – even when they know such a thing is on the way; there is always an explanation.

I (and don’t do this unless you know you are running it in a prepared environment with full protection against infection) downloaded the attachment and passed it through some checks :-

  1. It isn’t detected as malware by VirusTotal (which passes an uploaded file through 61 anti-malware engines).
  2. The document contains lots of scary words plus a link to a suspicious site. The link was to csactivityremember.ddns.${obfuscated}. The “ddns” bit indicates that this site moved around to different servers on a regular basis. Not the sort of thing that Apple would do; and Apple certainly wouldn’t use a name like that.

Note how there was enough information in the “To” and “From” headers to indicate that this was a suspicious email – all the rest of it was further analysis to confirm my suspicions. You can (and should) reject such suspicious emails at the earliest possible stage.
