
Analyzing Web Mail Abuse and Spear-Phishing

Spear-Phishing Analysis

Here is a real example and a detailed investigation of an attempt at "spear-phishing".

It is phishing as it features the usual attempt to get the receiver to reply with their login and password. It is spear-phishing because it wasn't just randomly blasted out to millions of addresses. The message was specialized and based on a little research.

ECN, or the Engineering Computer Network, is the subdomain for the College of Engineering at Purdue University. But of course they aren't going to do something as ridiculous as ask everyone to please mail back their login and password!

The message also includes the usual quirky formatting and broken English:

And so on. Do they not teach English in Nigeria? Wait, I'm getting ahead of myself...

Let's analyze the message header and see what really happened. We can try to answer two interesting questions:

  1. Who sent it?
  2. Whose poor system configuration unwittingly helped the attempted attack?

Below is the complete header as it was received. I have highlighted the header fields of interest; the rest are mostly spam and virus checking output:

From webmasters@ecn.purdue.edu  Sat Feb 20 16:07:43 2010
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on rvl4.ecn.purdue.edu
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=1.5 tests=BAYES_50 autolearn=no
        version=3.2.5
Received: from andromeda.lunarpages.com (andromeda.lunarpages.com [67.210.126.45])
        by rvl4.ecn.purdue.edu (8.14.4/8.14.2) with ESMTP id o1KL7M6j022107
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
        for <cromwe11@rvl4.ecn.purdue.edu>; Sat, 20 Feb 2010 16:07:43 -0500 (EST)
Received: from localhost ([127.0.0.1])
        by andromeda.lunarpages.com with esmtpa (Exim 4.69)
        (envelope-from <webmasters@ecn.purdue.edu>)
        id 1NiwXe-0008GY-UJ; Sat, 20 Feb 2010 13:07:10 -0800
Received: from 41.138.186.107 ([41.138.186.107]) by usindh.edu.pk (Horde
        MIME library) with HTTP; Sat, 20 Feb 2010 13:07:10 -0800
Message-ID: <20100220130710.2jc06olc2swgowkw@usindh.edu.pk>
Date: Sat, 20 Feb 2010 13:07:10 -0800
From: ECN PURDUE WEBMAIL MAINTAINERS <webmasters@ecn.purdue.edu>
Reply-to: webmasterserver@mail2webmaster.com
To: undisclosed-recipients:;
Subject: ECN PURDUE Webmail Service users
MIME-Version: 1.0
Content-Type: text/plain;
        charset=ISO-8859-1;
        DelSp="Yes";
        format="flowed"
Content-Disposition: inline
User-Agent: Internet Messaging Program (IMP) H3 (4.1.6)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - andromeda.lunarpages.com
X-AntiAbuse: Original Domain - rvl4.ecn.purdue.edu
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ecn.purdue.edu
X-Source:
X-Source-Args:
X-Source-Dir:
X-ECN-MailServer-VirusScanned: by amavisd-new
X-ECN-MailServer-Origination: andromeda.lunarpages.com [67.210.126.45]
X-ECN-MailServer-SpamScanAdvice: DoScan
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by rvl4.ecn.purdue.edu id o1KL7M6j022107
Status: R
Content-Length: 1220



Attn. Valid Users of ECN PURDUE Webmail Service,

The College of Engineering, Purdue University Webmail Data base has
encountered
a problem of virus and this may lead to losing of some vital
information in your
webmail account. Currently we are running upgrades and checkup in all webmail
account in our data base.
We are doing our best to stop this virus from spreading into more accounts. If
you wish your account to remain in our data base, we kindly ask you to provide
us with the below details:

Name: .......................................
Address: ...................................
Telephone: ........................................
Fax: ........................................
Name of user/identification of the user: ..........................
Password: ...................................

Note: These will enable us back up every information in your webmail account.
Immediately we are through in backing up your account, you will receive a mail
asking you to change your password. We are assuring you that non of your
information will be tampered. We are deeply sorry for any inconveniences these
may have caused you.

Regards,
College of Engineering, Purdue University
Webmail Maintainers Team.

Let's eliminate the simple parts first. These lines are meaningless:

From webmasters@ecn.purdue.edu  Sat Feb 20 16:07:43 2010
From: ECN PURDUE WEBMAIL MAINTAINERS <webmasters@ecn.purdue.edu>
To: undisclosed-recipients:;

The "From" fields can be whatever the sender wants them to be, and "undisclosed-recipients" means that the list of recipients (undoubtedly huge, since Purdue is a big engineering school) was specified within the SMTP protocol itself, with RCPT TO: commands from the sender, but was not listed in any header field, whether "To", "Cc" or "Bcc".

No, the useful header fields are the multi-line "Received" entries, and possibly the originating "Message-ID" field. Because of the way the headers are constructed, you have to read these from bottom to top. So:

Claimed origin:

Message-ID: <20100220130710.2jc06olc2swgowkw@usindh.edu.pk>

First hop:

Received: from 41.138.186.107 ([41.138.186.107]) by usindh.edu.pk (Horde
        MIME library) with HTTP; Sat, 20 Feb 2010 13:07:10 -0800

Second hop:

Received: from localhost ([127.0.0.1])
        by andromeda.lunarpages.com with esmtpa (Exim 4.69)
        (envelope-from <webmasters@ecn.purdue.edu>)
        id 1NiwXe-0008GY-UJ; Sat, 20 Feb 2010 13:07:10 -0800

Third hop:

Received: from andromeda.lunarpages.com (andromeda.lunarpages.com [67.210.126.45])
        by rvl4.ecn.purdue.edu (8.14.4/8.14.2) with ESMTP id o1KL7M6j022107
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
        for <cromwe11@rvl4.ecn.purdue.edu>; Sat, 20 Feb 2010 16:07:43 -0500 (EST)
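The bottom-to-top reading of the "Received" chain, automated as an added example (this is not code from the original article): it parses the page's own header block, lists the hops in transit order, and pulls out the indicators the rest of this analysis turns on. The regular expression assumes the common "from X (Y [ip]) by Z with PROTO" layout; the "esmtpa" interpretation is Exim's documented tag for an authenticated SMTP submission.

```python
import re
from email import message_from_string
# Header block of the message analysed above, copied from the page (trimmed
# to the fields this script reads, in the order they were received).
RAW_HEADERS = """Received: from andromeda.lunarpages.com (andromeda.lunarpages.com [67.210.126.45])
        by rvl4.ecn.purdue.edu (8.14.4/8.14.2) with ESMTP id o1KL7M6j022107
Received: from localhost ([127.0.0.1])
        by andromeda.lunarpages.com with esmtpa (Exim 4.69)
        (envelope-from <webmasters@ecn.purdue.edu>)
        id 1NiwXe-0008GY-UJ; Sat, 20 Feb 2010 13:07:10 -0800
Received: from 41.138.186.107 ([41.138.186.107]) by usindh.edu.pk (Horde
        MIME library) with HTTP; Sat, 20 Feb 2010 13:07:10 -0800
Message-ID: <20100220130710.2jc06olc2swgowkw@usindh.edu.pk>
From: ECN PURDUE WEBMAIL MAINTAINERS <webmasters@ecn.purdue.edu>
Reply-to: webmasterserver@mail2webmaster.com
"""
# "from <helo> (<rdns> [<ip>]) by <host> ... with <proto>"; the parser keeps
# folded continuation lines inside the value, hence DOTALL.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?"
                    r"\s+.*?by\s+(?P<by>\S+).*?with\s+(?P<proto>[\w-]+)", re.DOTALL)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain_of(value):  # domain part of From, Reply-To, Message-ID, ...
    return value.rsplit("@", 1)[-1].strip().rstrip(">")

def trace_hops(raw):
    """Hops in transit order: the bottom Received header is the first hop."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue  # nonstandard Received line: skip rather than guess
        ip = IP_RE.search(m.group("paren") or "")
        hops.append({"from": m.group("helo"), "ip": ip.group(1) if ip else None,
                     "by": m.group("by"), "proto": m.group("proto")})
    return hops

def assess(raw):
    """Pull out the facts the investigation above relies on."""
    msg, hops = message_from_string(raw), trace_hops(raw)
    # A "with HTTP" hop is a webmail submission; its IP is the real client.
    webmail = next((h for h in hops if h["proto"].upper() == "HTTP"), None)
    # Exim tags SMTP AUTH submissions "esmtpa": that host vouched for the sender.
    relay = next((h["by"] for h in hops if h["proto"].lower() == "esmtpa"), None)
    return {
        "origin_ip": webmail["ip"] if webmail else None,
        "webmail_host": webmail["by"] if webmail else None,
        "auth_relay": relay,
        # replies go somewhere other than the displayed sender: a phishing tell
        "reply_to_mismatch": domain_of(msg["From"]) != domain_of(msg["Reply-To"]),
        # Message-ID domain agrees with the first hop, so that host minted it
        "msgid_from_first_hop": bool(hops) and domain_of(msg["Message-ID"]) == hops[0]["by"],
    }
```

Feeding the same block to `assess` answers the two questions posed above: the origin IP is the one to look up in whois, and the "esmtpa" relay is the host whose webmail account or configuration was abused.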

Let's resolve some IP addresses and fully qualified domain names where we can, and do whois lookups where we can't. I'll use the host command instead of nslookup or the far more capable dig in order to minimize the output:

% host usindh.edu.pk
usindh.edu.pk has address 67.210.126.45
usindh.edu.pk mail is handled by 0 usindh.edu.pk.
% host 67.210.126.45
45.126.210.67.in-addr.arpa domain name pointer andromeda.lunarpages.com.
% host 41.138.186.107
Host 107.186.138.41.in-addr.arpa. not found: 3(NXDOMAIN)
% whois 41.138.186.107
% This is the AfriNIC Whois server.

% Information related to '41.138.160.0 - 41.138.191.255'

inetnum:        41.138.160.0 - 41.138.191.255
netname:        VISAFONE-20090814
descr:          Visafone Communications Limited
country:        NG
admin-c:        FY2-AFRINIC
tech-c:         FY2-AFRINIC
org:            ORG-VCL3-AFRINIC
status:         ALLOCATED PA
mnt-by:         AFRINIC-HM-MNT
mnt-lower:      VISAFONE-MNT
source:         AFRINIC # Filtered
parent:         41.0.0.0 - 41.255.255.255

organisation:   ORG-VCL3-AFRINIC
org-name:       Visafone Communications Limited
org-type:       LIR
country:        NG
address:        12, Ologun Agbaje Street
address:        Victoria Island
address:        Lagos
e-mail:         simon@cybaaspace.net
e-mail:         simon.ogwujiakwu@visafone.com.ng
phone:          +2347025551211
fax-no:         +23412624287
admin-c:        FY2-AFRINIC
tech-c:         FY2-AFRINIC
mnt-ref:        AFRINIC-HM-MNT
mnt-ref:        VISAFONE-MNT
mnt-by:         AFRINIC-HM-MNT
source:         AFRINIC # Filtered

person:         Fred Young
nic-hdl:        FY2-AFRINIC
address:        33 Saka Tinubu Street
address:        Victoria Island
address:        Lagos Nigeria
address:        Lagos
address:        Nigeria
e-mail:         simon@cybaaspace.net
e-mail:         simon.ogwujiakwu@visafone.com.ng
phone:          +2347025551211
fax-no:         +23412624287
source:         AFRINIC # Filtered

% whois lunarpages.com

[... output trimmed ...]

   Domain Name: LUNARPAGES.COM
   Registrar: TUCOWS INC.
   Whois Server: whois.tucows.com
   Referral URL: http://domainhelp.opensrs.net
   Name Server: NS0.LUNARSERVERS.COM
   Name Server: NS1.LUNARPAGES.COM
   Name Server: NS2.LUNARPAGES.COM
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 17-mar-2009
   Creation Date: 29-mar-2001
   Expiration Date: 29-mar-2014

Registrant:
 Add2Net Inc.
 1360 N Hancock St.
 Anaheim, CA 92807
 US

 Domain name: LUNARPAGES.COM


 Administrative Contact:
    Web Hosting, Lunarpages  domains@lunarpages.com
    1360 N Hancock St.
    Anaheim, CA 92807
    US
    +1.7145218150    Fax: +1.7145218195

 Technical Contact:
    Web Hosting, Lunarpages  domains@lunarpages.com
    1360 N Hancock St.
    Anaheim, CA 92807
    US
    +1.7145218150    Fax: +1.7145218195

[... output trimmed ...]

% whois usindh.edu.pk
This TLD has no whois server, but you can access the whois database at
http://www.pknic.net.pk/

There's all the information we need to explain this!

The scammer was on a machine using IP address 41.138.186.107. That IP address does not resolve back to a fully qualified domain name, but we can see that it is one of a block of 8,192 addresses assigned to Visafone Communications Ltd of Lagos, Nigeria: 41.138.160.0 through 41.138.191.255, or 41.138.160.0/18 in modern notation.

The scammer used the machine at 67.210.126.45 as a web mail relay. The scammer connected to the HTTP service running on usindh.edu.pk, which resolves to IP address 67.210.126.45.

These first two discoveries come from the first (bottommost) "Received" field:

Received: from 41.138.186.107 ([41.138.186.107]) by usindh.edu.pk (Horde
        MIME library) with HTTP; Sat, 20 Feb 2010 13:07:10 -0800

The connection to the HTTP service generated a Message-ID of:
20100220130710.2jc06olc2swgowkw@usindh.edu.pk

Someone at that host should be able to figure out if they logged in using stolen credentials, or if the web mail service is just wide open for anyone to abuse.

Notice the reference to "Horde MIME library". There have been a number of advisories about vulnerabilities in this product. For example, Secunia Advisory SA31842. Google reports "about 4,420" results for a search for:
horde mime library advisory

The hostname usindh.edu.pk belongs to the University of Sindh in Pakistan. Lunarpages is a web-hosting company using virtual hosting — it listens on one IP address and serves out different sites depending on the requested server name. So while usindh.edu.pk resolves to 67.210.126.45, http://usindh.edu.pk/ gets you the University of Sindh while http://67.210.126.45/ gets you the Lunarpages web-hosting company, and your browser is redirected from that IP address to www.lunarpages.com, which is at a completely different IP address, 74.50.4.210. The traceroute utility suggests that 74.50.4.210 is in Las Vegas while their web hosting server, at 67.210.126.45, is in San Diego.


The second "hop" was within the Lunarpages server, from the buggy or misconfigured web mail service to the Exim mail server process. This is not a hop between hosts, but a TCP connection from the web service process to the mail service process within the same machine:

Received: from localhost ([127.0.0.1])
        by andromeda.lunarpages.com with esmtpa (Exim 4.69)
        (envelope-from <webmasters@ecn.purdue.edu>)
        id 1NiwXe-0008GY-UJ; Sat, 20 Feb 2010 13:07:10 -0800

The third hop then moved it from Lunarpages to Purdue:

Received: from andromeda.lunarpages.com (andromeda.lunarpages.com [67.210.126.45])
        by rvl4.ecn.purdue.edu (8.14.4/8.14.2) with ESMTP id o1KL7M6j022107
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
        for <cromwe11@rvl4.ecn.purdue.edu>; Sat, 20 Feb 2010 16:07:43 -0500 (EST)

So:
A scammer based in Lagos, Nigeria
abused a web server for a university in Sindh, Pakistan
(but hosted in San Diego, California or maybe Las Vegas, Nevada)
to launch a narrowly targeted attack on a university in Indiana (which is one of those fairly anonymous states in the east-central U.S. and south of the Great Lakes).

The remaining mystery: did the scammer really control the address webmasterserver@mail2webmaster.com, where the hoped-for naive responses would go?
