Analyzing Web Mail Abuse and Spear-Phishing
Spear-Phishing Analysis
Here is a real example and a detailed investigation of an attempt at "spear-phishing".
It is phishing as it features the usual attempt to get the receiver to reply with their login and password. It is spear-phishing because it wasn't just randomly blasted out to millions of addresses. The message was specialized and based on a little research.
ECN, or the Engineering Computer Network, is the subdomain for the College of Engineering at Purdue University. But of course they aren't going to do something as ridiculous as ask everyone to please mail back their login and password!
The message also includes the usual quirky formatting and broken English:
- ... has encountered a problem of virus and ...
- ... may lead to losing of some vital information in your ...
- ... running upgrades and checkup in all webmail account in ...
- ... to backup every information in your ...
- Immediately we are through ...
- We are assuring you that non of your information will be tampered.
And so on. Do they not teach English in Nigeria? Wait, I'm getting ahead of myself...
Let's analyze the message header and see what really happened. We can try to answer two interesting questions:
- Who sent it?
- Whose poor system configuration unwittingly helped the attempted attack?
Below is the complete header as it was received. I have highlighted header fields of interest, the rest are mostly spam and virus checking output:
From webmasters@ecn.purdue.edu Sat Feb 20 16:07:43 2010
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on rvl4.ecn.purdue.edu
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=1.5 tests=BAYES_50 autolearn=no version=3.2.5
Received: from andromeda.lunarpages.com (andromeda.lunarpages.com [67.210.126.45])
        by rvl4.ecn.purdue.edu (8.14.4/8.14.2) with ESMTP id o1KL7M6j022107
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
        for <cromwe11@rvl4.ecn.purdue.edu>; Sat, 20 Feb 2010 16:07:43 -0500 (EST)
Received: from localhost ([127.0.0.1])
        by andromeda.lunarpages.com with esmtpa (Exim 4.69)
        (envelope-from <webmasters@ecn.purdue.edu>)
        id 1NiwXe-0008GY-UJ; Sat, 20 Feb 2010 13:07:10 -0800
Received: from 41.138.186.107 ([41.138.186.107]) by usindh.edu.pk (Horde
        MIME library) with HTTP; Sat, 20 Feb 2010 13:07:10 -0800
Message-ID: <20100220130710.2jc06olc2swgowkw@usindh.edu.pk>
Date: Sat, 20 Feb 2010 13:07:10 -0800
From: ECN PURDUE WEBMAIL MAINTAINERS <webmasters@ecn.purdue.edu>
Reply-to: webmasterserver@mail2webmaster.com
To: undisclosed-recipients:;
Subject: ECN PURDUE Webmail Service users
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
Content-Disposition: inline
User-Agent: Internet Messaging Program (IMP) H3 (4.1.6)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - andromeda.lunarpages.com
X-AntiAbuse: Original Domain - rvl4.ecn.purdue.edu
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ecn.purdue.edu
X-Source:
X-Source-Args:
X-Source-Dir:
X-ECN-MailServer-VirusScanned: by amavisd-new
X-ECN-MailServer-Origination: andromeda.lunarpages.com [67.210.126.45]
X-ECN-MailServer-SpamScanAdvice: DoScan
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by rvl4.ecn.purdue.edu id o1KL7M6j022107
Status: R
Content-Length: 1220

Attn. Valid Users of ECN PURDUE Webmail Service,

The College of Engineering, Purdue University Webmail Data base has encountered a problem of virus and this may lead to losing of some vital information in your webmail account. Currently we are running upgrades and checkup in all webmail account in our data base. We are doing our best to stop this virus from spreading into more accounts. If you wish your account to remain in our data base, we kindly ask you to provide us with the below details:

Name: .......................................
Address: ...................................
Telephone: ........................................
Fax: ........................................
Name of user/identification of the user: ..........................
Password: ...................................

Note: These will enable us back up every information in your webmail account. Immediately we are through in backing up your account, you will receive a mail asking you to change your password. We are assuring you that non of your information will be tampered.

We are deeply sorry for any inconveniences these may have caused you.

Regards,
College of Engineering, Purdue University Webmail Maintainers Team.
Let's eliminate the simple parts first. These lines are meaningless:
From webmasters@ecn.purdue.edu Sat Feb 20 16:07:43 2010
From: ECN PURDUE WEBMAIL MAINTAINERS <webmasters@ecn.purdue.edu>
To: undisclosed-recipients:;
The "From" fields can be whatever the sender wants them to be, and "undisclosed-recipients" means that the list of recipients (undoubtedly huge, Purdue is a big engineering school) was specified within the SMTP protocol itself, with RCPT TO: commands by the sender, but was not listed in a header field, either "To" or "Cc" or "Bcc".
No, the useful header fields are the multi-line "Received" entries, and possibly the originating "Message-ID" field. Because of the way the headers are constructed, you have to read these from bottom to top. So:
Claimed origin:
Message-ID: <20100220130710.2jc06olc2swgowkw@usindh.edu.pk>
First hop:
Received: from 41.138.186.107 ([41.138.186.107]) by usindh.edu.pk (Horde MIME library) with HTTP; Sat, 20 Feb 2010 13:07:10 -0800
Second hop:
Received: from localhost ([127.0.0.1]) by andromeda.lunarpages.com with esmtpa (Exim 4.69) (envelope-from <webmasters@ecn.purdue.edu>) id 1NiwXe-0008GY-UJ; Sat, 20 Feb 2010 13:07:10 -0800
Third hop:
Received: from andromeda.lunarpages.com (andromeda.lunarpages.com [67.210.126.45]) by rvl4.ecn.purdue.edu (8.14.4/8.14.2) with ESMTP id o1KL7M6j022107 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <cromwe11@rvl4.ecn.purdue.edu>; Sat, 20 Feb 2010 16:07:43 -0500 (EST)
Let's resolve some IP addresses and fully qualified domain names where we can, and do whois lookups where we can't. I'll use the host command instead of nslookup or the far more capable dig in order to minimize the output:
% host usindh.edu.pk
usindh.edu.pk has address 67.210.126.45
usindh.edu.pk mail is handled by 0 usindh.edu.pk.

% host 67.210.126.45
45.126.210.67.in-addr.arpa domain name pointer andromeda.lunarpages.com.

% host 41.138.186.107
Host 107.186.138.41.in-addr.arpa. not found: 3(NXDOMAIN)

% whois 41.138.186.107
% This is the AfriNIC Whois server.

% Information related to '41.138.160.0 - 41.138.191.255'

inetnum:        41.138.160.0 - 41.138.191.255
netname:        VISAFONE-20090814
descr:          Visafone Communications Limited
country:        NG
admin-c:        FY2-AFRINIC
tech-c:         FY2-AFRINIC
org:            ORG-VCL3-AFRINIC
status:         ALLOCATED PA
mnt-by:         AFRINIC-HM-MNT
mnt-lower:      VISAFONE-MNT
source:         AFRINIC # Filtered
parent:         41.0.0.0 - 41.255.255.255

organisation:   ORG-VCL3-AFRINIC
org-name:       Visafone Communications Limited
org-type:       LIR
country:        NG
address:        12, Ologun Agbaje Street
address:        Victoria Island
address:        Lagos
e-mail:         simon@cybaaspace.net
e-mail:         simon.ogwujiakwu@visafone.com.ng
phone:          +2347025551211
fax-no:         +23412624287
admin-c:        FY2-AFRINIC
tech-c:         FY2-AFRINIC
mnt-ref:        AFRINIC-HM-MNT
mnt-ref:        VISAFONE-MNT
mnt-by:         AFRINIC-HM-MNT
source:         AFRINIC # Filtered

person:         Fred Young
nic-hdl:        FY2-AFRINIC
address:        33 Saka Tinubu Street
address:        Victoria Island
address:        Lagos Nigeria
address:        Lagos
address:        Nigeria
e-mail:         simon@cybaaspace.net
e-mail:         simon.ogwujiakwu@visafone.com.ng
phone:          +2347025551211
fax-no:         +23412624287
source:         AFRINIC # Filtered

% whois lunarpages.com
[... output trimmed ...]
   Domain Name: LUNARPAGES.COM
   Registrar: TUCOWS INC.
   Whois Server: whois.tucows.com
   Referral URL: http://domainhelp.opensrs.net
   Name Server: NS0.LUNARSERVERS.COM
   Name Server: NS1.LUNARPAGES.COM
   Name Server: NS2.LUNARPAGES.COM
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 17-mar-2009
   Creation Date: 29-mar-2001
   Expiration Date: 29-mar-2014

Registrant:
 Add2Net Inc.
 1360 N Hancock St.
 Anaheim, CA 92807
 US

Domain name: LUNARPAGES.COM

Administrative Contact:
 Web Hosting, Lunarpages  domains@lunarpages.com
 1360 N Hancock St.
 Anaheim, CA 92807
 US
 +1.7145218150  Fax: +1.7145218195
Technical Contact:
 Web Hosting, Lunarpages  domains@lunarpages.com
 1360 N Hancock St.
 Anaheim, CA 92807
 US
 +1.7145218150  Fax: +1.7145218195
[... output trimmed ...]

% whois usindh.edu.pk
This TLD has no whois server, but you can access the whois database at http://www.pknic.net.pk/
There's all the information we need to explain this!
The scammer was on a machine using IP address 41.138.186.107. That IP address does not resolve back to a fully qualified domain name, but we can see that it is one of a block of 8,192 addresses assigned to Visafone Communications Ltd of Lagos, Nigeria: 41.138.160.0 through 41.138.191.255, or 41.138.160.0/18 in modern notation.
The scammer used the machine at 67.210.126.45 as a web mail relay. The scammer connected to the HTTP service running on usindh.edu.pk, which resolves to IP address 67.210.126.45.
These first two discoveries come from the first (bottom-most) "Received" field:
Received: from 41.138.186.107 ([41.138.186.107]) by usindh.edu.pk (Horde MIME library) with HTTP; Sat, 20 Feb 2010 13:07:10 -0800
The connection to the HTTP service generated a Message-ID of:
20100220130710.2jc06olc2swgowkw@usindh.edu.pk
Someone at that host should be able to figure out if they logged in using stolen credentials, or if the web mail service is just wide open for anyone to abuse.
Notice the reference to "Horde MIME library". There have been a number of advisories about vulnerabilities in this product. For example, Secunia Advisory SA31842. Google reports "about 4,420" results for a search for:
horde mime library advisory
The hostname usindh.edu.pk belongs to the University of Sindh in Pakistan.
Lunarpages is a web-hosting company using virtual hosting: it listens on one IP address and serves out different sites depending on the requested server name. So while usindh.edu.pk resolves to 67.210.126.45, http://usindh.edu.pk/ gets you the University of Sindh while http://67.210.126.45/ gets you the Lunarpages web-hosting company, and your browser is redirected from that IP address to www.lunarpages.com, which is at a completely different IP address, 74.50.4.210.
The traceroute utility suggests that 74.50.4.210 is in Las Vegas while their web hosting server, at 67.210.126.45, is in San Diego.
The second "hop" was within the Lunarpages server, from the buggy or misconfigured web mail service to the Exim mail server process. This is not a hop between hosts, but a TCP connection from the web service process to the mail service process within the same machine:
Received: from localhost ([127.0.0.1]) by andromeda.lunarpages.com with esmtpa (Exim 4.69) (envelope-from <webmasters@ecn.purdue.edu>) id 1NiwXe-0008GY-UJ; Sat, 20 Feb 2010 13:07:10 -0800
The third hop then moved it from Lunarpages to Purdue:
Received: from andromeda.lunarpages.com (andromeda.lunarpages.com [67.210.126.45]) by rvl4.ecn.purdue.edu (8.14.4/8.14.2) with ESMTP id o1KL7M6j022107 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <cromwe11@rvl4.ecn.purdue.edu>; Sat, 20 Feb 2010 16:07:43 -0500 (EST)
So: a scammer based in Lagos, Nigeria abused a web server for a university in Sindh, Pakistan (but hosted in San Diego, California or maybe Las Vegas, Nevada) to launch a narrowly targeted attack on a university in Indiana (which is one of those fairly anonymous states in the east-central U.S. and south of the Great Lakes).
The remaining mystery: did the scammer really control the address webmasterserver@mail2webmaster.com, where the hoped-for naive responses would go?