Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Logical & Physical Security Correlation

Published: 2017-03-28
Last Updated: 2017-03-29 06:55:52 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Today, I would like to review an example how we can improve our daily security operations or, for our users, how to help in detecting suspicious content. Last week, I received the following email in my corporate mailbox. The mail is written in French but easy to understand: It is a notification regarding a failed delivery (they pretended that nobody was present at the delivery address to pick up the goods).

To be honest, I hesitated a few seconds about the legitimacy of this message. For the following reasons:

  • I'm doing a lot of online shopping and deliver at my company address
  • The email address used was a "corporate" address that I'm protecting and not using outside contacting my customers.
  • My name, company name, address were correct
  • The mail was in good French, no typo
  • There are plenty of companies busy in this field, you do not know in advance which company will deliver your packet

The reflex is to visit the website but I got this message:

The first thought was that the website was indeed compromised and the owner closed it temporary. But the malicious Office document referenced in the mail was still available! So, the website was not cleaned yet. I tried to find a contact in the company to report the problem. Google did not know “Duprat Logistics” in Belgium. If it's unknown to Google, it's really strange. It looked like a fake company. The name of the person mentioned in the mail was unknown on LinkedIn. The postal address does not exist. Another evidence:

Domain Name: dupratlogistics.com
Registry Domain ID:
Registrar WHOIS Server: whois.regtons.com
Registrar URL: http://regtons.com
Updated Date:
Creation Date: 2017-03-17T00:00:00Z
Registrar Registration Expiration Date: 2018-03-17T00:00:00Z
Registrar: GRANSY S.R.O D/B/A SUBREG.CZ
Registrar IANA ID: 1505
Registrar Abuse Contact Email: abuse@regtons.com
Registrar Abuse Contact Phone: +420.734463373
Reseller: ??????? ?????? ?????????
Registry Registrant ID: G-987982
Registrant Name: Jarred Ewing
Registrant Organization:
Registrant Street: Smaratun 60
Registrant City: Vik
Registrant State/Province: Vik
Registrant Postal Code: 870
Registrant Country: IS
Registrant Phone: +354.4701571
Registrant Phone Ext: None
Registrant Fax:
Registrant Fax Ext:
Registrant Email: JarredEwing@mail2tor.com
Registry Admin ID: G-987982

The domain has been registered the 17th of March! Have a look at the email address (mail2tor.com). The reseller field contains Cyrillic characters.

But the mail claimed that they visited my place the 21st of March at 11:32. Unfortunately for them, I’ve a CCTV and this is the picture was taken at this time. Nobody was present (of course, I checked in the interval of -1h / +1h).

The rest of story is classic. As you can imagine, the document was malicious (MD5: 9a9f84d7ade2e2802c1b2b584b668046). The macro downloaded a PE file from hxxp://185.145.129.70/ini.xyz.

I'm not aware of other companies targeted by the same email in Belgium but this was a very nice attempt. To conclude, there are many ways to defeat such phishing attempts by correlating information from multiple sources (logical and physical). It's time consuming but here are a few examples:

  • Check the domain name registration details (via a whois[1] server)
  • Search for addresses, names on Google
  • Geolocate IP address of the fake website
  • Cross check activities with CCTV, badge readers, etc.

Stay safe!

[1] https://www.whois.net/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Keywords: phishing spam
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Symantec vs. Google: The CA Fight Continues. What do you need to know?
Mar 27th 2017
1 day ago by Johannes (2 comments)

Distraction as a Service
Mar 25th 2017
3 days ago by Russell (6 comments)

Nicely Obfuscated JavaScript Sample
Mar 24th 2017
4 days ago by Xme (3 comments)

SSMA Usage
Mar 23rd 2017
6 days ago by Tom (1 comment)

"Blank Slate" malspam still pushing Cerber ransomware
Mar 22nd 2017
6 days ago by Brad (2 comments)

View All Diaries →

Latest Discussions

Preventing outside sources accessing the local network via open ports on a networked printer.
created Mar 28th 2017
18 hours ago by mrectek (1 reply)

Very High DNS traffic
created Mar 26th 2017
2 days ago by Anonymous (0 replies)

Abnormal DNS Volumes
created Mar 26th 2017
3 days ago by Anonymous (2 replies)

"Insecure" technical requirements for online course?
created Mar 24th 2017
4 days ago by Marko (1 reply)

CTI Summit Keynote - Cliff Stoll - (Still) Stalking the Wily Hacker
created Mar 11th 2017
2 weeks ago by Russell (1 reply)

View All Forums →

Latest News

View All News →

Top Diaries

Malspam with password-protected Word documents
Mar 21st 2017
1 week ago by Brad (12 comments)

Dyn.com DDoS Attack
Oct 21st 2016
5 months ago by Johannes (9 comments)

Distraction as a Service
Mar 25th 2017
3 days ago by Russell (6 comments)

Microsoft Patch Tuesday Delayed
Feb 18th 2017
1 month ago by Johannes (7 comments)

How was your stay at the Hotel La Playa?
Feb 18th 2017
1 month ago by Xme (9 comments)