SANS ISC: Curious Phishing Email - SANS Internet Storm Center SANS ISC InfoSec Forums

Curious Phishing Email
Hello all,

I want to introduce you all to my fun little dilemma. I have a phishing email to analyse and it’s stumped me!

The email basically consists of a URL from a spoofed email address specifically targeted towards the victim. I am not concerned for the origin right now. However, I am interested in the overall objective.

The payload does not fit the likes of a typical phishing email, and I must be missing the trick. Usually URLs in phishing emails direct the victim to credential-stealing or malware-dropping web pages. In this example, so far, to my understanding this is not the case.

The URL I am looking at is: http://www.berkaril.com/document.php?busy=25gaeu8wbdk7zb1

Instead the attacker wants to troll its victims with a plethora of quotes and one liners which change every time you refresh the page.

In some cases, these are quite funny. But I cannot see the benefit for the attacker: why conduct a phishing campaign to tell the victim that their “web fu is very good. Let’s Fight. – Bruce Sherrod”?

This URL has intrigued me, hence reaching out to you good folk!

Firstly I want to make note of what I want to accomplish and why:

1. I believe that it is highly likely that there is another objective to this website and I think that it might be designed to deliver a malicious payload to a victim. I would like to understand this objective.

2. I want to improve my “web Fu” as the trolling website has provoked me to do. These exercises keep you current.

3. I am just plainly curious.

So my investigation thus far:

• The URL in the phishing email: “www.berkaril.com/document.php?busy=25gaeu8wbdk7zb1”
• The domain registration is situated in Turkey
• The website is hosted under the IP address of 37.230.110.23 along with 10 other sites
• The domain Registrar is Aerotek Bilisim Sanayi ve Ticaret AS
• The website is coded in PHP, which suggests that the page I am shown is the result of PHP code being run and I am seeing the output. (I would like to analyse the PHP code to determine if there are any malicious payloads it tries to drop. Does anyone know how I can do that?)
• I have tried to browse the website on a virtual machine using a sandboxed internet browser (Firefox)

Next steps

So I plan to run a sandbox on a physical machine to see whether the results vary, to identify if there is any logic that detects virtualised environments.

Looking forward to your messages

Rich
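An added example (not from the original post or from ISC): a small Python probe that fetches a suspect URL several times under different client profiles, strips the rotating quote, and reports whether the page skeleton or its delivery markers differ between clients, which is the kind of client-dependent logic the post wants to rule out. The fetcher is injected, so the constructed `fake_fetch` stands in for the remote server; the profile headers, the `<blockquote>` assumption and the `.invalid` URLs are assumptions.

```python
import hashlib
import itertools
import re
from typing import Callable, Dict, List

# Client profiles to compare; header values are constructed for illustration.
PROFILES: Dict[str, Dict[str, str]] = {
    "desktop-firefox": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Firefox/115.0"},
    "headless-script": {"User-Agent": "python-requests/2.31"},
    "mobile-safari": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0) Safari/604.1"},
}
# Delivery mechanisms worth flagging if they appear for only some clients.
MARKERS = {"iframe": r"<iframe", "script-src": r"<script[^>]+src=",
           "meta-refresh": r"http-equiv=['\"]refresh", "js-redirect": r"location\.(href|replace)"}

def normalise(body: str) -> str:
    """Drop the rotating quote (assumed to sit in a <blockquote>) and collapse
    whitespace, so refreshes of the same page skeleton hash identically."""
    body = re.sub(r"<blockquote>.*?</blockquote>", "", body, flags=re.S)
    return re.sub(r"\s+", " ", body).strip()

def markers(body: str) -> List[str]:
    """Names of the delivery mechanisms present in a response body."""
    return [name for name, pat in MARKERS.items() if re.search(pat, body, re.I)]

def probe(url: str, fetch: Callable[[str, Dict[str, str]], str], repeats: int = 3) -> dict:
    """Fetch url `repeats` times per profile. Reports the distinct skeleton
    hashes each profile saw, the markers found, and whether the skeleton
    differs between profiles (a sign of client-dependent server logic)."""
    per_profile, found = {}, {}
    for name, headers in PROFILES.items():
        bodies = [fetch(url, headers) for _ in range(repeats)]
        per_profile[name] = sorted({hashlib.sha256(normalise(b).encode()).hexdigest()[:12] for b in bodies})
        found[name] = sorted({m for b in bodies for m in markers(b)})
    distinct = {h for hashes in per_profile.values() for h in hashes}
    return {"per_profile": per_profile, "markers": found, "cloaked": len(distinct) > 1}

# Constructed stand-in for the remote server: rotates a quote on every request
# and adds a hidden iframe only when the client looks like a desktop browser.
_QUOTES = itertools.cycle(["Your web fu is very good.", "Let's fight."])

def fake_fetch(url: str, headers: Dict[str, str]) -> str:
    page = f"<html><body><blockquote>{next(_QUOTES)}</blockquote></body></html>"
    if "Firefox" in headers.get("User-Agent", ""):
        page = page.replace("</body>", '<iframe src="http://payload.invalid/" hidden></iframe></body>')
    return page

if __name__ == "__main__":
    print(probe("http://example.invalid/document.php?busy=x", fake_fetch))
```

Swap `fake_fetch` for a real fetcher (for example one built on `urllib.request` inside an isolated analysis VM) to run the same comparison against a live URL.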