Looking at the phishing email I received the other day telling me that my PayPal account had been suspended the next step in my investigation is to determine how it reached my inbox.
There are many good resources available that describe manual email header analysis. To start out take a look at this article at Forensic Focus. This is a short read that is good introduction to reading email headers.
Next I’ll point you at a good article titled “What all the stuff in email headers means—and how to sniff out spoofing” at Ars Technica. Jim Salter is a good technical writer and he did all his homework writing this article.
I also recommend these couple of articles (first, second) on email forensics by Peter Matkovski on Medium (paywall?). He said up front that he was going to break the analysis into three parts but doesn’t seem to have gotten to part three, the attachments just yet. Still very good reading.
I’m all for line by line analysis when I have the time. Problem is I rarely have the time so I often use web based message header analysis tools. I looked at and compared three different web based email message header analysis tools recently.
The Trace Email tool at DNSChecker (https://dnschecker.org/email-header-analyzer.php) analyzes based on the IP source where the submitted message came from. The report includes host information including a threat level assessment and a whois lookup. The folks at DNS Checker offer a wide variety of tools and this is just one of perhaps 2 dozen.
The ‘Analyze Headers’ capability at MXtoolbox (https://mxtoolbox.com/EmailHeaders.aspx) is more comprehensive. It takes a little longer to execute but this tool examines the SPF and DKIM information in the submitted headers and presents a more complete report. A unique feature of this tool is the link at the bottom of the report page ‘Permanently forget this email header’.
Google Admin Toolbox
The Google Admin Toolbox Message Header tool (https://toolbox.googleapps.com/apps/messageheader/ ) is as fast as DNSChecker and provides a pass/fail check of SPF, DKIM, and DMARC information.
Summing up DNSChecker will tell you about the IP source. MXToolbox provides the most analysis of the header and reports on SPF and DKIM. The Google Admin Toolbox Message Header tool was the only one here that reported on SPF, DKIM, and DMARC.
I received a really authentic looking email message today telling me that my PayPal account had been suspended.
Only problem was that he email address the message was sent to doesn’t actually have a PayPal account associated with it. But given the effort that must have been taken to undertake this campaign I thought I’d investigate. Fair warning: I have worked in cyber security for years and analyzed hundreds of emails. I examine information from the email messages and strongly suggest you never follow any URL to the host site.
The first step was to look at the sender’s email address (xqxjtfd at hwgnbiftch dot xxzk8aish dot com). This turned out to be of no real value. It was not from the PayPal domain and running the domain it was from through VirusTotal yielded little information other than the domain ‘xxzkaish dot com’ was likely dynamically generated. None of the VirusTotal engines saw this as malicious.
The next step was to look at the link in the email message itself. Putting myself in the threat actors shoes for a moment what they were trying to do is to elicit an ‘aw shit’ emotion and get the reader to click on the PayPal login link in the message. That ‘Login to PayPal’ link in the message was interesting in that it resolved to LinkedIn dot com.
LinkedIn does offer a URL shortening capability. In fact if you share a link that is longer than 26 characters in a LinkedIn post they automatically shorten the URL. Note: I have contacted LinkedIn Support asking if this is a genuine LinkedIn shortened URL and if they can share with me the post or profile that the URL was generated from. From the safety of a virtual sandbox I followed this LinkedIn URL.
As you can see the LinkedIn shortened URL produces a recent screen copy of the PayPal login screen. The big red flag is the URL for that login page being from the’kozow dot com’ domain. As of this writing running the complete domain ‘aotsuruz0e dot kozow dot com’ through VirusTotal resulted in three engines identifying this as either phishing (Emsisoft and Google Safebrowsing) or malicious (Netcraft). Running just the top level domain ‘kozow dot com’ through VirusTotal resulted in just two engines (Emsisoft and Netcraft) producing results.
Going further and looking at the words used I called up Google Translate. I believe that the sender email address was likely dynamically generated and resulted in no translation. The domain used to display the PayPal login used two words. The word ‘aotsuruz0e’ did not translate (parsing the word differently did return ‘blue crane zoe’ in Japanese) and “kozow’ in Polish translates to ‘goat’ in English.
I believe that the domain ‘kozow dot com’ has likely been hacked and is in the hands of one or more threat actors. My recommendation is that domain be blacklisted by Internet Firewalls.
I had the opportunity to attend the Security Onion 2020 User Conference yesterday. This was a two plus hour virtual event this year due to the pandemic. The Security Onion Solutions team did a really great job both logistically via WebEx and Discord. The team did well content wise too; packing an extraordinary amount of news about the new version along with a thorough walk through of many of the useful capabilities of the new version of this commercially supported open source network security monitoring solution. It was announced that Security Onion v2 (actually 2.3) has reached General Availability (GA) release status and (sadly) that the previous version Security Onion 16.04 will go end of life in April of 2021.