Phishing attempts

Tracking the hackers

Every now and then I receive interesting emails at my very old (and, according to haveibeenpwned.com, hacked; I have changed the password since) email address, such as this one:

The purpose of today's assignment is simple: I wanted to know where it came from... Boy, was I in for a ride. The issue with this email is not an isolated one, as my partner also receives them, and she is not a really tech-savvy person, so for somebody like her this type of email can appear genuine. The logic behind this (badly/cleverly?) socially engineered message is that if you own an iDevice you definitely have an iCloud account with your debit card linked to it. Seeing an unauthorized payment coming from Apple would prompt you to investigate further, worried that your iCloud account could have been used by somebody else to make a purchase! The first reaction is to log in and investigate, of course, and the designers of the above email conveniently provided you with a "Login Now" link. How do I know it is not from Apple itself?

1) Sign number one: The title of the email message says: "RE : [ Invoice Received ] [ News Report Statement Alert ] Reminder: Your AppIelD was make a payment Invoice ID: 2950320884"

Comments: "RE" is usually attached automatically by a mail application in response to an email you have sent. There is just no way I could have sent an email regarding a purchase that has not been made. But let's assume an automated delivery message can sometimes add "RE".

2) Sign number two:

I needed to change the font to accentuate the visual intricacies of the formatting. As you can see above, the default font does a pretty good job of masquerading those little changes. Big props to the designers.

3) Sign number three: The email has been delivered from a strange address: <zb@delkonr.biz>. A Google search has not revealed any connections to it; it has not been used in the past, which means it was probably generated automatically from a bogus database.

4) Sign number four: We can also conclude that the person writing the above message was not a grammatically gifted one. He wrote: "AppIelD was make a payment"; did he mean that "AppleID was used to make a payment" or "AppleID has made a payment"? Call me a grammar Nazi, but I am sure the folks at Apple have a decent command of the English language.

Going deeper

Because I feel both brave and curious about the whole process of "phishing", I decided to follow the rabbit down its hole. "Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication." So let's follow the "Login Now" link, and we are presented with...

(A word of warning for everyone reading: this website is designed to steal anything you put in the Apple ID and password form. Do not do it, unless you can think of something funny to send, and even then it is not advisable; I would not recommend it to my friends or family.) Again, the website looks really genuine at first glance. However, upon further investigation we find that every single "clickable" link on this website brings us back to the main page. There are no separate pages for "contact us", "create your Apple ID", "learn more", etc. But that is irrelevant if you are concerned and your nerves get the better of you in the heat of the moment. The URL of this webpage is "https://appweb-temp.ml/page?ref=sign_in&path=/manage/&ssl_check=true&id_session=fPGF7zKmQeSxk8BZOT8pidXCOKzQDm2TcIykhiG8wzGRIhRwb0VueT72EGSh3Uag#", which brings us to the host: appweb-temp.ml
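The four signs above (the stray "RE" prefix, the capital-I-for-lowercase-l swap in "AppIelD", the unrelated sender domain and the non-Apple link host) can all be checked mechanically. The script below is an added example written for this post, not something the author ran or Apple provides; it uses the subject line, sender address and URL quoted above as constructed sample input, and the list of brand words and domains it treats as legitimate is an assumption. The look-alike check goes slightly beyond the single swap in the post by folding a few other commonly confused characters (1, |, 0) the same way.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the values quoted in the post above.
SAMPLE_SUBJECT = ("RE : [ Invoice Received ] [ News Report Statement Alert ] "
                  "Reminder: Your AppIelD was make a payment Invoice ID: 2950320884")
SAMPLE_SENDER = "zb@delkonr.biz"
SAMPLE_URL = ("https://appweb-temp.ml/page?ref=sign_in&path=/manage/&ssl_check=true"
              "&id_session=fPGF7zKmQeSxk8BZOT8pidXCOKzQDm2TcIykhiG8wzGRIhRwb0VueT72EGSh3Uag#")

# Assumption: brand words and domains a genuine Apple billing mail would use.
BRAND_WORDS = ("AppleID", "Apple", "iCloud")
BRAND_DOMAINS = ("apple.com", "icloud.com")

# Characters that look alike in a sans-serif font, folded to one representative.
# Capital I -> lowercase l is the swap used in "AppIelD"; the others are extras.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(word):
    """Collapse confusable characters, then lowercase, so a look-alike spelling
    of a brand produces the same string as the real spelling."""
    return word.translate(CONFUSABLES).lower()


def brand_lookalikes(text, brands=BRAND_WORDS):
    """Return (token, brand) pairs where a token has a brand's skeleton but is
    not the brand's real spelling. 'AppleID' passes; 'AppIelD' is flagged."""
    hits = []
    for token in re.findall(r"[A-Za-z0-9|]+", text):
        for brand in brands:
            if skeleton(token) == skeleton(brand) and token.lower() != brand.lower():
                hits.append((token, brand))
    return hits


def host_of(url):
    """Host part of a URL, lowercased, ignoring path and query noise."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def in_domains(host, domains):
    """True if host is one of the domains or a subdomain of one.
    'apple.com.evil.example' must not pass, so only suffix-with-dot counts."""
    return any(host == d or host.endswith("." + d) for d in domains)


def assess(subject, sender, url):
    """Return a list of indicator strings; an empty list means nothing found."""
    findings = []
    if re.match(r"\s*re\s*:", subject, re.I):
        findings.append("reply prefix on an unsolicited notification")
    for token, brand in brand_lookalikes(subject):
        findings.append(f"look-alike brand spelling {token!r} for {brand!r}")
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if not in_domains(sender_domain, BRAND_DOMAINS):
        findings.append(f"sender domain {sender_domain} is not a brand domain")
    host = host_of(url)
    if not in_domains(host, BRAND_DOMAINS):
        findings.append(f"link host {host} is not a brand domain")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_SUBJECT, SAMPLE_SENDER, SAMPLE_URL):
        print("-", finding)
```

Run against the sample input, all four indicators fire; a subject reading "Your receipt from Apple" sent from a host under apple.com produces none. The skeleton comparison is the important piece: lowercasing alone turns "AppIelD" into "appield", which no naive brand match catches, whereas folding I to l first makes the imposter and the real name collide and then the exact-spelling test separates them.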

which is not a default Apple address and on its own returns a "server not found" response. A Google search does not include any results for this address either, which should raise a red flag. However, the full link still resolves somehow, so the host must have an IP address and other details... Note: I thought long and hard about this before I decided to carry on with the further investigation. Any further findings would reveal PII (personally identifiable information). My mind entered a battle between what is illegal and what is moral, depending on your philosophical stance. Even though the people who created this website had "malicious" intent and could be called scallywags, it is not my intent here to bring them down or expose their whereabouts. After a persistent search and lots of Internet ju-jitsu my pursuit ended on a fruitful note. The scallywags have left a message. MaU NiKuNg YeAA :v~ [B]oca[H]sho[P]

Personally, I will politely decline. The end. UPDATE: the page has since been taken down. Who knows what happened to it.