Yesterday I was phished

Discussion in 'Current Events' started by jscheef, May 28, 2011.

  1. jscheef

    jscheef Administrator
    Staff Member

    Joined:
    Dec 4, 2008
    Messages:
    69
    Likes Received:
    0
The other day I got suckered by falling into the typical phishing scenario - I'm expecting a package and an email arrives about how my package has arrived. I was so phished that I went to the garage looking for the package. When there was no package, I went right back to that email and clicked the link to find my package. Even the fact that the link was not actually going to ups.com did not deter me.

    Here is the visible text of the message,
    =======
    Dear client
    Your package has arrived.
    The tracking # is : 392869B2DAEB9292 and can be used at :
    http://www.ups.com/tracking/tracking.html
    The shipping invoice can be downloaded from :
    http://www.ups.com/tracking/invoices/download.aspx?invoice_id=392869B2DAEB9292

    Thank you,
    United Parcel Service
    *** This is an automatically generated email, please do not reply ***
    ======
    Naturally the URLs were links; the actual address under the first link is:
    http://upsclients.org/tracking.php?tp=(censored) Note: do not click or paste this into your browser unless you are prepared to stop any resulting actions!! The actual address under the second URL has a similar but different address. The natural inclination would be to click the second link when the first one "failed" - continue reading...

When the page opened to a fake 404 error, I knew the worst and started to look for the damage. First I saved the source of the web page (available on request), which included some highly obfuscated JavaScript. When I tried to decipher the JavaScript, I realized that I was not up to the task. Instead I looked to see if anything had been added to run when the computer next rebooted. For this task I use the Autoruns utility from SysInternals (www.sysinternals.com, which redirects to Microsoft). Some looking soon uncovered a program installed in an "unusual" location with a nonsense name and set to run on bootup. Deleting the program removed the immediate threat.

    I do not know what would happen had the program run. It is highly likely I would be part of a botnet right now.

    Does anyone have similar experiences to relate?

    Jim

(Moderator Note: I obfuscated the link to the malicious web site for safety's sake, Jeff)
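The tell in Jim's message was that the visible text of each link was a ups.com URL while the href underneath pointed at a look-alike domain. The following is an added example, not code from the thread: it parses an HTML message body and reports every anchor whose displayed text is itself a URL naming a different host than the one the href actually goes to. The sample message is constructed here to mirror the lure quoted above (the upsclients.org paths and the "REDACTED" query values are placeholders, not the real ones).

```python
"""Flag HTML e-mail links whose visible text is a URL on a different host
than the href actually points to (the classic phishing mismatch)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the UPS lure quoted in the post above.
# The displayed text says ups.com; the href goes to a look-alike domain.
# Paths and query values are placeholders, not the real ones.
SAMPLE_EMAIL_HTML = """
<p>Dear client<br>Your package has arrived.</p>
<p>The tracking # is : 392869B2DAEB9292 and can be used at :
<a href="http://upsclients.org/tracking.php?tp=REDACTED">http://www.ups.com/tracking/tracking.html</a></p>
<p>The shipping invoice can be downloaded from :
<a href="http://upsclients.org/invoice.php?id=REDACTED">http://www.ups.com/tracking/invoices/download.aspx?invoice_id=392869B2DAEB9292</a></p>
<p>Questions? <a href="https://www.ups.com/help">https://www.ups.com/help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible_text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url):
    """Lower-cased hostname with a leading 'www.' stripped; None if the
    string is not an http(s) URL (e.g. plain link text like 'Track here')."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    host = parsed.hostname.lower()
    return host[4:] if host.startswith("www.") else host


def find_mismatched_links(html):
    """Return (displayed_host, actual_host, href) for each anchor whose
    visible text is itself a URL naming a different host than the href."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = registrable_host(text)
        actual = registrable_host(href)
        if shown and actual and shown != actual:
            findings.append((shown, actual, href))
    return findings


if __name__ == "__main__":
    for shown, actual, href in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"displayed {shown!r} but href points to {actual!r}: {href}")
```

Run against the sample, the two UPS-looking links are reported and the genuine ups.com help link is not. Only anchors whose visible text is a URL are compared, because a link labelled "Track here" carries no displayed host to disagree with; a mail gateway or a user-facing "show real destination" hover does the same comparison.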
     
  2. jasetaro

    jasetaro Administrator
    Staff Member

    Joined:
    May 20, 2011
    Messages:
    176
    Likes Received:
    0
I've seen a few dozen similar messages; they were discussed on various InfoSec blogs a week or so ago... I've seen variants claiming to contain tracking information from UPS, FedEx or DHL. Some contain attachments, others links to bogus/malicious web sites... The bottom line is make sure you keep your system patched and use caution when following links in unexpected e-mails.

I'd suggest submitting the message to anti-malware developers so they can investigate and hopefully get the site shut down... Instructions vary by vendor; you can find instructions for submitting the message to F-Secure here.

    FWIW the registration information for the upsclients.org web site is:

    Registrant ID:hc537127869-cn
    Registrant Name:zou wen
    Registrant Organization:zouwen
    Registrant Street1:Shang Hai
    Registrant Street2:
    Registrant Street3:
    Registrant City:SH
    Registrant State/Province:SH
    Registrant Postal Code:200085
    Registrant Country:CN
    Registrant Phone:+021.39042343
    Registrant Phone Ext.:
    Registrant FAX:+021.39042343
    Registrant FAX Ext.:
    Registrant ***************@hotmail.com

No surprise there, most of these scams seem to link back to Russia or China.
     
  3. jscheef

    jscheef Administrator
    Staff Member

    Joined:
    Dec 4, 2008
    Messages:
    69
    Likes Received:
    0
    Jeff,

By "shut the site down", do you mean kill their domain registration? I didn't look up their IP address but I assume the actual site is in China. How can a registrar located in China register a .org domain name?

    Jim
     
  4. jasetaro

    jasetaro Administrator
    Staff Member

    Joined:
    May 20, 2011
    Messages:
    176
    Likes Received:
    0
Jim, I'm not sure of all the intricacies involved, but the InfoSec community has been fairly successful at getting phishing sites shut down... If nothing else they'll be able to identify the exploit being used and add the malware it's pushing to their detection databases.
     