Fun With Phishing
Last weekend I was going through my spam folder on one of my email accounts and I noticed something "phishy". I had received an email from a friend that was pretty much blank but had a Bit.ly link in the middle of the body of the message. Now, I knew that this email was garbage, but what stuck out to me was the CC of other recipients matched some other legitimate email address of other people that I know as well. So, something was up. I wasn't sure if this person's email account got compromised directly, or if the reply-to email account had been in contact with my friend and then their account was compromised. Regardless, I felt the need to investigate and try to unpack what was going on.
As with any good phishing email, I cracked open the headers and started rooting around to see IP addresses and what not. Digging through the headers I could find the sending IP and looks like it appeared to be on a bluehost server
Received: from [188[.]168[.]20[.]6] (port=33982 helo=techcold[.]com) by box5421[.]bluehost[.]com with esmtpa (Exim 4.94.2) (envelope-from <xxxxxxxxxxx@techcold[.]com>) id 1nQHHw-000Rwz-AG; Fri, 04 Mar 2022 16:24:44 -0700
I did an ARIN lookup for that IP address after looking through the whois, the abuse contact came back to the Russian Federation:
So that was fun. I did a bit more digging into the body of the message which looked like this:
But really has all of this in it:
I un-shortened the Bitly link and this was the result:
So, as it appears, there's possibly a compromised server sending out links from the Russian Federation with URL's that contain elements about PAKUKRAINECENTER.
At this point, I notified my friend about it and informed him that they should probably reset their passwords on their email account. I also reached out to Bluehost abuse and sent them the report as well. I have to say that regardless of the circumstance, that I'm kinda happy at my little DIFR and never really thought that I would need to use any of those techniques for myself.
- Previous: Adventures in Proxmox