04/02/2012

New Phishing Tricks by the Bad Guys



UPDATE: Looks like I'm not the only one getting these emails!

Dancho Danchev at Webroot also has a great blog post on these emails, titled Spamvertised 'US Airways' themed emails serving client side exploits and malware.

One bit of good news/bad news on them: we can be even more certain that the domain owner shown in my post is an innocent victim, too, as Dancho's blog shows many other URLs being used for serving the malware. In fact, his blog post doesn't even mention the domain name that was in the email I received.


Sometimes, you really just have to laugh.

I got a phishing spam today. Really, you might even call it a spear-phishing spam, given that it had my name and email address correct.

It was an email that looked every bit like a legitimate Check-in Confirmation email from US Airways. The problem: I'm not traveling anytime soon, so I know it's a fake.

Here's what it looked like:



Examining the link shows it was destined to go to an Indian website (.in) that's registered with the following info:

Domain ID:D5073610-AFIN
Domain Name:RUPEERUPAYA.IN
Created On:27-May-2011 21:14:29 UTC
Last Updated On:27-Jul-2011 19:20:22 UTC
Expiration Date:27-May-2012 21:14:29 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R101-AFIN)
Registrant ID:CR84151356
Registrant Name:ian jamieson
Registrant Organization:perdita & pongo llc
Registrant Street1:po box 2225
Registrant City:manchester ctr.
Registrant State/Province:Vermont
Registrant Postal Code:05255
Registrant Country:US
Registrant Phone:+1.8022360304
Registrant Email:ianpjamieson@gmail.com

Whether or not the registrant name is legit is anyone's guess, but the site is hosted at IP 184.168.172.1 by GoDaddy.

It's exceedingly rare for anyone to use their real info to host a phishing site, much less one hosted with a legitimate company like GoDaddy, so the domain has probably been compromised. Either that, or the registrant name is completely falsified.

The bottom line: don't click on links in emails, even if you think they're legit and from someone you know.

Instead, by right-clicking the link, you can copy it out of the email and paste it into Notepad. From there, it doesn't take a rocket scientist to see that this link is going to an Indian website (.in) and not to US Airways.
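The same check can be automated for a whole email rather than one link at a time. The script below is an added example written for this post; it is not code from the original article or from any of the products mentioned. It parses a constructed HTML email body (the lookalike domain and ticket parameter in it are placeholders, not the real phishing URL), extracts every anchor, and flags links whose host is not under the brand's domain or whose visible text shows a different domain than the href actually points to. The "registered domain" helper is a deliberate simplification that takes the last two labels of a hostname and ignores multi-label public suffixes such as co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body imitating a check-in confirmation.
# The visible text of the first link shows usairways.com, but its href goes
# to a placeholder .in domain (not the domain from the original email).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your check-in confirmation is ready.</p>
<p><a href="http://example-lookalike.in/index.html?ticket=123">
https://www.usairways.com/checkin</a></p>
<p><a href="https://www.usairways.com/travel-info">Travel information</a></p>
</body></html>
"""

# The brand the email claims to come from (assumed for this example).
EXPECTED_DOMAIN = "usairways.com"


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current_href = None
        self._current_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current_href = dict(attrs).get("href")
            self._current_text = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._current_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            text = " ".join("".join(self._current_text).split())
            self.links.append((self._current_href, text))
            self._current_href = None


def registered_domain(host):
    """Return the last two labels of a hostname ("www.usairways.com" -> "usairways.com").

    Simplification: multi-label public suffixes such as co.uk are not handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href, text, expected_domain=EXPECTED_DOMAIN):
    """Return a list of reasons the link looks suspicious (empty list means it looks fine)."""
    reasons = []
    host = urlparse(href).hostname or ""
    link_domain = registered_domain(host)
    if link_domain != expected_domain:
        reasons.append(f"href host {host!r} is not under {expected_domain}")
    # If the visible anchor text itself looks like a URL or domain, it must
    # agree with where the href really goes.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registered_domain(m.group(1)) != link_domain:
        reasons.append(f"visible text shows {m.group(1)!r} but link goes to {host!r}")
    return reasons


def inspect_email(html, expected_domain=EXPECTED_DOMAIN):
    """Parse an HTML email body and return {href: [reasons]} for suspicious links only."""
    parser = LinkCollector()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = classify_link(href, text, expected_domain)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in inspect_email(SAMPLE_EMAIL_HTML).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, only the first link is reported, with two reasons: its host is not under usairways.com, and its visible text advertises a different domain than the one it actually goes to. The second link, which genuinely points at usairways.com, is left alone.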

For a quick-and-dirty email, one has to wonder what kind of success rate they're having with this particular campaign. After all, it is a relatively clever bit of social engineering that some people will, no doubt, fall for.

Still, if you do get sucked into clicking a link like the one in this phishing email (or click it accidentally), this is where good antivirus software can make all the difference.

Here's what happens when you click this particular link, if you're running the 2012 VIPRE Internet Security Suite:



As you can see, VIPRE 2012 blocked it as a trojan, so there should be little doubt in your mind now. Between:
  1. the "US Airways" link mysteriously going to a .in website,
  2. the domain being registered to an "ian jamieson," and
  3. VIPRE ISS blocking the first thing on the site as a trojan,
this is a malicious website and a phishing/spear-phishing attack.

Now, it's time to contact GoDaddy to get the site yanked before more people get infected.

Oh, and in case you're wondering, here are the threat details from VIPRE: