Tuesday, September 18, 2018

Green Boxes and Spam: Spoofing with Subjects and Recipients Stolen from Spoofee's Email Accounts

The COM spammers are back, wreaking havoc on email domains that lack spoofing protection (no enforced SPF, DKIM or DMARC policy).

The latest escapade is spoofed messages sent with subject lines stolen from the spoofee's own mailbox.  In a campaign apparently beginning in mid-summer 2018, every message contains a green box: an image that carries a short line of text and functions as a link.  Figure 1 below shows a typical box.

Figure 1.  A green box present in spoofed emails.

The quality of the graphic of the green box is poor.  The corners of the box are pixelated if the image is enlarged.

The text inside the green box has included these variants:
  • Click here to view this message
  • Click here to open full message
  • Click here to open this message
The campaign is sophisticated and has significant resources behind it: harvested subjects and recipient lists, a steady supply of freshly registered domains, and landing content that is swapped out over time.

What makes this campaign unique is that each message reuses a subject line stolen from the mailbox of the person being spoofed, and is sent to the same recipients as that original message.  The result looks familiar to the recipient: the spoofed message appears to come from someone they know, under a subject that has already passed between the apparent sender and the recipient.

The link from the green box goes to a domain which has been newly registered within the past few weeks.  Examples include:
  • msgreload5.review
  • portalread5.review
  • usermsgreadt.review
  • webmail4.icu
The link may serve different content at different times.  Shortly after the message is received, it typically leads to a look-alike login page carrying the target university's logo, built to collect user names and passwords.  Some hours later the same link may serve the pill-selling content more typical of the COM spammers' operations, and after a number of days the domain usually stops resolving entirely.
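The traits described above (an authentication-failing sender, a body that is nothing but one image link, lure text of the "Click here to view this message" form, and a destination on a throwaway TLD such as .review or .icu) can be turned into a simple mail-gateway triage check.  The script below is an added example, not code from the original post; the two sample messages, the mail domains in them and the header values are constructed for the example, and the TLD list is just the two TLDs seen in the domains listed above.

```python
"""Triage heuristics for the green-box spoofing campaign (added example).

Parses a raw RFC 5322 message and returns the list of campaign traits it
exhibits: SPF/DMARC failure for the visible From: domain, Return-Path on a
different domain, a link whose text matches the lure wording, a link host
on a TLD used by the campaign, and an HTML body consisting of links only.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# TLDs of the link domains listed in the post (assumption: extend as seen).
CAMPAIGN_TLDS = {"review", "icu"}

# The three lure texts reported in the post, as one pattern.
LURE_TEXT_RE = re.compile(
    r"click here to (view|open) (this|full) message", re.IGNORECASE)

# Constructed sample: visible From: is a university user, but the message
# came from elsewhere and failed SPF and DMARC at the receiving gateway.
SAMPLE_SPOOFED = b"""\
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=bulk-sender.example.net; dkim=none; dmarc=fail header.from=example.edu
Return-Path: <bounce@bulk-sender.example.net>
From: "Jane Doe" <jdoe@example.edu>
To: <colleague@example.edu>
Subject: RE: Committee minutes from last week
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://msgreload5.review/read"><img src="cid:greenbox" alt="Click here to view this message"></a>
</body></html>
"""

# Constructed sample: the genuine message the subject was lifted from.
SAMPLE_CLEAN = b"""\
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=example.edu; dkim=pass; dmarc=pass header.from=example.edu
Return-Path: <jdoe@example.edu>
From: "Jane Doe" <jdoe@example.edu>
To: <colleague@example.edu>
Subject: Committee minutes from last week
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Minutes attached to the shared drive, see you Thursday.
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) per <a>, counting <img alt> as text."""

    def __init__(self):
        super().__init__()
        self.links = []              # (href, text) for each anchor
        self.text_outside_links = [] # data not inside any anchor
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "img" and self._href is not None:
            self._text.append(a.get("alt", ""))

    def handle_data(self, data):
        (self._text if self._href is not None
         else self.text_outside_links).append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def auth_results(msg):
    """Map spf/dkim/dmarc -> result from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(header)):
            results[m.group(1)] = m.group(2).lower()
    return results


def addr_domain(value):
    """Domain part of the first address in a header value ('' if none)."""
    m = re.search(r"@([\w.-]+)", str(value or ""))
    return m.group(1).lower() if m else ""


def triage(raw_bytes):
    """Return human-readable reasons the message looks like the campaign."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    from_dom = addr_domain(msg["From"])
    rp_dom = addr_domain(msg["Return-Path"])
    auth = auth_results(msg)
    for mech in ("spf", "dmarc"):
        if auth.get(mech) == "fail":
            reasons.append(f"{mech} failed for {from_dom}")
    if from_dom and rp_dom and rp_dom != from_dom:
        reasons.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            host = (urlparse(href).hostname or "").lower()
            tld = host.rsplit(".", 1)[-1]
            if tld in CAMPAIGN_TLDS:
                reasons.append(f"link to {host} uses campaign TLD .{tld}")
            if LURE_TEXT_RE.search(text):
                reasons.append(f"link text matches campaign lure: {text!r}")
        if parser.links and not "".join(parser.text_outside_links).strip():
            reasons.append("HTML body consists of links only (image-only lure)")
    return reasons


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(label, "->", triage(sample) or ["no campaign traits"])
```

Any single trait here is weak on its own (a legitimate newsletter can be one image link), so the point of returning the full list is to score or quarantine on the combination: an authentication failure plus the lure text plus a campaign TLD is a far stronger signal than any one of them.  The subject and recipient reuse that makes this campaign convincing is invisible to a content check like this, which is exactly why the sender domain's SPF, DKIM and DMARC configuration matters.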

Table 2 below lists some of the universities that have reported cases of this spoofing since July 2018.  Several institutions report multiple waves of spam arriving days or weeks apart.

Table 2.  Schools, colleges and universities warning their users about the green-box spam and associated phishing.

Date reported                   Institution
September 9th 2018              Anhui University
September 12th and 18th 2018    Baylor University
September 5th 2018              Bauhaus-Universität Weimar
September 4th 2018              Binghamton University
August 31st 2018                Drake University
September 9th 2018              European Molecular Biology Lab, Heidelberg, Germany
August 21st 2018                Ithaca College (Duo cited as response)
September 23rd 2018             Kansas State University
September 25th 2018             Kesteven and Grantham Girls' School, Grantham, England
August 31st 2018                McGill, Montreal, Canada
July 15th 2018                  National Taiwan University
September 9th 2018              Peking University Health Science Center, China
September 5th 2018              Plymouth State University, New Hampshire
August 20th 2018                Ritsumei University
August 28th 2018                Queen's University, Kingston, Ontario, Canada
August 18th 2018                State University of New York, Cortland
September 12th 2018             Universidade de Lisboa, Portugal
August 21st 2018                University of Calgary
August 21st 2018                University of Florida
August 29th 2018                University of Missouri
August 30th 2018                University of Oregon
August 17th 2018                University of Pittsburgh
July 14th 2018                  University of Sydney
September 11th 2018             Universität Ulm
