I want to introduce you all to my fun little dilemma. I have a phishing email to analyse and it’s stumped me!
The email basically consists of a URL from a spoofed email address specifically targeted towards the victim. I am not concerned for the origin right now. However, I am interested in the overall objective.
The payload does not fit the likes of a typical phishing email, and I must be missing the trick. Usually URL’s in phishing emails direct the victim to a credential stealing or malware dropping web pages. In this example so far, to my understanding this is not the case.
The URL I am looking at is: http://www.berkaril.com/document.php?busy=25gaeu8wbdk7zb1
Instead the attacker wants to troll its victims with a plethora of quotes and one liners which change every time you refresh the page.
In some cases, these are quite funny. But I cannot see the benefit for the attacker, why conduct a phishing campaign to tell the victim that their “web fu is very good. Let’s Fight. – Bruce Sherrod”
This URL has intrigued and hence reaching out to you good folk!
Firstly I want to make note of what I want to accomplish and why:
1. I believe that it is highly likely that there is another objective to this website and I think that it might be designed to deliver a malicious payload to a victim. I would like to understand this objective.
2. I want to improve my “web Fu” as the trolling website has provoked me to do. These exercises keep you current.
3. I am just plainly curious.
So my investigation thus far:
• The URL in the phishing email “www.berkaril.com/document.php?busy=25gaeu8wbdk7zb1
• The domain registration is situated in Turkey
• The website is hosted under the IP address of 220.127.116.11 along with 10 other sites
• The domain Registrar is Aerotek Bilisim Sanayi ve Ticaret AS
• The website is coded in PHP which suggests that the page I am displayed is the result of a PHP code being run and I am seeing the output. (I would like to analyse the PHP code to determine if there are any malicious payloads it tries to drop anyone know how I can do that?)
• I have tried to browse the website on a virtual machine using a sandboxed internet browser (Firefox)
So I plan to run on a physical machine a sandbox to see if the results vary to identify if there is any logic to identify virtualised environments.
Looking forward to your messages
Apr 27th 2017
1 year ago