Net-”Filx”-shing

Atul Kabra
7 min read · Oct 23, 2019


Today is the holiday of Dusshera in India. It’s one of those festivals where one of our Gods killed a daemon dude, you know, “good-prevails-over-evil” kind of stuff. Actually this daemon guy, Ravana, sounds like kind of a cool character and might have been fun to hang out with, but then he made a pass at the God’s wife and well, we don’t take kindly to such things. Not in this country, No. (Maybe France??)

Anyways, we will get to that story some other time. For now, I am happy that it got us a holiday and, being close to the weekend, it just made for an extended weekend. As on most weekends, I was contemplating what kind of brew I should begin the day with, and the list of Netflix shows I had to catch up on, when I got an email in my inbox.

I know the first thought that came to your mind: “Who uses yahoo mail these days?”. Well, poor (and old) people do. So get past that.

Probably the second thought in your mind is ‘Geez, that’s a phishing email. Someone is trying to get your Netflix credentials’, and you know, you won’t be wrong. Having written about these sophisticated phishing techniques that leverage ‘https’, I didn’t find it too hard to spot this as one.

You might then say ‘delete the email’, but what kind of a sissy cyber security guy would I be if I didn’t dig into it deeper? As it is, it’s an extended weekend and there really isn’t a lot to do. So let’s go down the rabbit hole and maybe in the process give some tips to others on identifying such emails.

An easy, first-level tell in the email is the odd ‘i’ in Netflix, with a conspicuous diacritic dot over it.

Easy to miss, though. That dotted ‘i’ is not part of the standard ASCII character set, so the creators of the email are clearly substituting a Unicode look-alike for the real letter. (It is not punycode, by the way: punycode only exists for domain names. In mail headers, look-alike letters travel inside RFC 2047 encoded-words, the =?UTF-8?B?...?= blobs you will see in the raw headers below.) A small hover of the cursor and Revelio.

Let’s go one level deeper and see what the raw HTML contents of this email are and where its links might take us, especially when any of the buttons is clicked.

Here are the email headers:

From: =?UTF-8?B?zp1ldGbGluG7idGFLuG0hNC+bQ==?= <noreplayscustomer-72243-ornos@mail.65176.dataunumon.com>

Subject: =?UTF-8?B?UtC1OiBbIE7QtdC1ZCDOkdGBdNGW0L5uIF0gzqXOv3XQsyDJkeG0hOG0hM6/?= =?UTF-8?B?dW50IGjJkdGVIM6/biBozr/GlsmXIGbOv9CzINGAyZHRg21lbnQg0LNlyZE=?= =?UTF-8?B?ZXOv24sINGAxpZlyZHRlWUgddGAZMmRdGUg0YPOv3XQsyDRgMmR0YNtZW50?= =?UTF-8?B?IMmXZXTJkeG7icaW0ZUgxoVlZs6/cmUgzqR1ZSwgzp/htIR0zr/GhWXQsyA4?= =?UTF-8?B?ICcxOSBbUmVmLcaWRDo6T1A6MzU5MDEzXQ==?=

UTF-8, base64-encoded stuff?? Hmm. That is how RFC 2047 smuggles non-ASCII characters through headers that have to stay 7-bit, and decoding it is what turns the blobs back into the look-alike letters. Let’s go into the HTML body.

Content-Type: text/html; charset=UTF-8

Content-Transfer-Encoding: base64

Content-Length: 46850

PCFkb2N0eXBlIGh0bWw+CjxodG1sPgoKPGhlYWQ+CiAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICA8dGl0bGU+VE9EQVkgT05MWSEgVGFrZSA2MCUgT2ZmID1GMD05Rj05OT04QzwvdGl0bGU+

<snip/>

cDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8L2Rpdj4KPC9ib2R5PgoKPC9odG1sPg==

Whoa. The entire HTML rendering the email’s body is base64 encoded. That is perfectly legal (base64 is a standard Content-Transfer-Encoding and plenty of mailers use it for non-ASCII bodies), so on its own it is not a tell, but it does mean that nothing in the body is visible to a naive grep of the raw message. Let’s decode it and we get the proper HTML.

<!doctype html>

<html><head><meta charset="utf-8">

<title>TODAY ONLY! Take 60% Off =F0=9F=99=8C</title> <<< Interesting title: “=F0=9F=99=8C” is quoted-printable residue of the UTF-8 bytes for the 🙌 emoji (U+1F64C) sitting inside a base64 body, which suggests the HTML was lifted from a message that had once been quoted-printable encoded

<snip/>

</html>

Now let’s find some of the interesting stuff in this HTML. The first thing is that it has a few base64-encoded images. Here are the rows from which the content is rendered:

<td align="left" style="font-family:Helvetica, Arial, sans;font-weight:bold;font-size:32px;color: #221f1f;line-height:40px;padding: 25px 90px 10px 90px;"> Update Your Рауmеnt DеtаіƖѕ </td>

<td align="left" style="padding:22px 90px 0 90px;font-family:Helvetica Neue, Helvetica, Roboto, Segoe UI, sans-serif;font-size:18px;line-height:24px;-webkit-font-smoothing:antialiased;color: #221f1f;"> Wе’ге hаνіng ѕοmе tгοublе wіth уοuг сuггеnt b<FONT style="FONT-SIZE: 0px; COLOR: transparent">H4UegsL3yA</font>іl<FONT style="FONT-SIZE: 0px; COLOR: transparent">BgLm</font>l<FONT style="FONT-SIZE: 0px; COLOR: transparent">7458</font>іn<FONT style="FONT-SIZE: 0px; COLOR: transparent">NjNHtJ6pEt4m</font>g іnfοгmаtіοn. Wοuld уοu Ɩіκе tο геtгу гunnіnɡ уοuг сагɗ аɡаіn? </td>

Check the fonts used: the visible letters are mostly Cyrillic and Greek look-alikes rather than Latin ones, and the zero-size, transparent <FONT> runs chop the word “billing” into “b…il…l…in…g”. A reader never sees the junk in between, but a naive keyword filter looking for “billing” never sees the word. Now on to some interesting domain names:

<td style="color:rgb(169, 166, 166);font-family:Helvetica, Arial, sans;font-size:13px;line-height:16px;padding:15px 90px 0 90px"> ΡƖeɑѕe ɗо nоt гeρƖу tо tɦỉѕ emɑỉƖ, ɑѕ աe ɑгe unɑƅƖe tо гeѕρоnɗ fгоm tɦỉѕ emɑỉƖ ɑɗɗгeѕѕ. If уοu neeɗ ɦeƖρ οг աοuƖɗ Iỉke tο ᴄοntɑᴄt uѕ, ρƖeɑѕe ⱱỉѕỉt οuг НeƖρ ƇCenteг ɑt <a href="https://utm.io/ulKt?email=atul_kabra_20@yahoo.com&amp;idtrack=SivJLSfq&linkfol=helpurl" style="text-decoration: underline;color:rgb(169, 166, 166)">heIp.netfIx.com</a>

“help.netflx.com”??? Look closer: the anchor text is actually “heIp.netfIx.com”, with a capital I standing in for the l, and the href behind that text points at utm.io, not at any Netflix host at all.

Of course, my interest was in finding out where it would take me if I clicked on any of the payment-related embedded buttons.

<td style="padding:10px 16px;max-width:265px;border-radius:2px;"> <a href="https://utm.io/ulKt?email=atul_kabra_20@yahoo.com&amp;idtrack=SivJLSfq&linkfol=RetryPayment" style="color:#ffffff;font-family: Helvetica, Arial, sans;font-size:14px;font-weight:bold;text-align:center;text-decoration:none;font-size:16px;line-height:24px;font-weight:normal;text-align:center;text-decoration:none;font-family:Helvetica Neue, Helvetica, Roboto, Segoe UI, sans-serif;color:inherit;">RETRY PAYMENT</a></td>

So every button goes to utm.io, a link-tracking redirector (note the email= and idtrack= parameters in the query string: the sender learns exactly which recipient clicked which button), and from there it redirects to a Netflix look-alike page.
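As an added example (my own code, not anything from the original post or from PolyLogyx), here is a small Python script that does, on a constructed message, what was done by hand above: decode the RFC 2047 encoded-words in From and Subject, undo the base64 transfer encoding of the HTML body, strip the zero-size <FONT> filler, map a hand-picked subset of Unicode confusables back to ASCII so that “Νetflix” and “Рауmеnt” are recognised for what they pretend to be, and compare each link’s anchor text with the host the href really points at. The sample message, the confusables table (a tiny subset of Unicode’s confusables data, not the full list) and the utm.io/EXAMPLE placeholder links are all constructed for the demonstration.

```python
import base64
import re
import unicodedata
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hand-made subset of Unicode's confusables data: look-alike code points used in this
# kind of lure, mapped to the ASCII letter they imitate. Not the full table.
CONFUSABLES = {
    "\u039d": "N", "\u03bd": "v", "\u03bf": "o",                 # Greek Nu, nu, omicron
    "\u0420": "P", "\u0430": "a", "\u0435": "e", "\u0433": "r",  # Cyrillic Er, a, ie, ghe
    "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u043e": "o",  # Cyrillic u, i, dze, o
    "\u0196": "l",                                               # Latin capital iota
}
ZERO_SIZE = re.compile(r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em)?\s*(?:;|$)", re.I)
HOST_LIKE = re.compile(r"[\w.-]+\.[a-z]{2,}")

def encoded_word(text):
    """RFC 2047 'B' encoded-word: the =?UTF-8?B?...?= form seen in the lure's headers."""
    return "=?UTF-8?B?" + base64.b64encode(text.encode("utf-8")).decode("ascii") + "?="

def skeleton(text):
    """NFKC-normalise, then swap known confusables for the ASCII letters they imitate."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", text))

def lookalike(text, brand):
    """True when text only looks like the brand: the skeleton contains it, the raw text does not."""
    return brand in skeleton(text).lower() and brand not in text.lower()

class _Extractor(HTMLParser):
    """Collect visible text, zero-size hidden filler and (href, anchor text) pairs."""
    def __init__(self):
        super().__init__()
        self._stack, self.visible, self.hidden, self.links = [], [], [], []
        self._href, self._anchor = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("font", "span", "div"):        # remember whether this element is zero-size
            self._stack.append(bool(ZERO_SIZE.search(a.get("style") or "")))
        elif tag == "a":
            self._href, self._anchor = a.get("href"), []
    def handle_endtag(self, tag):
        if tag in ("font", "span", "div") and self._stack:
            self._stack.pop()
        elif tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None
    def handle_data(self, data):
        if any(self._stack):                      # inside a font-size:0 element: invisible filler
            self.hidden.append(data)
            return
        self.visible.append(data)
        if self._href is not None:
            self._anchor.append(data)

def analyse(raw, brand="netflix"):
    """Parse a raw RFC 5322 message and report the look-alike and hidden-text tells."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["From"].addresses[0].display_name   # encoded-words are decoded by the policy
    subject = str(msg["Subject"])
    ext = _Extractor()
    ext.feed(msg.get_content())                      # base64 transfer encoding undone for us
    visible = re.sub(r"\s+", " ", "".join(ext.visible)).strip()
    # anchor text that reads as a hostname but differs from the host the href really goes to
    mismatched = [(h, t) for h, t in ext.links
                  if HOST_LIKE.fullmatch(t) and urlsplit(h).hostname != t.lower()]
    return {"sender": sender, "sender_skeleton": skeleton(sender),
            "subject_skeleton": skeleton(subject), "hidden_filler": ext.hidden,
            "visible_skeleton": skeleton(visible), "links": ext.links,
            "link_text_mismatch": mismatched,
            "brand_lookalike": lookalike(sender, brand) or lookalike(subject, brand)}

# Constructed sample, not the message from the post: Greek/Cyrillic look-alikes in the
# headers, zero-size filler splitting "billing" in the body, placeholder utm.io links.
SENDER = "\u039detflix"                                   # GREEK CAPITAL LETTER NU + "etflix"
SUBJECT = "Update Your \u0420\u0430\u0443m\u0435nt D\u0435t\u0430\u0456\u0196\u0455"
HTML = (
    '<!doctype html><html><head><meta charset="utf-8"><title>TODAY ONLY!</title></head><body>'
    "<td>W\u0435\u2019\u0433\u0435 h\u0430\u03bd\u0456ng trouble with your current b"
    '<FONT style="FONT-SIZE: 0px; COLOR: transparent">H4UegsL3yA</font>\u0456l'
    '<FONT style="FONT-SIZE: 0px; COLOR: transparent">BgLm</font>l'
    '<FONT style="FONT-SIZE: 0px; COLOR: transparent">7458</font>\u0456n'
    '<FONT style="FONT-SIZE: 0px; COLOR: transparent">NjNHtJ6pEt4m</font>g information.</td>'
    '<a href="https://utm.io/EXAMPLE?linkfol=RetryPayment">RETRY PAYMENT</a> '
    '<a href="https://utm.io/EXAMPLE?linkfol=helpurl">heIp.netfIx.com</a></body></html>'
)

def build_sample_message():
    """Assemble the raw message the way the lure arrives: 7-bit headers, base64 HTML body."""
    body = base64.b64encode(HTML.encode("utf-8")).decode("ascii")
    return (f"From: {encoded_word(SENDER)} <noreply@mail.example.invalid>\r\n"
            f"Subject: {encoded_word(SUBJECT)}\r\n"
            "MIME-Version: 1.0\r\nContent-Type: text/html; charset=UTF-8\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\n" + body + "\r\n").encode("ascii")

if __name__ == "__main__":
    for key, value in analyse(build_sample_message()).items():
        print(f"{key}: {value}")
```

Two design points worth noting. The “heIp.netfIx.com” trick (ASCII capital I for l) is deliberately not in the confusables map, because folding plain ASCII letters into each other would mangle legitimate text; it is caught instead by the anchor-text-versus-href-host comparison. And the skeleton is computed only after the zero-size filler has been dropped, so the output contains “billing” even though the raw HTML never does.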

Pretty nifty, ain’t it? Check out the nicely crafted aesthetics. Who the hell wouldn’t fall for this, unless of course you had an eagle eye and looked at the URL, which reads ‘netfilxs.corn.zcoiuploadservers.com’: the letters in ‘netfilxs’ are transposed, ‘corn’ passes for ‘com’ in a sans-serif font, and the registered domain is zcoiuploadservers.com, which has nothing to do with Netflix. All of that would probably be missed by most ageing people like me. And to gain trust further, it has the https ‘padlock’, which everyone says is the equivalent of security in the online world (D-uh). Let’s click on this padlock to see what it shows:

Now I know Netflix is going through some tough times with Disney entering the fray and other revenue issues like password re-use, but I am quite certain that the situation is not so grim that Netflix would have to resort to free certificates from ‘Let’s Encrypt’. Oh, while we are at it, here are the details of the TLS certificate presented by this Netflix look-alike. Keep in mind what a certificate like this actually proves: a domain-validated certificate only attests that whoever requested it controlled that hostname at issuance time. It says nothing about who they are, which is exactly why the padlock proves nothing here.

Noice, ain’t it?

“Ok, smarty pants. We concede that you are God and on this festive day of ‘God-over-Devil’ you got the devil by whatever-it-is-that-the-gods-get-the-devils-by. The big question is: what can normal people who don’t understand the goop of HTML and base64 and SSL and padlocks and all that do? Is there a way we can deploy a solution in our businesses so that if some stupid ass clicked on a link in such an email, we will get to know?”

You know, Sir (or Madam), it is precisely for reasons like this that ‘smarty pants’ found start-ups and give them ‘smarty pants names’ like PolyLogyx. If you didn’t know what PolyLogyx is, we basically have a solution that captures a GREAT variety of endpoint activity data and brings it to a central location, which allows for rules, analysis and reporting based on that data. (Yup, I didn’t write all this to miss out on a plug). Now, while I was doing all these reverse-shenanigans, I was doing them on my laptop, which was running the PolyLogyx solution, capturing all these site visits and submitting them to a server where we have a rule which says ‘If you see SSL activity based on a certificate from Let’s Encrypt, send an alert’.

“Let’s Encrypt” is being heavily misused these days, so having such a rule in place is not a bad idea, even though it will generate noise: plenty of legitimate sites use Let’s Encrypt too, so in practice you pair the rule with an allowlist of hosts where it is expected, or treat it as an enrichment on other signals (say, a brand name inside a hostname whose registered domain is not the brand’s) rather than as a stand-alone alert. And of course it is contingent on the endpoint sensor being able to produce that level of visibility: at minimum the certificate issuer per TLS connection, and ideally the hostname (SNI) and the process that made the connection.
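An added example of what such a rule looks like as plain logic (my own Python, not PolyLogyx’s rule syntax; the telemetry rows, their field names and the issuer strings are constructed to show the shape of the data and are not taken from the screenshots): alert on any TLS connection whose certificate issuer is Let’s Encrypt, suppress hosts on an allowlist to cut the noise, and raise the severity when a hostname label is within a couple of edits of a protected brand while the registered domain is not one of the brand’s own, which is exactly the ‘netfilxs.corn.zcoiuploadservers.com’ shape from the landing page above. The allowlist and brand table are assumptions for the demonstration.

```python
import re

# Issuer match for Let's Encrypt certificates (the O= RDN is stable across their intermediates).
LETS_ENCRYPT = re.compile(r"\bO=Let's Encrypt\b", re.I)

# Constructed allowlist of hosts where a Let's Encrypt certificate is expected.
ALLOWLIST = {"blog.example.org"}

# Brands worth protecting and the registered domains they legitimately use (constructed).
BRANDS = {"netflix": {"netflix.com"}}

def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'netfilxs' is 2 away from 'netflix' (swap 'il', drop the 's')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def registered_domain(host):
    """Last two labels. An approximation: a real deployment should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand_lookalike(host):
    """Return the brand that a label of this host imitates, unless the host sits on
    one of the brand's own registered domains (then it is not a look-alike)."""
    host = host.lower()
    for brand, domains in BRANDS.items():
        if registered_domain(host) in domains:
            continue
        for label in host.split("."):
            # substring catches 'netflix-billing'; the distance catches typo/transposition variants
            if len(label) >= 4 and (brand in label or osa_distance(label, brand) <= 2):
                return brand
    return None

def evaluate(rows):
    """Run the rule over endpoint TLS telemetry rows and return the alerts it raises."""
    alerts = []
    for row in rows:
        if not LETS_ENCRYPT.search(row["issuer"]):
            continue                        # the rule only fires on Let's Encrypt issuers
        host = row["sni"].lower()
        if host in ALLOWLIST:
            continue                        # expected use of Let's Encrypt: no alert
        brand = brand_lookalike(host)
        alerts.append({
            "host": host,
            "process": row["process"],
            "severity": "high" if brand else "low",
            "reason": (f"Let's Encrypt certificate on a {brand} look-alike host" if brand
                       else "Let's Encrypt certificate on a host not on the allowlist"),
        })
    return alerts

# Constructed telemetry rows; the field names are assumptions, not any sensor's real schema.
SAMPLE_TELEMETRY = [
    {"sni": "intranet.example.com", "issuer": "CN=Example Corporate CA,O=Example",
     "process": "outlook.exe"},
    {"sni": "blog.example.org", "issuer": "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US",
     "process": "chrome.exe"},
    {"sni": "updates.example.net", "issuer": "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US",
     "process": "updater.exe"},
    {"sni": "netfilxs.corn.zcoiuploadservers.com",
     "issuer": "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US", "process": "chrome.exe"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_TELEMETRY):
        print(alert["severity"].upper(), alert["host"], "-", alert["reason"])
```

Run against the sample rows, the corporate-CA connection is ignored, the allowlisted blog is suppressed, the unknown updates host produces a low-severity alert (the noise the rule is known for), and the look-alike host is the one that comes out high. The ‘corn’-for-‘com’ label is not handled on its own; it is the brand distance on ‘netfilxs’ that flags that row.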

So this is what that rule would look like on our platform.

As I visited these sites on my laptop, I got the following telemetry on our platform:

Needless to say, it has all the data items needed for the alert to be triggered.

Should we investigate the alert further? Of course, we should.

At this point, it’s easy for the human eyes of the analyst to observe that some nincompoop (Ok, I take it back) some ‘sweet innocent vulnerable’ person ended up clicking on a link that looked like Netflix but surely is not. Time to send that person another ‘Security Awareness’ training kit, which hopefully doesn’t say “Just because it is https, it is safe”.

PS: It turns out that if you click on this suspicious link multiple times, it starts taking you to actual ‘Netflix’ page. Perhaps a way of ‘forensic evasion’.

PPS: If you are interested in getting any of those files (base64 encoded HTMLs etc) for your academic purposes, feel welcome to DM me.

PPPS: The title of the article does not have a typo.
