My family participates in a Community Supported Agriculture (CSA) program where we pay a Quarterly Membership Fee and receive a basket of fresh locally grown vegetables and fruit every two weeks. Apparently, their mailing list was also recently “harvested” for what appears to be less legitimate purposes.
I received the message below this morning (6/27/2014). The timing was such that my initial reaction was “Good, it’s an announcement on the July 4th holiday CSA schedule adjustment”. But then I saw the link text and the fact that the link was pretty much all that was in the message body. Alarm bells went off… So, out of curiosity, I did an analysis of where this thing is coming from. See that below the original message, if interested.
From: My CSA [mailto:redactedRealAttorney@Redacted-Real-Law-Firm.com]
Sent: Friday, June 27, 2014 5:17 AM
To: RecipientYouShouldntHaveSpammed; numerous other recipients…
Subject: from CSA
So what was the payload? The link above was pasted (unredacted) into a private browser on a secure remote server and it produced an application window that looked like an Internet Explorer browser full of phony “Diet News” and suspicious related as content. An attempt to close the window with the upper right red X brought up a new window with an “Are you sure… blah blah blah and an OK button that would likely install the mailware. Some other time maybe.
The first clue it’s a malicious message is the link URL. The domain carpediem.in just doesn’t equate with my CSA and the TLD (top level domain) of .in means it is a registration originating in India. Furthermore the file type (the .php) of the page in the link indicates it is a dynamic page and possibly some sort of application that seeks to do something malicious.
Analyzing the header of the message reveals more clues…
The alleged sender email address indicated in the header is redactedRealAttorney@Redacted-Real-Law-Firm.com. Probably spoofed at random and likely another stolen piece of identity. This person apparently actually exists and has a law firm according to an internet search.
The last hop before my ISP was… Received: from maui.mirahost.com ([188.8.131.52]) For the non geeks out there this means the last known place the message came from before my service provider got it. According to http://whatismyipaddress.com/ip/184.108.40.206 it is a server at Softlayer in Texas.
Before Softlayer it came from… Received: from Redacted-Real-Law-Firm.com (unknown [220.127.116.11]) The word “unknown” in there is another indication that the association of the domain Redacted-Real-Law-Firm.com with this address was not resolved by known legitimate DNS servers. Looking up the numeric address reveals (no surprise) that it resolves to Morocco, a low enforcement region for internet concerns http://whatismyipaddress.com/ip/18.104.22.168
Below is the message with an abridged full header…
Received: from eastrmimpi109 ([22.214.171.124]) by RecipientISP.Redacted
(InterMail vM.8.01.05.15 201-2260-151-145-20131218) with ESMTP
for email@example.com; Fri, 27 Jun 2014 07:17:09 -0400
Received: from maui.mirahost.com ([126.96.36.199])
by RecipientISP.redacted with
id KPH71o0052qsbMn01PH8tv; Fri, 27 Jun 2014 07:17:08 -0400
Received: from maui.mirahost.com (unknown [127.0.0.1])
by maui.mirahost.com (Postfix) with ESMTP id B307993E286E;
Fri, 27 Jun 2014 11:17:00 +0000 (UTC)
Received: from Redacted-Real-Law-Firm.com (unknown [188.8.131.52])
by maui.mirahost.com (Postfix) with ESMTP;
Fri, 27 Jun 2014 11:17:00 +0000 (UTC)
From: My CSA
Subject: from My CSA
Date: Thu, 27 Jun 2014 12:17:00 +0000
X-Mailer: iPad Mail (11D201)
In Conclusion: This is what they do these days. It’s a blended threat with a portion old fashioned Identity Theft, a bit of deception and social engineering. If you fall for it and your device isn’t protected and secure you may end up running a malicious application on your system before you know it.