Re: Phishing campaign using nested Google redirect
On Fri, 19 Feb 2021, Giovanni Bechis wrote:

> On 2/19/21 1:09 AM, John Hardin wrote:
>> On Thu, 18 Feb 2021, Giovanni Bechis wrote:
>>> On 2/18/21 6:37 PM, Ricky Boone wrote:
>>>> Just wanted to forward an example of an interesting URL obfuscation tactic observed yesterday.
>>>>
>>>> https://www.google.com/url?sa=t=j==s=web=15=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>>>
>>> I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well.
>>> If you can send me a spample I could tweak it a bit more.
>>
>> We may need to coordinate a little here - there's also a google.com/url redir rule in my sandbox, and they may be overlapping.
>
> I proposed a shared sandbox for that reason when we developed bitcoin rules (and we had similar problems with overlapping rules).

Perhaps it's time we pursued that. :)

-- 
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The promise of nuclear power: electricity too cheap to meter
The reality of nuclear power: FUD too cheap to meter
---
3 days until George Washington's 289th Birthday
Re: Phishing campaign using nested Google redirect
On Thu, 18 Feb 2021 16:08:01 -0800 (PST) John Hardin wrote:

> In our case it's best to upload an entire email (all headers intact
> and with as little obfuscation as possible) to something like
> Pastebin, then post the URL to that here so it can be downloaded.
...
> For just URLs, though, examples could just be pasted into the body of
> your post (as you did) or in a .txt attachment.

I'd still suggest uploading them to pastebin. Other spam filters may already have better handling for those URLs.
Re: Phishing campaign using nested Google redirect
On 2/19/21 1:09 AM, John Hardin wrote:
> On Thu, 18 Feb 2021, Giovanni Bechis wrote:
>
>> On 2/18/21 6:37 PM, Ricky Boone wrote:
>>> Just wanted to forward an example of an interesting URL obfuscation
>>> tactic observed yesterday.
>>>
>>> https://www.google.com/url?sa=t=j==s=web=15=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>>
>> I just committed a new variation of GB_GOOGLE_OBFUR that should match this
>> spam as well.
>> If you can send me a spample I could tweak it a bit more.
>
> We may need to coordinate a little here - there's also a google.com/url redir
> rule in my sandbox, and they may be overlapping.
>

I proposed a shared sandbox for that reason when we developed bitcoin rules (and we had similar problems with overlapping rules).

Giovanni
Re: Phishing campaign using nested Google redirect
On Thu, Feb 18, 2021 at 7:08 PM John Hardin wrote:
>
> In our case it's best to upload an entire email (all headers intact and
> with as little obfuscation as possible) to something like Pastebin, then
> post the URL to that here so it can be downloaded. This keeps the spample
> from being modified during transit in ways that could impede analysis and
> rule development and testing.
>
> For just URLs, though, examples could just be pasted into the body of your
> post (as you did) or in a .txt attachment.

Gotcha, thanks. Hopefully the copies I put up on GitLab are still useful for testing any rules; I didn't see any issues when I ran SA against the redacted copies. Since they included real addresses, names, etc., I have to redact certain elements due to my company's policies.
Re: Phishing campaign using nested Google redirect
On Thu, 18 Feb 2021, Giovanni Bechis wrote:

> On 2/18/21 6:37 PM, Ricky Boone wrote:
>> Just wanted to forward an example of an interesting URL obfuscation tactic observed yesterday.
>>
>> https://www.google.com/url?sa=t=j==s=web=15=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>
> I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well.
> If you can send me a spample I could tweak it a bit more.

We may need to coordinate a little here - there's also a google.com/url redir rule in my sandbox, and they may be overlapping.

-- 
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Are you a mildly tech-literate politico horrified by the level of ignorance demonstrated by lawmakers gearing up to regulate online technology they don't even begin to grasp? Cool. Now you have a tiny glimpse into a day in the life of a gun owner. -- Sean Davis
---
Today: Perseverance lands on Mars
Re: Phishing campaign using nested Google redirect
On Thu, 18 Feb 2021, Ricky Boone wrote:

> Nice. I've copied scrubbed versions of what I've seen so far here: https://gitlab.com/-/snippets/2079108 (I can never remember if it is appropriate to include attachments to mailing lists like this).

In our case it's best to upload an entire email (all headers intact and with as little obfuscation as possible) to something like Pastebin, then post the URL to that here so it can be downloaded. This keeps the spample from being modified during transit in ways that could impede analysis and rule development and testing.

For just URLs, though, examples could just be pasted into the body of your post (as you did) or in a .txt attachment.

-- 
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Are you a mildly tech-literate politico horrified by the level of ignorance demonstrated by lawmakers gearing up to regulate online technology they don't even begin to grasp? Cool. Now you have a tiny glimpse into a day in the life of a gun owner. -- Sean Davis
---
Today: Perseverance lands on Mars
Re: Phishing campaign using nested Google redirect
Nice. I've copied scrubbed versions of what I've seen so far here: https://gitlab.com/-/snippets/2079108 (I can never remember if it is appropriate to include attachments to mailing lists like this).

On Thu, Feb 18, 2021 at 1:13 PM Giovanni Bechis wrote:
>
> On 2/18/21 6:37 PM, Ricky Boone wrote:
>> Just wanted to forward an example of an interesting URL obfuscation
>> tactic observed yesterday.
>>
>> https://www.google.com/url?sa=t=j==s=web=15=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>>
>> Google then spits back a response with the redirect target in both
>> JavaScript and non-JavaScript forms (meta refresh tag):
>>
>> https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.phpsa=Dsntz=1usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g
>>
>> Slightly different response behavior this time, but ultimately
>> redirects the victim to the malicious destination. The effective
>> destination in this case has been taken down, but I'll avoid putting
>> the full link.
>>
>> Unfortunately, there didn't seem to be any rules that would help catch
>> this. I have a couple thoughts on some that I would need to test, but
>> wanted to share to the community.
>
> I just committed a new variation of GB_GOOGLE_OBFUR that should match this
> spam as well.
> If you can send me a spample I could tweak it a bit more.
>
> Giovanni
>
Re: Phishing campaign using nested Google redirect
On 2/18/21 6:37 PM, Ricky Boone wrote:
> Just wanted to forward an example of an interesting URL obfuscation
> tactic observed yesterday.
>
> https://www.google.com/url?sa=t=j==s=web=15=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g
>
> Google then spits back a response with the redirect target in both
> JavaScript and non-JavaScript forms (meta refresh tag):
>
> https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.phpsa=Dsntz=1usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g
>
> Slightly different response behavior this time, but ultimately
> redirects the victim to the malicious destination. The effective
> destination in this case has been taken down, but I'll avoid putting
> the full link.
>
> Unfortunately, there didn't seem to be any rules that would help catch
> this. I have a couple thoughts on some that I would need to test, but
> wanted to share to the community.
>

I just committed a new variation of GB_GOOGLE_OBFUR that should match this spam as well.
If you can send me a spample I could tweak it a bit more.

Giovanni
Phishing campaign using nested Google redirect
Just wanted to forward an example of an interesting URL obfuscation tactic observed yesterday.

https://www.google.com/url?sa=t=j==s=web=15=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.tehminadurranifoundation.org%252F1%252F1%252Findex.php%26sa%3DD%26sntz%3D1%26usg%3DAFQjCNEa27A724-wMQik8STZvuisHK2G4g

Google then spits back a response with the redirect target in both JavaScript and non-JavaScript forms (meta refresh tag):

https://www.google.com/url?q=https%3A%2F%2Fwww.tehminadurranifoundation.org%2F1%2F1%2Findex.phpsa=Dsntz=1usg=AFQjCNEa27A724-wMQik8STZvuisHK2G4g

Slightly different response behavior this time, but ultimately redirects the victim to the malicious destination. The effective destination in this case has been taken down, but I'll avoid putting the full link.

Unfortunately, there didn't seem to be any rules that would help catch this. I have a couple thoughts on some that I would need to test, but wanted to share to the community.
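The detection idea the thread is circling (a rule that notices a google.com/url link whose target is itself a google.com/url link) can be checked statically, without following the redirect. The block below is an added example, not code from the thread or from SpamAssassin: it peels one layer of percent-encoding per hop, just as the redirector does, and flags links that pass through two or more layers. The sample body, the `phish.example` destination and the assumption that the target rides in a query value are all constructed here.

```python
import re
from urllib.parse import urlsplit, parse_qsl

REDIRECT_HOSTS = {"google.com", "www.google.com"}  # hosts whose /url forwards to a caller-supplied target
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def redirect_target(url):
    """Return the URL one google.com/url hop points at, or None if `url` is not
    such a redirect. The target normally rides in q= (as in the thread); any query
    value containing an http(s) URL is accepted so mangled parameter lists still
    unwrap. parse_qsl strips one layer of %-encoding, as the server does."""
    parts = urlsplit(url)
    if parts.netloc.lower() not in REDIRECT_HOSTS or parts.path != "/url":
        return None
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        m = URL_RE.search(value)
        if m:
            return m.group(0)
    return None

def unwrap(url, max_hops=5):
    """Statically peel nested redirect wrappers, no network access.
    Returns (final_url, hops); hops == 0 means `url` was not a redirect."""
    hops = 0
    while hops < max_hops:
        nxt = redirect_target(url)
        if nxt is None:
            break
        url, hops = nxt, hops + 1
    return url, hops

def suspicious_urls(body, min_hops=2):
    """Scan a message body; return [(seen_url, final_url, hops)] for links that
    pass through at least `min_hops` redirect layers."""
    found = []
    for m in URL_RE.finditer(body):
        final, hops = unwrap(m.group(0))
        if hops >= min_hops:
            found.append((m.group(0), final, hops))
    return found

# Constructed sample body: a doubly wrapped link (the thread's pattern, with a
# placeholder destination) next to a single, ordinary Google redirect.
SAMPLE_BODY = (
    "Please review: https://www.google.com/url?sa=t&url=https%3A%2F%2Fwww.google.com"
    "%2Furl%3Fq%3Dhttps%253A%252F%252Fphish.example%252F1%252Findex.php"
    "%26sa%3DD%26sntz%3D1%26usg%3DCONSTRUCTED\n"
    "Docs: https://www.google.com/url?q=https%3A%2F%2Fdocs.example%2Fshared\n"
)
```

Running `suspicious_urls(SAMPLE_BODY)` reports only the first link, unwrapped to `https://phish.example/1/index.php` after 2 hops; the single-layer Docs link stays below the threshold, which is the distinction a rule such as GB_GOOGLE_OBFUR needs to draw.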