Here's a sample of a well done "Dropbox" Phish sent thru Gmail,
containing a custom URL shortener which (apparently) did _NOT_
exist at message arrival time:
http://puffin.net/software/spam/samples/0045_shortener_phish.txt
I MUNGED the To & From headers, however I left the original From
domain in the DKIM header.
My post SA filter does HEAD lookups of URL shorteners, with
logging of the full headers.
URL shorteners are (currently) low enough volume that I check any
"interesting" ones, in particular, phish.
Here's the server log entry:
[ HEAD "http://tinyurl.com/easystorage42" ]
HTTP/1.1 404 Not Found
Date: Mon, 19 Sep 2016 17:29:04 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=dc570dff5ac6a2bc68a5d2e9ff02f5f8b1474306144; expires=Tue,
19-Sep-17 17:29:04 GMT; path=/; domain=.tinyurl.com; HttpOnly
Set-Cookie: tinyUUID=7e020645a4cd45051c050000; expires=Tue, 19-Sep-2017
17:29:03 GMT; path=/; domain=.tinyurl.com
Server: cloudflare-nginx
CF-RAY: 2e4ec1fa555d3816-ATL
Here are the HEAD headers the next day (same Code, albeit compiled
in a Windows app rather than Penguin-land):
[ HEAD for URL http://tinyurl.com/easystorage42 ]
HTTP/1.1 301 Moved Permanently
Date: Tue, 20 Sep 2016 19:08:17 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=db099f950a3ec03be684df56d1c5cb2191474398497; expires=Wed,
20-Sep-17 19:08:17 GMT; path=/; domain=.tinyurl.com; HttpOnly
Set-Cookie: tinyUUID=7e18925a80f84470c6860000; expires=Wed, 20-Sep-2017
19:08:16 GMT; path=/; domain=.tinyurl.com
Location: http://proj ect miya . com/images/index.htm
X-tiny: cache 0.0095739364624023
Server: cloudflare-nginx
CF-RAY: 2e5790b36552423d-MSP
** I put four blank spaces in the "Location", so nobody would
"be bothered". ;) They were NOT in the actual output.
My first thought was network hiccup. Then it struck me that this
was not a random/system generated one, rather it was one of those
"custom"/vanity(?) shorteners that often appear in ESP/snow.
I have no experience creating Shorteners.
*** Could someone who does, please weigh in on whether this may
be a new tactic? ***
If it is, it's almost clever.
For years, I've been poison pill scoring stuff like that, and
letting Quarantine re-testing sort things out. :)
* Does anyone have any idea of the significance of the "X-tiny"
header in the Windows vs Linux output? It's probably trivial.
In general, this is a good example of the Phish I regularly see
sent via Gmail. From.Realname is an oft phished target (never
fuzzed), SPF passes, and the English is generally well done.
The worst/best-done campaign (WOW/Blizzard/BattleNet) I've ever
seen went on for seven months, with no sign that Gmail even
noticed it. :\
- "Chip"
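An added example of the check described in the post, not Chip's own filter code: it pulls shortener links out of a message body, parses a logged HEAD response (tolerating the mailer-wrapped Set-Cookie lines seen above), and turns a 404 (link not yet live at arrival) or a 3xx (live redirect with its target) into a filter verdict. The shortener host list and the message body are constructed; the HEAD response is the day-two one from the post, Location spaces included as munged there.

```python
import re
from urllib.parse import urlparse

# Shortener hosts worth a HEAD lookup (assumed starter list, extend as needed).
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co", "ow.ly"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
HDR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")  # shape of a real header field name

# Constructed message body plus the day-two HEAD response quoted in the post.
SAMPLE_BODY = "Your files are ready: http://tinyurl.com/easystorage42 - Dropbox"
SAMPLE_HEAD = """HTTP/1.1 301 Moved Permanently
Date: Tue, 20 Sep 2016 19:08:17 GMT
Set-Cookie: __cfduid=db099f950a3ec03be684df56d1c5cb2191474398497; expires=Wed,
20-Sep-17 19:08:17 GMT; path=/; domain=.tinyurl.com; HttpOnly
Location: http://proj ect miya . com/images/index.htm"""

def extract_shortener_urls(body):
    """Return shortener URLs found in a message body, in order, without duplicates."""
    found = []
    for m in URL_RE.finditer(body):
        url = m.group(0).rstrip(".,;)>")
        host = (urlparse(url).hostname or "").lower()
        host = host[4:] if host.startswith("www.") else host
        if host in SHORTENER_HOSTS and url not in found:
            found.append(url)
    return found

def parse_head_response(raw):
    """Parse a logged HEAD response into (status, {lower-case name: value}); a line
    that does not start with a plausible header name is a wrapped continuation."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])           # "HTTP/1.1 301 Moved Permanently" -> 301
    headers, last = {}, None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and HDR_NAME.fullmatch(name) and not line[:1].isspace():
            last = name.lower()
            headers[last] = value.strip()       # repeated names keep the last value
        elif last:
            headers[last] += " " + line.strip()
    return status, headers

def classify(status, headers):
    """Filter verdict: 404 = dangling link at arrival time, 3xx = live redirect + target."""
    if status == 404:
        return "dangling", None
    if 300 <= status < 400:
        return "redirect", headers.get("location")
    return "other", None
```

In a live filter, feed parse_head_response the raw reply from a HEAD request made with a client that does not follow redirects (Python's http.client does not), so the Location header is logged as received.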