SpamAssassin caught this phish; however, some tweaks would have
let it through, and it's an interesting new (to me) approach, so I
figured I'd share it with y'all.

Full raw spample (with MUNGED email addresses):
        http://puffin.net/software/spam/samples/0053_phish_image.txt
At arrival time, the domain "alshimisiani" was only on
URIBL Black (the webhost's SA does not run URIBL, so that was
caught by my post-SA filter).

The HTML link had all manner of weirdness (in particular, that
Google "data-saferedirecturl" thingie), so I did a raw HTTP GET
of the image, semi-thinking it was going to be borked or lame.
Instead, I saw this very nicely done, VERY convincing image:
        http://puffin.net/software/spam/samples/0053_phish_image.png
I've never noticed that style before.  I've seen similar with
attached image(s), however I rarely pull down remote images.

For a while, I've been concerned that spammers would move to
more remote images in phish, and have been thinking about
adding arrival-time pull-down & analysis of them.

** Has anyone noticed this tactic, and, if so, has it been
going on for a while?


Also of interest is the main URL.
It looks like the site is legit and was cracked/hijacked.
The page used javascript and a meta refresh to redirect to a
different apparently-cracked site, with an interesting 3 hops
within that site, before the final pure javascript payload.

I don't have the time to analyze the js, however it is somewhat
unusual/different from what I've seen in the past.
If it's down by the time anyone legit checks it, feel free to
email me off-list for a copy (LEGIT geeks only and note that I'll
be mostly offline for the next 4-7 days).


I _VERY_ briefly researched the token "data-saferedirecturl", and
my first impression is that maybe it shouldn't occur in email, so
it may be a good test.
** What do the HTML gurus think?

Perhaps it would be worthwhile to MassCheck a meta of
"BODY_URI_ONLY" with highly phish-y From.RealNames?

I just checked the last 3 months of my best corpora, and ham
hits on "BODY_URI_ONLY" were in three categories (highest to
lowest volume):
        - DMARC reports
        - ESP/bulk (with SA scores between -4.0 and 5.3)
        - person-to-person with an image attachment
I'm already selectively "skip" listing all three scenarios, in
particular DMARC reports (i.e., I never "white" list; I have my
rules segmented into groups that can be easily skipped).
        - "Chip"
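As an added illustration (my own code, not the poster's and not a SpamAssassin rule), here is a small Python triage that encodes the two signals raised above: an HTML body that is nothing but a remote image wrapped in a link, and a link carrying data-saferedirecturl. The flag names, the 20-character text threshold and the two sample bodies are made up for the example.

```python
# Added triage check: flags a linked remote-image-only HTML body (the shape
# BODY_URI_ONLY reacts to) and any <a> carrying data-saferedirecturl.
from html.parser import HTMLParser

class BodyTriage(HTMLParser):
    def __init__(self):
        super().__init__()
        self.text_chars = 0           # visible non-whitespace characters
        self.remote_images = []       # http(s) <img src> values
        self.links = []               # <a href> values
        self.saferedirect_links = []  # hrefs that also carry data-saferedirecturl
        self._skip = 0                # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "img" and (a.get("src") or "").lower().startswith(("http://", "https://")):
            self.remote_images.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
            if "data-saferedirecturl" in a:
                self.saferedirect_links.append(a["href"])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:            # &nbsp; padding counts as whitespace
            self.text_chars += len("".join(data.split()))

def triage(html, text_threshold=20):
    """Return the flags raised for one HTML body (empty list = nothing odd)."""
    p = BodyTriage()
    p.feed(html)
    flags = []
    if p.saferedirect_links:
        flags.append("DATA_SAFEREDIRECTURL")
    if p.remote_images and p.links and p.text_chars < text_threshold:
        flags.append("IMAGE_ONLY_LINKED_BODY")
    return flags

# Constructed samples: a linked-image-only phish and an ordinary photo mail.
PHISH = """<html><body><a href="http://hijacked-site.invalid/login/"
 data-saferedirecturl="https://redirector.invalid/?q=http://hijacked-site.invalid/login/">
<img src="http://hijacked-site.invalid/notice.png" alt=""></a>&nbsp;</body></html>"""
HAM = """<html><body><p>Hi Chip, here are the photos from the weekend.</p>
<a href="https://photos.invalid/album"><img src="https://photos.invalid/thumb.jpg"></a>
</body></html>"""
```

These are triage signals, not a verdict: the ham categories listed above (ESP bulk mail, personal mail with an image) would trip the image-only flag just as BODY_URI_ONLY does, so it belongs in a meta with other evidence rather than scoring on its own.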

