How to recognize a targeted malware/phishing attack

I received an email pretending to be from my hoster Strato (known as Cronon AG) telling me that the domain I have for my IT consulting business has been suspended because of complaints they received.

This kind of email is called “spear phishing”: it targets only certain users who have a proven connection to the attacked brand or company. In this case, I am clearly a customer of Cronon AG because the WHOIS information shows this (see below).

Dear Sorin Mustaca,

The Domain Name mustaca.com have been suspended for violation of the Cronon AG Abuse Policy.

Multiple warnings were sent by Cronon AG Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

Sincerely,

Cronon AG

Spam and Abuse Department

The email appears to come from them, but observe the “.KD” at the end of the FROM email address. Suspicious!

[image: cronon-malware2]

This is what the email header looks like:

[image: strato-email]

Just have a look at the areas I marked in red. They have absolutely nothing to do with Cronon AG!

This shows that the email is a fake.

Then, observe that they have obtained my name, my email address and my domain. Very convincing!

But all of this information is in the WHOIS record for my domain, which is publicly available:

[image: whois-mustaca]

The Link

The link points to a malicious file that gets downloaded!

The URL is crafted to give the impression that it retrieves something specific to my account. Observe the “mustaca.com” appended to the URL as the query string:

http://<host>.com.au/abuse.php?mustaca.com

So as not to link to a malware file here, I removed the host name.

The malware is recognized by Avira as ‘TR/Crypt.Xpack.312513 [trojan]’.

Good job, Avira!
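The three checks walked through above (sender domain, Return-Path versus From, and a link whose host is unrelated to the hoster and carries the victim's own domain as a query string) can be automated. The following script is an added example, not code from the original post; the message it parses is constructed to mirror the phishing email, with placeholder host names, and "hoster.example" stands in for the hoster's real domain.

```python
import email.utils
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample modelled on the phishing email above; all hosts are placeholders.
SAMPLE = """\
Return-Path: <abuse@unrelated-relay.example.net>
Received: from unrelated-relay.example.net ([203.0.113.5])
From: "Cronon AG Abuse Department" <abuse@hoster.example.kd>
To: Sorin Mustaca <office@mustaca.com>
Subject: Domain mustaca.com suspended
Content-Type: text/plain

Click here and download a copy of the complaints:
http://placeholder-host.com.au/abuse.php?mustaca.com
"""

LEGIT_DOMAIN = "hoster.example"  # assumed stand-in for the hoster's real domain


def addr_domain(header_value):
    """Domain part of the first address in a header value ('' if none)."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it (no suffix tricks)."""
    return host == domain or host.endswith("." + domain)


def analyze(raw_message, expected_domain, my_domain):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = addr_domain(msg["From"])
    rp_dom = addr_domain(msg["Return-Path"])
    if not in_domain(from_dom, expected_domain):
        findings.append(f"From domain {from_dom!r} is not {expected_domain!r}")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom!r} differs from From domain")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://\S+", body):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if not in_domain(host, expected_domain):
            findings.append(f"link host {host!r} is outside {expected_domain!r}")
        if my_domain in parts.query:
            findings.append("link carries your own domain in its query string")
    return findings
```

Run `analyze(SAMPLE, LEGIT_DOMAIN, "mustaca.com")` to see all four findings for the sample; a legitimate notice from the hoster's own domain with links on that domain produces none.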

Feedback

I have informed the company owning the website which hosts the malware.

[image: submit-feedback]

Let’s see if they answer or at least remove the malware!

PS: I also informed Strato that their customers are being targeted.

All these and many more topics are in the free eBook "Improve your security" available here: www.improve-your-security.org.

About the Author

[image: ImproveYourSecurity]
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, has been working in the IT security industry since 2000, and until 2014 for Avira as Product Manager, where he was responsible for the well-known products used by over 100 million users worldwide. Serving the security needs of so many different users made him think that there are other ways to help users: teaching them about security.
