How to Spot a Malicious Email
Every morning my first job of the day over a nice cup of coldbrew coffee is to go through the emails received over night.
Occasionally I find a gem in the midst of the noise received from the internets.
This morning I received the following email in the Security Operations mailbox:
A spotting the spelling mistake in the subject line. This adds 2 to the score so we start with a risk score of 2/10.
European Health Insurance Card? I am sure I have one so I do need to get a new one? Whats this email all about?
I felt this needed looking into a little more and as many people are getting hit by ransomware these days, I thought it might be a good idea to go step by step how I look into emails I don’t expect and how I examine them in a safe and secure manner.
All emails start with a risk score of zero out of ten as we have already noted, the spelling in the subject line is incorrect starting us of at 2/10. For every check we perform, if the test fails then we assign two points to the score and for a partial fail we assign one point.
So to start we have a risk score of 2/10.
Quite interesting from a security point of view as it made it through the usual malware and virus scanners and then passed through the usual junk filters. So as it made it this far, I thought it fair game to look into it a little deeper.
The email has come into our SecOps@ email box, a box used by analysts to communicate with clients and receive suspicous files and emails for analysis.
As this is an unsolicited email, we can increment the risk score off by two giving 4/10.
The first task in handling this email, run it through virus total to have a look and see what if the community has reported anything on it.
We can see from this that Virustotal show this email as clean. Thats interesting, could this be a real email?
With Virustotal reporting it clean, we leave the risk score at 4/10.
The Virtustotal analysis page is here (https://www.virustotal.com/en/url/aecf08b245acfa6cca4bd16471a9ee09d000a66fe9dc3a77fe4b44739e480639/analysis/).
The company that has sent this is Aceso Healthcare Services. A quick search on companies house shows a number of businesses called Aceso but none of them are Aceso Healthcare Services.
So for this email, we have a risk score of 6/10 now.
Next stop is to check the credit reference agencies.
CreditSafe has no record of such a company. Noe we have a risk score of 8/10 and can call this a Scam.
So lets go a little deeper. Lets click the link in a sandbox environment.
Opening the Email Fully
Looking Deeper at the Site
The site looks good and is rather convincing. My first observation is there is no HTTPS so the URL bar is not containing the green padlock.
Secondly, this is a scam site. The scammers even announce the fact.
With 2 points for the lack of a secure connection when exchanging formation and 1 point for announcing this is in fact a scam, the score if racking up for this email.
Risk Score: 11/10
But as we are doing an in-depth look, lets look at the source code of the page. The entire page is a form which, when you click on the button calls a PHP script called payment-process.php.
Once you payment-process.php runs it redirects you to a paypal payment page where the ID of the scammer starts to be revealed.
We can add a further 2 points for use of personal paypal page and a further bonus point for the use of a free email address in the merchant paypal address:
mukulchawala86 [at] yahoo [dot] com
So there we have it, a final Risk Score of: 14/10
While not a malicious site per-se, as you can obtain the same for free direct from the government, and with a Risk Score of 14/10 this fits nicely into our Scam box.