Attempted BlueHost Phishing Attack

Tuesday, May 16th, 2017

Just got this phishing attempt purporting to be a domain change notification.

Raw source (slightly edited to remove my email address, and with line breaks added to keep the block from spilling into my right-hand links column):


Delivered-To: [my email address]
Received: by 10.129.168.138 with SMTP id f132csp137359ywh;
Tue, 16 May 2017 04:25:08 -0700 (PDT)
X-Received: by 10.25.145.78 with SMTP id y14mr3013524lfj.182.1494933668196;
Tue, 16 May 2017 04:21:08 -0700 (PDT)
X-Received: by 10.25.145.78 with SMTP id y14mr3013498lfj.182.1494933666719;
Tue, 16 May 2017 04:21:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1494933666; cv=none;
d=google.com; s=arc-20160816;
b=EkN54HW9eTyfd0jOfsRVNR0X/FcZbGItIa0uZOBR4HJp7/98oZ6n1B7FLmwrWmZrv4
5dDu5xxwEZUzXOGnickvxjN/j4xeYRwg4QRKcl1oGU/sN1/28cbmMhz+cPm/9IiocabJ
lbM3KY9yS06l8Tqks6NqCjYu37tBecVsdXCIDs97H8jlGMftPJtfHwSjp4NB8
Atmse85rgzAUDI3VQ0heJUNaej7eJ3iQZUoO4WUrE2a83+zL1RFIxhMy
xwuntOSRaMWqjkjUb0z pwB6DYLaFL6I4OBemO2fQ9KPAVSArN+W6yiD/
WTdHOH80EG6taU55R0BSe3v0Cm/JSjA
tGng==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=date:message-id:content-transfer-encoding:mime-version:from:subject
:to:delivery-date:arc-authentication-results;
bh=3vPc/J8rnDJTfIYUKavWvnMr/
efHU9EsfJ+Vu6fidbs=;b=fgaxPBNn1/vQIC45obi02J30mqqvoJ8yrp
N9bGIHG2rvWt1Qmtxt4ik7dyARWJDqzvOQnNMHX+
4bC1fVD1qcmjntpe0fkMR8HbYywI8r3k3rZArnj79fVoWJX
wzb0akib3zyGGSFLS+nZ1fkCdPfmU96JmPYevKmB3l0v86yU/
aj2WqNE+Olvc6s14wuBXia8rzGtWtsLHIlm2zmqS2NFLNTv
CapcNPx8ZQvOQEA37pv6oRmlnz/XOg7Rwi4dIrzaAbtY8wv0sI/29
EjXFkxsVgvXKHIRVc685xWXYuYKATJGIzfccUNJaP/
TBuhLI7uS8uo7QBkm+B21jhl0x
AnNw==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of cq99590@annika.timeweb.ru designates 2a03:6f00:1::5c35:605f as permitted sender) smtp.mailfrom=cq99590@annika.timeweb.ru
Return-Path:
Received: from annika.timeweb.ru (annika.timeweb.ru. [2a03:6f00:1::5c35:605f])
by mx.google.com with ESMTPS id p5si688773lfp.49.2017.05.16.04.21.06
for
(version=TLS1_2 cipher=AES128-SHA bits=128/128);
Tue, 16 May 2017 04:21:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of cq99590@annika.timeweb.ru designates 2a03:6f00:1::5c35:605f as permitted sender) client-ip=2a03:6f00:1::5c35:605f;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of cq99590@annika.timeweb.ru designates 2a03:6f00:1::5c35:605f as permitted sender) smtp.mailfrom=cq99590@annika.timeweb.ru
Delivery-date: Tue, 16 May 2017 14:21:06 +0300
To: lawrenceperson@gmail.com
Subject: Domain: BATTLESWARMBLOG.COM. Warning 5946
From: Bluehost
X-Priority: 4 (Low)
Mime-Version: 1.0
X-Mailer: Php_libMail_v_2.0(webi.ru)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: base64
Message-Id:
Date: Tue, 16 May 2017 14:21:06 +0300

RGVhciBCbHVlaG9zdCBjdXN0b21lciBMQVdSRU5DRSBQRVJTT04s
DQoNClRoaXMgbm90aWZpY2F0aW9uIGlzIGdlbmVyYXRlZCBhdXRvb
WF0aWNhbGx5IGFzIGEgc2VydmljZSB0byB5b3UuDQpXZSBoYXZlI
HJlY2VpdmVkIGEgcmVxdWVzdCB0aGF0IHRoZSBuYW1lIHNlcnZlcn
MgYmUgY2hhbmdlZCBmb3IgdGhlIGZvbGxvd2luZyBkb21haW4gbm
FtZShzKToNCg0KQkFUVExFU1dBUk1CTE9HLkNPTQ0KDQpJZiB5b3U
gYXJlIG1vbml0b3JpbmcgdGhpcyBuYW1lIHdpdGggRG9tYWluIEJh
Y2tvcmRlcnMsIHRoZSBhYm92ZSBjaGFuZ2UgaXMgYWxzbyBkaXNwb
GF5ZWQgaW4gdGhlICJNb25pdG9yaW5nIGFuZCBCYWNrb3JkZXJpbm
ciIHNlY3Rpb24gb2YgeW91ciBBY2NvdW50IE1hbmFnZXIuDQoNCmh
0dHA6Ly9teS5ibHVlaG9zdC5jb20uNjczMjcxY2M0N2MxYTRlNzdm
NTdlMjM5ZWQ0ZDI4YTcuZm9vb3BlcnRvLmNsaWVudC5jb29wZXJ0a
W5vLXRlc3QucnUvZG9tYWluL2x4eHZrbWhtem8uaHRtDQoNClRo
YW5rIHlvdSwNCkJsdWVob3N0DQpUb2xsIEZyZWU6ICg4ODgpIDQw
MS00Njg4DQpPdXRzaWRlIFVTOiAxKyg4MDEpIDc1Ni05NTAw


And here is the decoded (base64) message payload:


Dear Bluehost customer LAWRENCE PERSON,

This notification is generated automatically as a service to you.
We have received a request that the name servers be changed for the following domain name(s):

BATTLESWARMBLOG.COM

If you are monitoring this name with Domain Backorders, the above change is also displayed in the “Monitoring and Backordering” section of your Account Manager.

http://my.bluehost.com.673271cc47c1a4e77f57e239ed4d28a7.foooperto.
client.coopertino-test.ru/domain/lxxvkmhmzo.htm

Thank you,
Bluehost
Toll Free: (888) 401-4688
Outside US: 1+(801) 756-9500


Note the .ru domain at the end of the phishing link: the host name starts with my.bluehost.com, but everything before coopertino-test.ru is just a decoy subdomain chain. The "coopertino" in that URL also suggests this attempt is aimed at Mac users.
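As an added example (not the author's code), here is a Python check that applies the two tells visible in this message to a constructed sample modelled on it: a link whose host name merely begins with my.bluehost.com but is registered under a .ru domain, and an envelope sender (the only thing the SPF pass vouches for) that is not bluehost.com at all. The sample headers, body text and victim address are constructed; the registrable-domain helper is a deliberate simplification that ignores the Public Suffix List.

```python
import base64
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the message in the post, not the original raw
# source: a base64 text/plain body whose link begins with the brand's host name
# but is registered under an unrelated .ru domain, sent from a timeweb.ru address.
BODY = (b"Dear Bluehost customer,\r\n"
        b"We have received a request that the name servers be changed.\r\n"
        b"http://my.bluehost.com.673271cc47c1a4e77f57e239ed4d28a7.foooperto."
        b"client.coopertino-test.ru/domain/lxxvkmhmzo.htm\r\n"
        b"Thank you,\r\nBluehost\r\n")
RAW_MESSAGE = (b"Return-Path: <cq99590@annika.timeweb.ru>\r\n"
               b"From: Bluehost\r\n"
               b"Content-Type: text/plain; charset=UTF-8\r\n"
               b"Content-Transfer-Encoding: base64\r\n\r\n"
               + base64.b64encode(BODY) + b"\r\n")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable_domain(host):
    """Last two labels of a host name. Simplification: production code should
    consult the Public Suffix List (think co.uk), but it suffices here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def decoded_body(raw):
    """Parse the message; get_content() undoes the base64 transfer encoding."""
    return email.message_from_bytes(raw, policy=policy.default).get_content()

def find_lookalike_urls(raw, brand_domain="bluehost.com"):
    """URLs whose host name contains the brand's domain as a decoy prefix but
    whose registrable domain (the part that actually matters) is something else."""
    findings = []
    for url in URL_RE.findall(decoded_body(raw)):
        host = urlparse(url).hostname or ""
        if brand_domain in host and registrable_domain(host) != brand_domain:
            findings.append((url, registrable_domain(host)))
    return findings

def envelope_sender_mismatch(raw, brand_domain="bluehost.com"):
    """Return the envelope sender domain when it is not the brand's. An SPF pass
    only vouches for this domain, not for the 'Bluehost' shown in From:."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("Return-Path", "")))[1]
    domain = sender.rpartition("@")[2].lower()
    return domain if registrable_domain(domain) != brand_domain else None
```

Run against the sample, find_lookalike_urls reports the coopertino-test.ru link and envelope_sender_mismatch reports annika.timeweb.ru, which is exactly the pair of facts a user has to check by hand when the mail client only shows "Bluehost" as the sender.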

I don’t think I was personally targeted; I think this was probably sent out to every BlueHost domain contact email address the spammers could find.

I’m posting this as a warning to other BlueHost domain owners (and, in fact, anyone else who has a hosted domain):

1. Don’t click suspicious email links.
2. When in doubt, every email link is suspicious. Log into your domain hosting control panel directly, like you normally would, and contact your hosting company that way.

This was a clumsy attempt. Future phishing attacks are likely to be more sophisticated. Let the blogger beware…