2018-03-22 - GODADDY-THEMED PHISHING
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2018-02-28-GoDaddy-phish-1810-UTC.eml.zip 210 kB (209,557 bytes)
- 2018-02-28-GoDaddy-phish-attachment-Invoice-My_Account_Order_History_Receipt.pdf.zip 196 kB (196,200 bytes)
- 2018-03-22-GoDaddy-phish-1555-UTC.eml.zip 1.3 MB (1,348,299 bytes)
- 2018-03-22-GoDaddy-phish-attachment-Invoice.pdf.zip 1.3 MB (1,291,912 bytes)
- 2018-03-22-GoDaddy-phish-traffic.pcap.zip 372 kB (372,040 bytes)
NOTES:
- I found a similar phishing email from 2018-02-28 that I originally ignored, but this is a trend, so I've included it in the above archives.
- I didn't include any info from the 2018-02-28 phish below, so you'll have to dig into that one if you want those indicators.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domain:
- www.myaccount-godaddy.lowercholesterolsupplements[.]com
EMAIL HEADERS
X-Originating-Ip: [173.201.193[.]102]
Authentication-Results: [removed]; iprev=pass policy.iprev="173.201.193[.]102"; spf=softfail smtp.mailfrom="id-referance-4232352611@bigmir[.]net" smtp.helo="p3plsmtpa08-01.prod.phx3.secureserver[.]net"; dkim=none (message not signed) header.d=none; dmarc=none (p=nil; dis=none) header.from=bigmir[.]net
X-Suspicious-Flag: NO
X-Classification-ID: 6cd03c44-2de9-11e8-b253-5254006a2e70-1-1
Received: from [173.201.193[.]102] ([173.201.193[.]102:40590] helo=p3plsmtpa08-01.prod.phx3.secureserver[.]net)
by [removed] (envelope-from
[removed]; Thu, 22 Mar 2018 11:55:25 -0400
Received: from bigmir[.]net ([144.202.110[.]202])
by :SMTPAUTH: with SMTP
id z2XfexiIUDVohz2YeeorPA; Thu, 22 Mar 2018 08:55:19 -0700
X-Sender: 1f090ed@vatimen[.]com
From: Godaddy Team 2018<id-referance-4232352611@bigmir[.]net>
To: [removed]
Subject: Your Billing is attached !
Date: 22 Mar 2018 15:55:15 +0000
Message-ID: <20180322155515.BBCD5532FFAA2313@bigmir[.]net>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0012_E5C8996C.D4B90631"
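As an added example (not part of the original post), the following Python script pulls the SPF/DKIM/DMARC verdicts and the HELO-versus-From domain mismatch out of the Authentication-Results and From headers shown above; the sample values are re-typed from this page with the defanged [.] restored, and the flagging rules are a triage heuristic of my own, not a formal verdict.

```python
import re

def refang(s):
    """Turn the defanged 'bigmir[.]net' notation used in this post back into a real domain."""
    return s.replace("[.]", ".")

# Constructed sample: header values copied from the 2018-03-22 message above.
SAMPLE_HEADERS = {
    "Authentication-Results": refang(
        '[removed]; iprev=pass policy.iprev="173.201.193[.]102"; '
        'spf=softfail smtp.mailfrom="id-referance-4232352611@bigmir[.]net" '
        'smtp.helo="p3plsmtpa08-01.prod.phx3.secureserver[.]net"; '
        "dkim=none (message not signed) header.d=none; "
        "dmarc=none (p=nil; dis=none) header.from=bigmir[.]net"
    ),
    "From": refang("Godaddy Team 2018<id-referance-4232352611@bigmir[.]net>"),
}

def parse_auth_results(value):
    """Return ({method: result}, {property: value}) from an Authentication-Results value."""
    results = {m.group(1): m.group(2)
               for m in re.finditer(r"\b(iprev|spf|dkim|dmarc)=(\w+)", value)}
    # properties such as smtp.helo="..." / header.from=... (quotes optional)
    props = dict(re.findall(r'\b((?:smtp|header|policy)\.\w+)="?([^"\s;]+)"?', value))
    return results, props

def domain_of(addr):
    """Domain part of an address, e.g. 'Name<user@example.test>' -> 'example.test'."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""

def assess(headers):
    """List the triage findings for one message; an empty list means nothing stood out."""
    results, props = parse_auth_results(headers["Authentication-Results"])
    findings = []
    if results.get("spf") in ("softfail", "fail", "none"):
        findings.append(f"spf={results['spf']}")
    if results.get("dkim") != "pass":
        findings.append(f"dkim={results.get('dkim')}")
    if results.get("dmarc") != "pass":
        findings.append(f"dmarc={results.get('dmarc')}")
    from_domain = domain_of(headers["From"])
    helo = props.get("smtp.helo", "")
    if helo and not helo.endswith(from_domain):
        findings.append(f"helo {helo} does not match From domain {from_domain}")
    return findings

if __name__ == "__main__":
    for f in assess(SAMPLE_HEADERS):
        print("FLAG:", f)
```

A HELO/From mismatch alone is common for legitimately relayed mail, so it is only a signal to combine with the failed authentication results and the attachment, not a verdict on its own.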
TRAFFIC
2018-03-22 NETWORK TRAFFIC:
- 192.185.121[.]132 port 80 - www.myaccount-godaddy.lowercholesterolsupplements[.]com - GET /
- 192.185.121[.]132 port 80 - www.myaccount-godaddy.lowercholesterolsupplements[.]com - GET /signin.html
- 192.185.121[.]132 port 80 - www.myaccount-godaddy.lowercholesterolsupplements[.]com - other GET requests for the images/etc.
FILE HASHES
2018-03-22 PDF ATTACHMENT:
- SHA256 hash: 7d884528aa1bcf93c3a65a1b2df4059288aff750720507fea6c00e484127700b
- File size: 1,297,459 bytes
- File name: Invoice.pdf
- File description: PDF that contains link to GoDaddy-themed phishing site
IMAGES
Shown above: Email seen in my inbox earlier today.
Shown above: Start of the attached PDF invoice.
Shown above: End of the attached PDF invoice with link to the phishing page.
Shown above: The fake GoDaddy login phishing page.
Shown above: Traffic to the phishing page filtered in Wireshark.