3

Since yesterday, I have been receiving forged mails which are targeted at me. They use personal information, seem to come from one of my friends and only contain links to these web sites:

http kaosbolaclothing.com/ceremonyemploy/Dean_Edwards28/
http www.sidat.com.mx/engagediatmosphere/Matthew_Bailey44/

(links disabled to prevent someone from accidentally following them).

What should I do now?

[EDIT] Some more information:

  1. The mail addresses me personally (by first name)
  2. The sender is the full name of my friend (no typos) but the attacker is using different sender emails (probably forged).

Here is the mail header (personal information replaced with ${...}):

Content-Transfer-Encoding:   quoted-printable
Content-Type:    text/plain; charset=utf-8
DKIM-Signature:  v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1345684031; bh=GeuilzHJrvCxtRBuL4FZxQ7aXRM6tpTAePrK26c0570=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=Yr4o5RXwGl5U/PCXc8Fjb2jSCXJ+Tm2Hp2OIjZ5uLP896jlz7BL8fOzaFrDYfkHRnYjDCjUQh8ID/P1lFoFDvi7SNHZpK765gG6yyGfMqOk3Beoozxk60WsNoyy7+R/K/X+RQ+x7ZCWmwYaqDwIn9L0neohCsdKJGKtdZOPFyXM=
Date:    Wed, 22 Aug 2012 18:07:11 -0700 (PDT)
Delivery-date:   Thu, 23 Aug 2012 03:07:17 +0200
DomainKey-Signature:     a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=6LG8CeLCvrnyj4Nognto3b5cV3zLh/o3gtbFxCf0pYJHx3ulUef0M4XNTe9lU5WnIMwpZaBdaSrF7K31KcBvKwJJcbfwpKNGdezUfKNQC00Fmo4sUur9ZrehWrV+j97HmD/UlEcZKuFwE0Lrq1+MYItPkgEGCeOYaDWBAPqbNsI=;
Envelope-to:     ${my email}
From:    ${name of friend} <${different addresses}>
MIME-Version:    1.0
Message-ID:  <1345684031.52519.YahooMailNeo@web163902.mail.gq1.yahoo.com>
Received:    from nm23-vm1.bullet.mail.ne1.yahoo.com ([98.138.91.50]) by www.hepe.com with smtp (Exim 4.72) (envelope-from <rosmery81jimenez@yahoo.com>) id 1T4LtC-0007qp-De for digulla@hepe.com; Thu, 23 Aug 2012 03:07:17 +0200
Received:    from [98.138.90.51] by nm23.bullet.mail.ne1.yahoo.com with NNFMP; 23 Aug 2012 01:07:12 -0000
Received:    from [98.138.89.174] by tm4.bullet.mail.ne1.yahoo.com with NNFMP; 23 Aug 2012 01:07:12 -0000
Received:    from [127.0.0.1] by omp1030.mail.ne1.yahoo.com with NNFMP; 23 Aug 2012 01:07:12 -0000
Received:    (qmail 52628 invoked by uid 60001); 23 Aug 2012 01:07:11 -0000
Received:    from [216.58.103.108] by web163902.mail.gq1.yahoo.com via HTTP; Wed, 22 Aug 2012 18:07:11 PDT
Reply-To:    ${different addresses}
Return-path:     <${different addresses}>
Subject:     FOR ${my name}
To:  ${my email}
X-Mailer:    YahooMailWebService/0.8.121.416
X-Sender-Host-Country:   USA
X-Spam-Checker-Version:  SpamAssassin 3.3.1 (2010-03-16) on sebigbos.hepe.com
X-Spam-Status:   No, score=-0.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE autolearn=unavailable version=3.3.1
X-YMail-OSG:     grrWpYMVM1nX9hYw_uNTgdCPoNKWu5jkv0EmY0ZHG4tPd2O mRxwvLiQpCv.k64Dpw3ncbfn2yZ8BJSdT8MQfa30vkl_20DL1PRE.Znx._Cq 5nmBpOrqzrKpnI6FQWrv09oazY4eKdfYj4Tctb69dInKejxmOVmrJBDVT.Bg qe.buX4abq2f0JwUSlgieoxQcVlERFSy4ENI6.t633e4GCpKFaWn.5bJk_P5 VYpdFdVgBtyttRn6e1PQFCI4LkETAAzBcXtlcXf2yF5aL7C4SMWhbpXbbyN9 rOdZXO1vl_hxHl5wCY88YrPkKcm9QvRNHDdyIx0PrnEP3GYiLHPbl_4PoB6K m12Bda2O5ObmO8XC4_OOYc.xfkm8DKezgTyMlvooh1miYOyiELCNMhiTsdbq 4tPsZYnwmhGInOo4qnW6zZuhgIMtwmT2PYKubcjX1xWFNQUpKbAK1pdhEycK KcAiO.c43J1A3fnOZ1oNUeIttRKcRtKaRXjL35UmQadPYDIYQOjK9Dq1LCT3 6rSl2ROTg73gxGH_h1wpAb4A9XI0KCElRgIdLv5UQu5eACzNYq2dQo5J_SQP bGU9NyeEBuq9wZXgvMIKF
X-Yahoo-Newman-Id:   293921.35658.bm@omp1030.mail.ne1.yahoo.com
X-Yahoo-Newman-Property:     ymail-3
  3. I'm pretty sure my server isn't hacked
Aaron Digulla

2 Answers

8

Just to add to @Polynomial's (what seems to me to be correct) answer (upvoted), when you talk to your friend, don't approach him/her as if it's a confrontation. I've seen many folk (after being hacked) react so badly because they felt they were confronted.

I think you can quickly confirm if it is a phish by asking if he's aware of the situation or if any of his other friends have received such emails? If his account was hacked as Polynomial rightly suggested then I doubt you're alone in receiving such a spam/phish, unless for some (rare) reason you're being specifically targeted. I receive similar emails around once per month from some friend, whose webmail password has been compromised (it's interesting when it happens to a security mailing list).

Looking at the mail headers, the X-Spam-Status: No, score=-0.1 header shows that everything on the mail was well-constructed, no content appearing like a spam mail, most likely a low SPF rating on the sending mail server and the websites referenced have no prior in terms of being a phishing or compromised URL. Taken with the results below, this would seem to indicate freshly compromised sites.

I also checked the reputation of the two sites (I regularly do this on such occasions and notify the vendors and the local CERT of such sites, I'd recommend doing so). I used to volunteer at a CSIRT and such notifications are invaluable.

  1. kaosbolaclothing.com

  2. www.sidat.com.mx

From experience, I've found the Websense Lookup Tool to be the best but I no longer have a login there.

I unfortunately don't have time to actually look at the sites to see if they try to exploit anything but I'd be interested to know :)

Mark Hillick
  • Spammers, these days, tend to compromise websites and upload phishing pages. It makes it difficult to trace the hosted page back to them. – Polynomial Aug 23 '12 at 09:07
  • Yep, agreed. It's an arms race and the spammers etc are winning. I actually wrote a paper on it a few years ago for a SANS white paper when I was volunteering at a CSIRT. Like so much else in security, it's more often than not about having an "incident handling" plan, reacting quickly and properly. – Mark Hillick Aug 23 '12 at 09:09
  • @MarkHillick: Did you just check the whole site or the specific page that I mentioned? Maybe just that single page was hacked. But then, maybe it's just targeted spam. I'm not sure whether it's worth to raise my CERT's attention or not :-/ I'm on Linux so it's probably safe to look at the web site (I could download the HTML from the command line, so no way that JavaScript could hack me) but I'm not in a position to do a decent analysis of it (time, knowledge). – Aaron Digulla Aug 23 '12 at 09:13
  • @AaronDigulla Only the domain, if I'd time, I'd check the pages. You can ask a URL checker to manually review a site & they **should** check the complete site and then categorise it accordingly. The "good behaviour" is to notify the CERT but given the amount of attacks like this now, a CERT probably won't want to look at it unless it's out of the ordinary or has big impact. Re. browsing on Linux being safer, see this from [yesterday](http://security.stackexchange.com/questions/19055/is-it-safer-to-use-less-heard-of-software-than-popular-software) :) I use a VM in such scenarios. – Mark Hillick Aug 23 '12 at 09:28
  • 1
    Upvoted for the helpful details on reputation checking :) – Stennie Aug 23 '12 at 09:31
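The header reading in the answer above (DKIM signed and valid for yahoo.com, a clean SpamAssassin score, a webmail submission hop in the Received chain) can be automated for the next mail like this. The script below is an added example, not code from the question or either answer: it parses a header block, walks the Received headers oldest-first, reads the DKIM `d=` tag and checks whether From, Reply-To and Return-Path line up with it. `SAMPLE_HEADERS` is constructed from the block posted in the question with every address replaced by a made-up placeholder (`victim@example.com`, `friend.name@yahoo.com`, `reply@example.net`) and the DKIM `b=` value truncated; the Reply-To on a different domain is an assumption made so the mismatch check has something to report.

```python
"""Header triage for a suspected phishing mail (added example, not from the thread).

Reads a raw header block, walks the Received chain oldest-first, extracts the
DKIM d= tag and the SpamAssassin summary, and reports whether From / Reply-To /
Return-Path agree with the signing domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed from the question's header block; addresses are placeholders,
# the DKIM b= value is truncated, and the Reply-To domain is an assumption.
SAMPLE_HEADERS = """\
Return-Path: <friend.name@yahoo.com>
Received: from nm23-vm1.bullet.mail.ne1.yahoo.com ([98.138.91.50]) by www.hepe.com with smtp (Exim 4.72) (envelope-from <friend.name@yahoo.com>) id 1T4LtC-0007qp-De for victim@example.com; Thu, 23 Aug 2012 03:07:17 +0200
Received: from [98.138.90.51] by nm23.bullet.mail.ne1.yahoo.com with NNFMP; 23 Aug 2012 01:07:12 -0000
Received: from [98.138.89.174] by tm4.bullet.mail.ne1.yahoo.com with NNFMP; 23 Aug 2012 01:07:12 -0000
Received: from [127.0.0.1] by omp1030.mail.ne1.yahoo.com with NNFMP; 23 Aug 2012 01:07:12 -0000
Received: (qmail 52628 invoked by uid 60001); 23 Aug 2012 01:07:11 -0000
Received: from [216.58.103.108] by web163902.mail.gq1.yahoo.com via HTTP; Wed, 22 Aug 2012 18:07:11 PDT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1345684031; bh=GeuilzHJrvCxtRBuL4FZxQ7aXRM6tpTAePrK26c0570=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=Yr4o5RXwGl5U
From: Friend Name <friend.name@yahoo.com>
Reply-To: reply@example.net
X-Spam-Status: No, score=-0.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE autolearn=unavailable version=3.3.1

"""

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOP_RE = re.compile(r"from (\S+)(?: \(([^)]*)\))? by (\S+)")


def domain_of(header_value):
    """Lower-cased domain of the first address in a From/Reply-To/Return-Path value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() or None


def received_chain(msg):
    """Received hops oldest-first (headers are stored newest-first). Entries without
    a 'from ... by ...' pair, such as qmail's 'invoked by uid' line, are kept raw."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())
        m = HOP_RE.search(value)
        if not m:
            hops.append({"raw": value})
            continue
        sender, paren, relay = m.groups()
        ip = IP_RE.search(paren or "") or IP_RE.search(sender)
        hops.append({"from": sender.strip("[]"), "ip": ip.group(0) if ip else None,
                     "by": relay, "via_http": " via HTTP" in value})
    return hops


def dkim_signing_domain(msg):
    """The d= tag of DKIM-Signature, or None when the mail carries no signature."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    return tags.get("d", "").strip().lower() or None


def spamassassin_summary(msg):
    """(score, [rule names]) from SpamAssassin's X-Spam-Status header."""
    status = " ".join(msg.get("X-Spam-Status", "").split())
    score = re.search(r"score=(-?\d+(?:\.\d+)?)", status)
    tests = re.search(r"tests=(.*?)(?:\s+autolearn=|\s+version=|$)", status)
    names = [t.strip() for t in tests.group(1).split(",") if t.strip()] if tests else []
    return (float(score.group(1)) if score else None), names


def triage(raw_headers):
    """Return the facts a responder checks first, plus a list of plain findings."""
    msg = message_from_string(raw_headers)
    hops = received_chain(msg)
    origin = next((h for h in hops if h.get("ip")), None)  # oldest hop with an IP
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    signing = dkim_signing_domain(msg)
    score, tests = spamassassin_summary(msg)
    r = {"from_domain": from_domain, "reply_to_domain": reply_domain,
         "return_path_domain": domain_of(msg.get("Return-Path")),
         "dkim_domain": signing, "dkim_validated": "DKIM_VALID" in tests,
         "dkim_aligned": signing is not None and signing == from_domain,
         "origin_ip": origin["ip"] if origin else None,
         "origin_relay": origin["by"] if origin else None,
         "submitted_via_webmail": bool(origin and origin["via_http"]),
         "reply_to_mismatch": bool(reply_domain and reply_domain != from_domain),
         "spam_score": score, "hop_count": len(hops), "findings": []}
    f = r["findings"]
    if r["dkim_validated"] and r["dkim_aligned"]:
        f.append("DKIM verifies and d= matches From: the mail left the From domain's own "
                 "servers, so the account itself, not just a display name, was used")
    elif signing is None:
        f.append("no DKIM signature: the From header could have been forged anywhere")
    if r["submitted_via_webmail"]:
        f.append("submitted through a webmail session from %s" % r["origin_ip"])
    if r["reply_to_mismatch"]:
        f.append("Reply-To points at %s; replies would not reach the friend" % reply_domain)
    if score is not None and score < 0:
        f.append("content scored clean; link reputation is the remaining signal to check")
    return r


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print("%-22s %s" % (key, value))
```

On the constructed sample this reports a validated, aligned yahoo.com signature, a webmail submission from 216.58.103.108 and a Reply-To on another domain, which is the combination that separates Polynomial's "account is being used" scenario from a plain header forgery. Note that `DKIM_VALID` is taken from SpamAssassin's own verdict as recorded in the header; the script does not re-verify the signature itself.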
6

They probably did come from your friend, but not intentionally. There are two likely scenarios:

  1. A spammer knows your friend's email password, and is using details from previous emails to scam you.
  2. Your friend's computer has malware on it, and it's using their email account to send spam. In this case, it's probably pulling names and other details from the contact list.

In either case, tell your friend and get him/her to clear up their machine and change their password. Make sure it's in that order, otherwise malware could just keylog the new password.

In terms of the sites, it's difficult to know whether they're dedicated phishing/spam domains, or just sites that have been hacked into. In the USA it's a federal crime to send scam emails, so you can report it via IC3.

Update: It's likely that the attacker is monitoring your communications (e.g. Facebook, Twitter) and using them to target you directly. At this point it may be effective to just reply and say "I know you're trying to phish me, I'm not falling for it, bugger off."

Polynomial
  • And, could it be a faked sender, using some tools like FakeMailer, so his friend email account has not been compromised, but the attackers knows it, and is trying to *phish* him? – eversor Aug 23 '12 at 08:35
  • I'm also leaning towards phishing right now. It's possible that the Yahoo account is hacked but I'm still curious how they made the connection between me and my friend. We just met a couple of times at Linux events, so there is no close relation between the two of us. – Aaron Digulla Aug 23 '12 at 08:39
  • Possible that they're monitoring conversations through other channels. Facebook? Twitter? – Polynomial Aug 23 '12 at 08:47
  • I'm not using Twitter but he might be in my list of friends on Facebook. Checking ... yep, we're connected via Facebook. Sounds like a hit. – Aaron Digulla Aug 23 '12 at 08:54
  • Are you searchable by email address on Facebook? If so, it's likely they found your profile that way. – Polynomial Aug 23 '12 at 08:55
  • @Polynomial: Yep, that makes sense. I'm searchable by email (maybe I should switch that off :-/) so that would explain everything I've found so far. – Aaron Digulla Aug 23 '12 at 09:10