8

A friend received a spoofed email (from Bank of America using an uber.com address) which was correctly identified as 'spam' by Gmail. However, looking at the raw message it seems to have passed SPF, DKIM and DMARC checks.

1) How did a spam email manage to pass SPF, DKIM and DMARC using a source domain as popular as uber.com - a domain the spammers likely don't control?

2) Is there anything else in the message header/body which would conclusively determine the email to be spoofed? (i.e. other than probabilistic reasoning or blacklisting of elements contained within e.g. external links)

Pasted below is the entire raw message (destination email changed for anonymity).

Delivered-To: myemail@gmail.com
Received: by 2002:a19:f009:0:0:0:0:0 with SMTP id p9csp8149944lfc;
        Thu, 2 May 2019 15:48:40 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyhm5pZuY7Fm7UQDAafePILEmcZUG7oB/gvcd6J/EhUFwZiS3XMf65THeoGx++FQCmhzOCE
X-Received: by 2002:a17:906:13d2:: with SMTP id g18mr3231656ejc.78.1556837320717;
        Thu, 02 May 2019 15:48:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1556837320; cv=none;
        d=google.com; s=arc-20160816;
        b=eXB2eqanspJQA6s/q5LqzZmlHbIEk21g9zucGA8hxmjYVXu0b3XnZzYUdJjY5bA0at
         P6F6qlig4aO5N2Gsr8a9MDRSvvfAibeRTENq/7iO3gaUQIbAM9gQ/aQhV6uLiD+DoSZU
         dHhhwJB2GQ/5Dh6HoXNuj4SrTMn3yHOEuQA4I+Htw7B1CASkDTIKcs7CART606F33R3N
         hJqQWlkTlXRNKeSCVY9Ji+7Ij08mciIOJXA2ug0ZYvH9W/C1St8yENSLKfFcrJlk/U/c
         OyxFmB11yDK9wP9Af5JyzOlkNvGVhXgo1oZzNuB0cyY0nn/HynNrzWhhhTBohg6p92k7
         9CuQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=message-id:to:subject:reply-to:mime-version:from:date
         :dkim-signature:dkim-signature;
        bh=qLQDboUSSv8iAbkYL4wb/BR8FXlb49YUxc2eDjBWs5k=;
        b=EtdsO3m3lHH8+WCcDco6Ahfet2PLEix2p1NKcgzqD7fH+37MPmVieWp3qZo2gy0cgD
         VP4TGaspSGND2cjBZUqlTr6ScJPj98eRtsIOVb/CRgocSy354o72WzT43P2LXJaOSz+L
         Rq814M7GHwrtutY3bWpYteO2nEAg18EgSyjC7mYqYvERRa7OFhIJO36/ZnAxCGV5xWTm
         nd3evLaWNpsRP8eUysyOkuC1wGNW9HGCdcs0q5meSfxl+3PmYzTZ4MlrhAxvEWyPRRM4
         gDnwQ7w6RUZjGtbsEWul/5zKa5HDX1jTtH4DRYWe3MaLJ4zpFPQ289mnypfpoHB9vNKb
         wS5A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@uber.com header.s=s1 header.b=sGXq8dN3;
       dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b=hex9bvGh;
       spf=pass (google.com: domain of bounces+3504297-df62-myemail=gmail.com@em.uber.com designates 50.31.36.149 as permitted sender) smtp.mailfrom="bounces+3504297-df62-myemail=gmail.com@em.uber.com";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=uber.com
Return-Path: <bounces+3504297-df62-myemail=gmail.com@em.uber.com>
Received: from o15.email.uber.com (o15.email.uber.com. [50.31.36.149])
        by mx.google.com with ESMTPS id c8si312626edb.189.2019.05.02.15.48.40
        for <myemail@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 02 May 2019 15:48:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounces+3504297-df62-myemail=gmail.com@em.uber.com designates 50.31.36.149 as permitted sender) client-ip=50.31.36.149;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@uber.com header.s=s1 header.b=sGXq8dN3;
       dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b=hex9bvGh;
       spf=pass (google.com: domain of bounces+3504297-df62-myemail=gmail.com@em.uber.com designates 50.31.36.149 as permitted sender) smtp.mailfrom="bounces+3504297-df62-myemail=gmail.com@em.uber.com";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=uber.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=uber.com; h=content-type:from:mime-version:reply-to:subject:to; s=s1; bh=v7x4HoONz0ezNRDnKYF0uc2hhtM=; b=sGXq8dN3+HHhABwT351Y+af+nr2B8 pHTDx2MjlKRIDe7H/cnIsI/CpwpJLrb8Stp9RsP0sP5nK3TZmKHQwJedhRvBTC7n r/uPT0JSi+ONLtF9C+0qRXmWmJtqQzFf9slsVRdHaXX8RLa6yaLLzwsHuuRdaJZG o4oB6ZA5AJCesY=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.info; h=content-type:from:mime-version:reply-to:subject:to:x-feedback-id; s=smtpapi; bh=v7x4HoONz0ezNRDnKYF0uc2hhtM=; b=hex9bvGhVyaiDwHKrN h24yUEJB4HO3pTdxhcoAK5VsaYOCXZx9p4blLSQp3uV8ew7NLo2z/zx4csNICZWh SmC8COHDgWcHciNfl43kiraXp400kRYiGsS1pHqVRX5Ob8D0JkPBK5O8DVaeruG8 CZA/6xSoS+V/bEH7nyXlXwrfc=
Content-Type: multipart/alternative; boundary=05837142e85bc2c4ac09b1d30a5ba3fe4f9b7871babe88f65414e2efb0b2
Date: Thu, 02 May 2019 22:48:36 +0000 (UTC)
From: Bank Of America <peopledevelopment@uber.com>
Mime-Version: 1.0
Reply-to: peopledevelopment@uber.com
Subject: [ALERT] Your account id has been blocked !!
To: myemail@gmail.com
Message-ID: <EYI_MwnGTyKSrZKHNQnOnw@ismtpd0039p1iad1.sendgrid.net>
X-SG-EID: BJ2Hyk3p2HXeBi9v1wQzSyZ8DM5WrDY+tsMwP5EVk1O0bcaJmQS4hZuUFgRtapyAExYteHWmn73qmX 7VEhHR5sd3ci/g+WzM8Uf68Ux7oY1gt0agNXHr4DKEE+nngxEBm8ZP2xGBiEEEpg5Whgqt/yWpHjZ7 HukhCl3QGdVTLehqCV+7CWTGIxhA8qDvQEtuCLBT6YeFBksxtcPbtJlU+nsHzCU+ZUGuJa5/mD+y0F s7tmnWQuHkKZKYL9EbGQts
X-SG-ID: Z2FxZazunBjVeNuNdzHDqrF8mxuCpi0krmont6YQrP1PhrSAm6F2vnhCz+cZmwIQQzzeNf3kS2PU4G C99ZbMEWr4lLYj5ol2knDZ/n3jZwq//ee6CYHr7NePdVS5vtJCVf7ranRUtPwlaGzBDEs80XrtvoiJ GPsexH5dsi0CLhc=
X-Feedback-ID: 3504297:hpZl/F8wyMjPOktsUM9fV9PBbsSgTLHDWo42qpJEarc=:hISn6uOVLCzR0vuCEri7CQ==:SG

--05837142e85bc2c4ac09b1d30a5ba3fe4f9b7871babe88f65414e2efb0b2
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8
Mime-Version: 1.0

Dear Valued Customer,=20

You Have A Personal Security Alert from BankOfAmerica.

Sign-On https://flyingteachers.nl//wp-content/Wordpress/

Note: You will need to update your information for that service completely.=
=20

=C2=A9 Copyright, BankOfAmerica, 2019.=20
Access https://google.com
--05837142e85bc2c4ac09b1d30a5ba3fe4f9b7871babe88f65414e2efb0b2
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8
Mime-Version: 1.0


<HTML><HEAD></HEAD>
<BODY>&nbsp;<IMG src=3D"https://www2.bac-assets.com/homepage/spa-assets/ima=
ges/assets-images-global-logos-boa-logo-CSXe4b047c0.svg" width=3D279 height=
=3D64>=20
<TABLE id=3Dyui_3_7_2_1_1357636237151_3250 style=3D"FONT-SIZE: 12px; FONT-F=
AMILY: Arial, Helvetica, sans-serif" cellSpacing=3D0 cellPadding=3D0 width=
=3D600 border=3D0>
<TBODY></TBODY></TABLE><BR>Dear Valued Customer, <BR><BR>You Have A  Person=
al Security Alert from BankOfAmerica.<BR>
<P></P>
<P><FONT id=3Dyui_3_16_0_1_1399663152274_19869 style=3D"FONT-SIZE: 12px; CO=
LOR: #333333; LINE-HEIGHT: 18px" face=3D"Verdana, sans-serif">
<TABLE id=3Dyui_3_16_0_1_1399663152274_48813 style=3D"BACKGROUND: no-repeat=
 left top" height=3D15 cellSpacing=3D0 cellPadding=3D0 width=3D111 bgColor=
=3D#6cae35 border=3D0>
<TBODY id=3Dyui_3_16_0_1_1399663152274_48812>
<TR id=3Dyui_3_16_0_1_1399663152274_48811 bgColor=3D#6cae35>
<TD id=3Dyui_3_16_0_1_1399663152274_48862 bgColor=3D#6cae35 vAlign=3Dmiddle=
 width=3D15 align=3Dcenter><FONT size=3D2><HTTPS: id=3Dyui_3_16_0_1_1399663=
152274_48861 width=3D"15" height=3D"15" email_cta_arrow.gif=3D"" media=3D""=
 static_assets=3D"" mcontent=3D"" content.usaa.com=3D""></HTTPS:></FONT></T=
D>
<TD id=3Dyui_3_16_0_1_1399663152274_48810 bgColor=3D#6cae35 vAlign=3Dmiddle=
 width=3D96 align=3Dcenter><A id=3Dyui_3_16_0_1_1399663152274_48814 style=
=3D"TEXT-DECORATION: none; COLOR: #fff; FONT: bold 11px arial, sans-serif" =
href=3D"http://email.uber.com/wf/click?upn=3D-2FQ0tIReEQQvMTn37D6ijIfRAMGF2=
MPDMqrIBax6TjqHI26EB2dJUvOpfb6-2BtHW1GBBasvV-2BPdUGxE65m1S0AUw-3D-3D_upBRTD=
Ma1f8arr27T-2FChSHKA02CtoItCQ9e6PNbvcG9XxnPK4VYSIoINuPPUDOYMFaHDvWWc6mRXY-2=
BjkyEJ4uGUdSbHsos4WOz9Yr529xiH9tDHJLxlZMIShGPk0S8U4onf5vQHto3-2B7-2BwbS3DDx=
gGjcR-2BFeB1tfaZTkc-2BdDdmBj2b7z5S6KGHutMpn48l3JhaVOuRvB-2F5niKuSo53oVEp9Ag=
pJI7RnaO6AO3D5pLjHBeAsWMwbWL4o9BhEfMC8cT0zWfUna8GP3wEKDFrXWVmspJeNCXCcqbUUp=
SUF49HwDS-2F279HaQ-2BkL8PVsX8eMAvnRBRi8DRIAWf938W9MaPq8yv9aeEq8G6uedSgCjCX1=
FAAhXKhtxerCOMO6JhOYPlm2-2FHX633X1SrBaiTYZGOw-3D-3D" rel=3Dnofollow target=
=3D_blank>Sign-On</A></TD></TR></TBODY></TABLE></FONT></P>Note: You will ne=
ed to update your information for that service completely. <BR><BR><FONT id=
=3Dyui_3_13_0_1_1398145588576_6499 size=3D1></FONT><FONT size=3D2>=C2=A9 Co=
pyright, BankOfAmerica, 2019.</FONT>=20
<img src=3D"http://email.uber.com/wf/open?upn=3DupBRTDMa1f8arr27T-2FChSHKA0=
2CtoItCQ9e6PNbvcG9XxnPK4VYSIoINuPPUDOYMFaHDvWWc6mRXY-2BjkyEJ4uGUdSbHsos4WOz=
9Yr529xiH9tDHJLxlZMIShGPk0S8U4onf5vQHto3-2B7-2BwbS3DDxgGjcR-2BFeB1tfaZTkc-2=
BdDdmBj2b7z5S6KGHutMpn48l3JhaVOuRvB-2F5niKuSo53oVEnZOKS1AsqehIRfEXmYLYu3fhQ=
UZgheXahrlWwKmrfQylaw7Y2sX09qWBC67FiV-2Fwmf5O6ZvgYoAV3vtQZhLjSa6B7I0DiwhfzK=
11lBOmIXiMuUc30aqH9s9sDIGqnGR8O-2Fdgjw-2FWHQjWqMlfMnd1TWWYULqOl5xYb-2BD-2B1=
JMvHPISuLN3S-2BBtXPo-2BSzlYb9YTw-3D-3D" alt=3D"" width=3D"1" height=3D"1" b=
order=3D"0" style=3D"height:1px !important;width:1px !important;border-widt=
h:0 !important;margin-top:0 !important;margin-bottom:0 !important;margin-ri=
ght:0 !important;margin-left:0 !important;padding-top:0 !important;padding-=
bottom:0 !important;padding-right:0 !important;padding-left:0 !important;"/=
>
</BODY></HTML>
<a href=3D"http://email.uber.com/wf/click?upn=3D-2FQ0tIReEQQvMTn37D6ijIUDYH=
X2-2FyU5mi0Enz-2FchsQI-3D_upBRTDMa1f8arr27T-2FChSHKA02CtoItCQ9e6PNbvcG9XxnP=
K4VYSIoINuPPUDOYMFaHDvWWc6mRXY-2BjkyEJ4uGUdSbHsos4WOz9Yr529xiH9tDHJLxlZMISh=
GPk0S8U4onf5vQHto3-2B7-2BwbS3DDxgGjcR-2BFeB1tfaZTkc-2BdDdmBj2b7z5S6KGHutMpn=
48l3JhaVOuRvB-2F5niKuSo53oVEggJcxBzsBUTFT7XWbdRLfOKJHct29bBLqq-2FiX-2BnFPQ-=
2BLCqjk6YuSfSFkaKdm5QvdZMBusseXcTQlJhzVP-2Beo5392uwTJHnkaMczik43b2te8teMEjS=
hfujpSCF4MTUkjQ5IBldCR7EOeT4-2BF6vpq0Ctnr2W7ZarsqWFftMiNy8s-2BU-2F5eF1gGJwN=
7E92IF4inQ-3D-3D" target=3D"_blank" rel=3D"noopener">Access</a>


--05837142e85bc2c4ac09b1d30a5ba3fe4f9b7871babe88f65414e2efb0b2--
schroeder
  • 123,438
  • 55
  • 284
  • 319
Islay
  • 593
  • 1
  • 4
  • 9
  • 1
    This mail looks not original enough for me to do a proper analysis. I have no idea what might have been changed in the body by the OP since the body hash does not match. The `DKIM-Signature` fields seem to be edited too, i.e. there are only spaces where I would expect newline+space. – Steffen Ullrich May 10 '19 at 04:02
  • The original destination email address has been replaced with "myemail" in a text editor - that's the extent of the change. Indeed, I did not realise earlier that that change alone could've caused the message digest check to fail... – Islay May 10 '19 at 08:38

2 Answers2

7

From: Bank Of America <peopledevelopment@uber.com> is the address used in the header.from field, so technically the email didn't spoof Bank of America but an Uber.com email address with a Display Name property that says Bank of America.

The email was sent via a system that is authorized to send on behalf of the uber.com domain. In this case Sendgrid. (See the DKIM signatures and the naming of the uber.com signature selector: s1).

Sendgrid allows use of API keys to send out emails. All too often these API keys fall into the wrong hands (used in clear text in public website code), and in case of Sendgrid it may mean you can send authenticated emails on behalf of the domain it corresponds to.

Indeed, as @schroeder points out, this should be reported to Uber.

Reinto
  • 223
  • 1
  • 6
5

I entered the header in an email header parser, and it passes because it comes from an authorised and valid uber.com IP address for sending emails (50.31.36.149).

But the DKIM body signature check failed. So, it looks like the phisher got ahold of a valid Uber account and either took an existing email, and replaced the body content, or your edits modified the parts of the email that were signed.

Is there anything else in the message header/body which would conclusively determine the email to be spoofed?

Yes, that fact that it purports to be from Bank of America but sent from an Uber account.

I'd report this to Uber, actually.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 2
    While I agree with the analysis in general (compromised Uber account) I don't think that the mismatch of the body hash is caused by an edit of an existing mail by the attacker. I rather suspect that the OP has made too much edits to the mail himself so that the hash does not match anymore. But this is hard to tell since the real mail received by the OP is unknown. – Steffen Ullrich May 10 '19 at 04:04
  • Thanks, @SteffenUllrich for the pointer. I only changed the original email address to "myemail" and I can see why that might change the body hash. If the body hash is ignored, what may be the most likely explanation? Could this be a standard case of Business Email Compromise? – Islay May 10 '19 at 08:47
  • @Islay I agree with Steffen. The DKIM failure is likely because of your changes. So the minor point of a re-purposed email might not be correct. The core conclusion still holds that someone gained access to the Uber account. – schroeder May 10 '19 at 08:57
  • @schroeder Good point, thanks. I'll point my friend here and, hopefully, he'll shoot it off to Uber's attention. – Islay May 10 '19 at 09:04