Email Phishing and Spams Trends - Be wary

Avice De'veréux — Tue, 11 Dec 2007 14:09:28 +0000

Below is typical phishing email I received on Dec 8, 2007. It was send to one of my active gmail accounts.

The Email Header

From: “Gmail Team”
Subject: Gmail Warning!!!! Verify Your Gmail Account To Avoid Close.
Part of the message ↓: Dear member,

This message is from gmail message center to all gmail free account owners
and premium account owners. We are currently upgrading our data base and
e-mail account center. We are deleting all unused gmail account to create
more space for new accounts.

*To prevent your account from closing, you will have to verify it below so
that we will know that it’s a present used account.*

* CONFIRM YOUR IDENTITY. VERIFY YOUR FREE GMAIL ACCOUNT NOW !!! [...]

Raw Email Content

This are part of of the raw message on gmail its not download via pop3. Certain meta info is not available as its got filtered by gmail services (spam automatic removal).

Delivered-To random-victims-name@gmail.com
Received: by 10.114.235.19 with SMTP id i19cs230694wah;
 Sat, 8 Dec 2007 04:27:12 -0800 (PST)
Received: by 10.141.20.7 with SMTP id x7mr3231780rvi.1197116792300;
 Sat, 08 Dec 2007 04:26:32 -0800 (PST)
Received: by 10.141.115.15 with HTTP; Sat, 8 Dec 2007 04:26:32 -0800 (PST)
Message-ID: <2f83b9150712080426n4a018c86mc2af4a4ed271f223@mail.gmail.com>
Date: Sat, 8 Dec 2007 13:26:32 +0100
From: "Gmail Team" 
Reply-To: customercareteamalert2@gmail.com
Subject: Gmail Warning!!!! Verify Your Gmail Account To Avoid Close.
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_Part_11145_31274162.1197116792293"

------=_Part_11145_31274162.1197116792293
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

 Dear Member*,* **
 * Account Alert*
***
 *
 *VERIFY YOUR GMAIL ACCOUNT NOW TO AVOID CLOSE !!!*
***GMAI L
*Dear Member*,*
 This message is from gmail message center to all gmail free account owners
and premium account owners. We are currently upgrading our data base and
e-mail account center. We are deleting all unused gmail account to create
more space for new accounts.

 *To prevent your account from closing, you will have to verify it below so
that we will know that it's a present used account.*

* CONFIRM YOUR IDENTITY. VERIFY YOUR FREE GMAIL ACCOUNT NOW !!!

 Gmail! ID:.........................

 Password:........................

 Your Birthday:.................

 Your Country or Territory:...........
 Enter the Security
Characters:......... [image: Registration
Verification Code]
*

 *Warning!!! **Account owner that refuses to update his or her account
before two weeks of receiving this warning will lose his or her account
permanently. *
**
*Sincerely,*
*Gmail Team*

------=_Part_11145_31274162.1197116792293
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Dear Member,

 Account Alert

VERIFY YOUR GMAIL ACCOUNT NOW TO AVOID CLOSE !!!

GMAI
 L
Dear Member,

This message is from gmail message center to all gmail free account owners and premium account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused gmail account to create more space for new accounts.

To prevent your account from closing, you will have to verify it below so that we will know that it's a present used account.

CONFIRM YOUR IDENTITY. VERIFY YOUR FREE GMAIL ACCOUNT NOW !!! 

       Gmail! ID:.........................

        Password:........................

       Your Birthday:.................

       Your Country or Territory:........... 

       Enter the Security Characters:.........                                

Warning!!!   Account owner that refuses to update his or her account before two weeks of receiving this warning will lose his or her account permanently.

Sincerely,
Gmail Team

------=_Part_11145_31274162.1197116792293--

They used Outlook to published this email and leeched numbers of images across different “known” web services ↓

Image Sources

Gmail Logo: Google Presskit logo

Captcha : yahoo (SSL)

Gmail Logo 2: genbeta.com (might be their host)

Header: EbayStatic Server

Whats the motiff

It may seem funny to read the message as this are pretty much a script kiddies at work. I’m sure that most savvy users will not trust this types of threat. But what most people unaware of is the “Image” portions of the message. It can play a big role for expoiting email.

QuickInfo: Spam “images” trends start around june 2006 and earlier version of popular email client (Outlook and Thunderbird) doesn’t block images by default.

If you are familliar with Internet Security in general,you may notice that there is many attemp and proof of concept method in exploiting Images like “TIFF & JPEG“. Both of this vulnurebilities exists in Internet Explorer Browser and various microsoft windows products. While we can only make educated guesses as there is no real working proof yet.

My doodling scenario produce this ↓

Session “hacker” create a malicious server side image → proxy tunnel send to multiple email server → the curious victim open the email → steal client informations (cookie or server session cookie) → spoof the request → send RST back to client (reset) → dump the victims data in one instance. → write signature on victim email (avoid loop) → propogate using victims session → new net-worm is born

Try digging around VX Heavens & milw0rm Database you’ll find something to start thinkering.

Kakkoi » millw0rm

Email Phishing and Spams Trends - Be wary

The Email Header

Raw Email Content

Whats the motiff