Beware of the “India Post 170th Anniversary” WhatsApp Scam

November 11, 2024 Anurag2 Comments

Recently, a new phishing scam has been circulating on WhatsApp, claiming to celebrate the “India Post 170th Anniversary.” The message includes a shortened URL, such as https://tinyurl.com/lndiaPost-1164

which redirects unsuspecting users to a fraudulent website: https://indiapost37.pages.dev/22602976.

This website impersonates India Post, one of India’s largest postal networks, in an attempt to steal users’ personal information. Here’s a breakdown of how the scam works and how to stay protected:

How the Scam Works

The Message: It starts with a WhatsApp message claiming that India Post is celebrating its 170th anniversary with special prizes. This message contains a shortened link that appears legitimate at first glance, using the name “India Post” to gain trust.
The Phishing Website: Once the link is opened, it redirects to a webpage mimicking the official India Post website, complete with logos and branding. However, this page is hosted on a suspicious domain (pages.dev), which is a clear red flag that it is not an official India Post site.
Fake Questionnaire: The page presents users with simple questions such as:
- What is your age?
- What is your gender?
- Do you know about India Post?

The goal here is to keep the user engaged while also making the scam seem more legitimate.

4. “Prize” Announcement: After answering the questions, users are prompted with a pop-up claiming they have won a large amount of money—typically in the range of INR 62,478.55. This is an attempt to excite users and push them to the next step, which involves sharing more sensitive information.

5. Request for Personal Information: To claim the so-called prize, users are then asked to provide personal details such as their email address and mobile number. This is the final stage where the scammers collect information that could be used for future phishing attacks, identity theft, or selling the data to other cybercriminals.

Key Red Flags to Recognize the Scam

Unfamiliar Domain Name: The genuine India Post website domain is indiapost.gov.in. Any other domain should be considered suspicious.
Requests for Personal Information: Government institutions rarely ask for personal details through unsolicited messages or unverified websites.
Too Good to Be True Prizes: Randomly winning large sums of money without prior participation is a classic sign of a scam.

To further investigate the legitimacy of these URLs, we can utilize VirusTotal, an online tool for checking websites and files for potential threats. Upon submitting both URLs

https://tinyurl.com/lndiaPost-1164 and https://indiapost37.pages.dev/2260297 VirusTotal scans them against multiple security databases and provides a report with detailed insights. In this case, the report reveals that both URLs have been flagged by several security vendors as malicious or phishing sites. Screenshots from VirusTotal show clear warnings of suspicious behavior, confirming that these URLs are designed to deceive users into revealing personal information. This evidence underscores the importance of checking untrusted links on reputable scanning platforms before clicking them.

How to Stay Safe

Avoid Clicking Suspicious Links: Never click on links sent from unknown numbers, especially those that seem promotional or too good to be true.
Verify with Official Sources: Go directly to the official India Post website (indiapost.gov.in) or contact them directly to confirm any offers.
Report Phishing Attempts: If you receive such a message, report it on WhatsApp and avoid forwarding it to others.
Educate Others: Share this information with friends and family to prevent them from falling victim to similar scams.

Conclusion

Phishing scams like these take advantage of people’s trust and curiosity. By staying alert and following best practices online, you can avoid falling prey to such fraudulent schemes. Always verify links and offers directly with official organizations and be cautious of any request for personal information from unverified sources.

Stay safe and share awareness—your vigilance is your best defense!

Reference:

Any.run Report on the analysis

Instagram Phishing Email: We detected a new login into your Instagram account

October 4, 2024 Anurag2 Comments

How to Spot the Phishing Email Right Away

The first red flag in this scam is that the email doesn’t come from an official Instagram domain. Instead, the message is sent via an unfamiliar email address that is clearly not affiliated with Instagram. A legitimate email from Instagram will come from an official domain like @mail.instagram.com or similar. If you notice the sender’s email address is strange or not even remotely related to Instagram, it’s a phishing attempt.

Email Body: Suspicious Links and No Mention of Account Details

This phishing email didn’t mention Instagram username, the location of the alleged login, or any details expected from a real alert.

Moreover, the email typically contains links urging you to “Send Password Request” and “Not My Request“. Instead of leading to Instagram’s official site, the link is a mailto: link with several email addresses, which is highly suspicious. No legitimate company, let alone Instagram, would handle account security issues this way.

Upon reviewing the email header, I noticed that it was sent from 144 . 76 . 133 . 106 (Germany).

And all the email addresses were listed in the mailto: field.

Key Red Flags of the Phishing Email

Unfamiliar Email Address: Always check the sender’s email address. Phishing emails usually come from random addresses that don’t resemble official Instagram domains.
No Mention of Your Account: The email fails to specify which Instagram account is affected. A legitimate alert would always include details such as your account username, device, or location of the suspicious activity.
Suspicious Links: The email includes odd links (often mailto: links with multiple email addresses) instead of leading to Instagram’s official help page or security center.
Generic Greeting: Phishing emails often use non-personal greetings like “Dear User” or “Hello Instagram User” instead of addressing you by your actual name or username.
Pressure Tactics: The email urges immediate action to “secure your account,” but provides no credible way to verify the login attempt through legitimate channels.

Conclusion

The “We detected a new login into your Instagram account” phishing email is an obvious scam, particularly when you notice that it doesn’t mention which account was compromised. The lack of details, unfamiliar sender, and suspicious links make it easy to identify as a phishing attempt. Stay vigilant, verify any unusual emails, and always prioritize your online security.

Have you ever encountered an email like this? Share your experience and help others stay safe online!

Beware of Phishing Emails: “Hey, You Have a Problem” Scam

August 24, 2024August 24, 2024 Anurag2 Comments

Phishing scams are becoming increasingly sophisticated, and one of the more recent and alarming tactics involves an email with the subject line “Hey, You Have a Problem.” The body of the email is brief but ominous:

Subject: Hey, you have Problem
Body: Hi! You have a problem.
Details here
You have very little time.
Don’t you dare share this info with any of your friends.

The email contains a link to a website that supposedly contains more information about the so-called “problem.” However, this link is a trap designed to exploit your fear and curiosity.

How the Scam Works

The Hook: The email’s vague and alarming message is designed to create a sense of urgency. The phrase “You have very little time” triggers panic, pushing you to click on the link without thinking.
The Deception: Once you click the link, you’re taken to a website that claims you’ve been hacked. The site may impersonate a hacker, threatening that they have gained control of your device, taken screenshots of you through your camera, or recorded your browsing activity.
The Demand: To avoid these fabricated consequences, the “hacker” demands a ransom payment in Bitcoin, a popular cryptocurrency known for its anonymity. The site might also include a countdown timer, adding further pressure to comply quickly.

Email header

The email sent by id rafaelgarciays@buhuchetnko.ru client IP: 92.53.96.143

Redirection link

The link given in email redirects to domain https :// 59exp . ru and the VirusTotal score for this URL is 1/96

What Happens When You Click the Link?

If you click on the link provided in the email, here’s what typically happens next:

Personalized Attack: The link contains a parameter specific to the victim’s email address, allowing the scammer to track which email recipient clicked on the link. This personalization adds a layer of authenticity to the scam, making it more convincing.
Fake Ransom Demands: Once on the phishing site, you’ll be presented with a message from an alleged hacker claiming that they have compromised your device. The message might say that they have deployed a script on a website you visited, which allegedly allowed them to take screenshots of you using your camera.
Bitcoin Ransom: The scammer then demands a ransom, usually in Bitcoin, to prevent the release of these “screenshots” or other fabricated evidence of wrongdoing. The demand is typically accompanied by threats and a tight deadline to create a sense of urgency.

Opening Phishing Site

The phishing site links a security incident to the victim’s email ID and the Bitcoin address 1CWTFeMfPCG1Q6uVLSpHUmQ1J1i6hxj1LK, where the scammer demands a transfer of USD $699.

After reviewing the blockchain transactions associated with the Bitcoin address 1CWTFeMfPCG1Q6uVLSpHUmQ1J1i6hxj1LK, no transaction for the amount of USD $699 has been found to date.

How to Protect Yourself

Don’t Click on Suspicious Links: If you receive an unexpected email with a link, especially one that makes alarming claims, don’t click on it. Instead, verify the sender’s identity through other means.
Check the URL: Before clicking any link, hover over it to see the actual URL. If it looks suspicious or unfamiliar, don’t click it.
Be Skeptical of Urgent Requests: Scammers often create a false sense of urgency to pressure you into acting quickly. Take a moment to think before responding to any urgent requests, especially those involving money.
Use Strong, Updated Security Measures: Ensure your devices are protected with up-to-date antivirus software, and consider using a password manager to help secure your accounts.
Report Phishing Attempts: If you receive a phishing email, report it to your email provider and any relevant authorities. This helps protect others from falling victim to the same scam.
Educate Yourself and Others: Stay informed about the latest phishing tactics and share this information with friends, family, and colleagues to help them avoid similar scams.

Conclusion

Phishing scams like the “Hey, You Have a Problem” email are designed to exploit your fears and pressure you into making hasty decisions. By staying informed and following best practices for online security, you can protect yourself from these malicious schemes. Remember, when in doubt, it’s always better to be cautious and verify before taking action.

Phishing/Sextortion Email – For your own safety, I highly recommend reading this email

March 29, 2024April 23, 2024 AnuragLeave a comment

Phishing/Sextortion Email:

Subject: For your own safety, I highly recommend reading this email

Hello <name>,
You are in big trouble.
However, don't panic right away. Listen to me first, because there is always a way out.

You are now on the radar of an international group of hackers, and such things never end well for anyone.
I'm sure you've heard of Anonymous. Well, compared to us, they are a bunch of schoolboys.
We are a worldwide network of several thousand professionals, each with their own role.

Someone hacks corporate and government networks, someone cooperates with intelligence agencies on the most delicate tasks,
and someone (including me) deals with people like you to maintain the infrastructure of our group.
"What kind of people like me?" - that is the question you are probably asking yourself now.

The answer is simple: people who like to watch highly controversial and, shall we say,
unconventional pornography on the internet that most normal people would consider perverted.
But not you!

In order to leave you without any doubts, I'll explain how I found it out.
Two months ago, my colleagues and I installed spyware software on your computer and then gained access to all of your devices, including your phone.
It was easy - one of those many pop-ups on porn sites was our work.

I think you already understand that we would not write to an ordinary man who watches "vanilla" and even hardcore porn - there is nothing special about that.
But the things you're watching are beyond good and evil.
So after accessing your phone and computer cameras, we recorded you masturbating to extremely controversial videos.
There is a close-up footage of you and a little square on the right with the videos you're pleasing yourself.
However, as I said earlier, there is always a way out, because even the most degraded sinner deserves leniency.
You are lucky today because I am not a sadist who enjoys other people's suffering.
Only money matters to me.

Here is your salvation: you must transfer $1490 in Bitcoin to this BTC cryptocurrency wallet: 19VQ4UwfrMskCbRLPrzsaL6TUCYomNdvKt

You have exactly 48 hours to make the payment, so think less, and do more.
As soon as I receive confirmation of the transaction, I will delete all compromising content and permanently disable our computer worm.
Believe me, I always abide by gentleman's agreements. Even with people who are hardly gentlemen. Because it's nothing personal, just business.

If I do not receive a payment, I will send all videos of you to every person in your contact list, messengers and email.
Relatives, loved ones, colleagues, friends-everyone you've ever been in contact with will receive them.
You understand perfectly well that you will never be able to wash this stain on your reputation.
Everyone will remember you as sick as fuck.
Your life will be completely ruined, and, most likely, only a tightened noose around your neck will be able to save the day.

If you haven't dealt with crypto before, I suppose it won't be difficult for you to figure it all out.
Simply type in the "crypto exchange" into the search bar and pay with a credit card. Besides, based on your browser history, you are a savvy user.
When you want to, you can dig into the darkest depths of the Internet, so I'm sure you will be able to find out what is what.

Here is what my colleagues and I should warn you against:
...Do not reply to this email. Do you really think we are so stupid to be tracked by an email address? This is a temporary disposable email.
 As soon as I clicked "Send", it was gone for good.
...Forget about law-enforcement authorities. As soon as I see that you are trying to contact them, the compromising material will be published.
 Remember, I have access to all your devices, and I can even track your movements.
...Do not reset your devices to factory settings and do not try to get rid of your devices.
 It won't help in any way. Look above - my All-seeing eye is watching all your actions. It is easy to hunt you down.

I am sorry that we met in such circumstances. Probably, everything could be different if you had been more careful about what you are doing on the Internet.
Watch yourself from now on, because even such things that you previously considered insignificant can destroy your life in the future like a butterfly effect.
I hope this is goodbye forever. However, it depends on you.

P.S. The countdown is on. The choice is yours.

This is a phishing sextortion email scam spreading in last few days. I came across few blog posts and tweets mentioning same email content.

A phishing sextortion email is a specific type of malicious email that combines elements of both phishing and sextortion. In such emails, the sender typically claims to have compromising or explicit material of the recipient, often obtained through a supposed hack or malware installed on the recipient’s device. The email usually includes threats to release this material unless a ransom is paid, typically in cryptocurrency.

These emails often employ psychological manipulation and intimidation tactics to coerce the recipient into complying with the demands. They may include personal information about the recipient, such as their name, username, or password (which may have been obtained from previous data breaches), to make the threats seem more credible.

Email header:

Received: from CH3PR14MB6324.namprd14.prod.outlook.com (2603:10b6:610:14d::22)
 by MW4PR14MB5997.namprd14.prod.outlook.com with HTTPS; Tue, 26 Mar 2024
 20:58:35 +0000
Received: from MW4PR04CA0203.namprd04.prod.outlook.com (2603:10b6:303:86::28)
 by CH3PR14MB6324.namprd14.prod.outlook.com (2603:10b6:610:14d::22) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.32; Tue, 26 Mar
 2024 20:58:34 +0000
Received: from CO1NAM11FT116.eop-nam11.prod.protection.outlook.com
 (2603:10b6:303:86:cafe::ee) by MW4PR04CA0203.outlook.office365.com
 (2603:10b6:303:86::28) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.13 via Frontend
 Transport; Tue, 26 Mar 2024 20:58:33 +0000
Authentication-Results: spf=fail (sender IP is 45.233.98.42)
 smtp.mailfrom=hotmail.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=hotmail.com;compauth=fail
 reason=001
Received-SPF: Fail (protection.outlook.com: domain of hotmail.com does not
 designate 45.233.98.42 as permitted sender) receiver=protection.outlook.com;
 client-ip=45.233.98.42; helo=[45.233.98.42];
Received: from [45.233.98.42] (45.233.98.42) by
 CO1NAM11FT116.mail.protection.outlook.com (10.13.174.243) with Microsoft SMTP
 Server id 15.20.7430.22 via Frontend Transport; Tue, 26 Mar 2024 20:58:32
 +0000

Email header shows this email has been sent from IP 45.233.98.22 from Brazil.

When searched on Mxtoolbox, found this IP address is already in blacklist on “s5h.net” and “SORBS SPAM“.

Scammers have demanded $1490 bitcoin to transfer to Crypto wallet 19VQ4UwfrMskCbRLPrzsaL6TUCYomNdvKt and when I have received this email I checked for this wallet, there were no transactions but unfortunately now I see 2 transactions that means 2 victims fell for it.

link to check transaction for this wallet: Blockchair

If you receive a phishing sextortion email, it’s essential to:

Stay calm: Remember that the sender’s threats may not be legitimate.
Avoid responding or engaging: Do not reply to the email or attempt to contact the sender.
Do not pay the ransom: Paying the ransom encourages further criminal activity and does not guarantee that the threats will stop.
Report the email: Report the email to your email provider as spam or phishing. You can also report it to law enforcement agencies or relevant authorities.

Trojan Agent Tesla – Malware Analysis

April 5, 2020February 8, 2025 Anurag4 Comments

Hash – 077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25

Family : Agent Tesla

Downloaded Sample Link: Click here

Signature: Microsoft Visual C# v7.0/ Basic.NET

Filename: UIhLdVHHlUAKoEOpjVAsXFlIQrgS.exe

VirusTotal score:

Malware behavior:

Steal browser information (URL, Usernames, Passwords)
Steal passwords for email clients.
Steal FTP Clients
Steal download manager passwords.
Collect OS and hardware information.

Browser Information:

When I debug the malware executable, Initially it creates a SQLite database to store collected information from victims machine.

Below are the tables getting created.

Tables created:

meta
logins
sqlite_sequence
stats
compromised_credentials

found it collected browsers data (Google chrome), that includes accessed URLs and related usernames and passwords.

database table logins stores all browser related information. Below are the table columns.

Apart from this, malware also look for all different types of browsers to steal data from it.

It look for below browsers:

Opera Browser
Yandex Browser
360 Browser
Iridium Browser
Comodo Dragon
Cool Novo
Chromium
Torch Browser
7Star
Amigo
Brave
CentBrowser
Chedot
Coccoc
Elements Browser
Epic Privacy
Kometa
Orbitum
Sputnik
Uran
Vivaldi
Citrio
Liebao Browser
Sleipnir 6
QIP Surf
Coowon

Below screenshot taken while debugging malware.

Malware also look for below email clients. I haven’t install any of them on my machine during analyzing this.

Email Clients:

Outlook
Thunderbird
Foxmail
Opera Mail
Pocomail
Claws-mail
Postbox

FTP Clients:

Malware grabs credentials from FTP clients as well. Below list.

FileZilla
Core FTP
SmartFTP
FTPGetter
FlashFXP

It also makes FTP web request. (Remote Server couldn’t find)

It uses smtp client to send information over the network using port 587 which indicates sending data from smtp client to a particular smtp Server through mail attachments.

Malware executable also make HTTPWebRequest which must be downloading SMTP client to transfer data to remote SMTP server.

unfortunately, it didn’t make any connection to any remote server address.

Summary:

Steal Browser Information including urls, usernames and passwords.
Steal email client credentials.
Steal credentials of FTP servers.
Computer information.

Thank you.

Malware Analysis, Phishing, and Email Scams

Cybersecurity Blog

Tag: CyberSecurity