Phishing and the .gov TLD
Analysis by Marshall Chen, Yi Lee, and Joe Wu
Brand owners frequently use SPF and DKIM to protect their brands from email forgery. For example, a brand owner could register the same domain name under multiple top-level domains (TLDs) such as .com, .net, .org, etc., and publish SPF/DKIM records for all of these domains (even if they are not actively being used). While generally effective, there is one loophole: what about the .gov TLD?
This loophole was recently exploited in a massive phishing attack against American Express, which started on March 4. The attackers sent out emails that imitated American Express notifications, which contained a link to a phishing site. We identified more than 50 distinct phishing sites used in this spam run. These were hosted on various compromised domains, and all had the format of hxxp://{compromised website}/amerrricaneaxpress/security.html.
Figure 1. Phishing email (address and phishing URL highlighted)
So far, this has been a fairly ordinary attack. What we found unusual was one of the supposed email addresses used by the attacker. Three addresses were frequently used in this attack:
- AmericanExpress@welcome.aexp.com
- fraud@americanexpress.com
- noreplay@Americanexpress.gov
The first two domain names (aexp.com and americanexpress.com) are both registered by American Express, and have SPF/DKIM records published. Emails with these addresses would fail SPF verification, as their IP address would be inconsistent with the authentic ones in the SPF record.
In the third case, however, no SPF record would be published at all. Only US government bodies can register .gov domains, and this one is not registered. An SPF verification attempt would therefore return a result of none rather than fail, as there is no SPF record to evaluate. An email system that rejects messages only on an SPF fail would not rule this message to be spam on those grounds alone, which may increase the chance that users receive these spammed messages.
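The difference between an SPF fail and an SPF none is the whole point of the attack above, so here is a minimal SPF evaluator that reproduces it. This is an added example, not code from the post or from Trend Micro: the zone data is a constructed lookup table (not real DNS records), the IP ranges are documentation addresses, and the two verdict functions are hypothetical mail-filter policies. It covers the brand-owner practice described earlier (SPF records published for every registered domain) and the .gov gap described in this section (a sender domain that does not exist at all).

```python
import ipaddress

# Constructed zone data (not real DNS): domain -> list of TXT records,
# or None when the name does not exist at all (NXDOMAIN). The .gov entry
# models the unregistered sender domain from the post.
FAKE_DNS = {
    "aexp.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "americanexpress.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "americanexpress.gov": None,
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain, dns=FAKE_DNS):
    """Return (exists, txt_records) for a domain in the constructed zone."""
    records = dns.get(domain.lower())
    if records is None:
        return False, []
    return True, records


def evaluate_spf(domain, sender_ip, dns=FAKE_DNS):
    """Subset of SPF: ip4:/ip6: mechanisms plus the 'all' mechanism.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'. The 'none'
    result is what a checker sees when no SPF record exists, which
    includes the case where the domain itself does not exist.
    """
    _, txts = lookup_txt(domain, dns)
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if not spf:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in spf[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term.lower() == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def naive_verdict(domain, sender_ip, dns=FAKE_DNS):
    """Hypothetical policy that rejects only on an explicit SPF fail."""
    return "reject" if evaluate_spf(domain, sender_ip, dns) == "fail" else "accept"


def hardened_verdict(domain, sender_ip, dns=FAKE_DNS):
    """Hypothetical policy that also treats 'none' from a non-existent
    sender domain as suspicious instead of letting it through."""
    result = evaluate_spf(domain, sender_ip, dns)
    exists, _ = lookup_txt(domain, dns)
    if result == "fail":
        return "reject"
    if result == "softfail" or (result == "none" and not exists):
        return "quarantine"
    return "accept"


if __name__ == "__main__":
    spammer_ip = "203.0.113.7"  # constructed sending IP, outside every SPF range
    for sender in ("welcome.aexp.com", "americanexpress.com", "Americanexpress.gov"):
        domain = sender.split(".", 1)[1] if sender.startswith("welcome.") else sender
        print(sender, evaluate_spf(domain, spammer_ip),
              naive_verdict(domain, spammer_ip), hardened_verdict(domain, spammer_ip))
```

Run it and the two registered domains come back as fail and are rejected by both policies, while the unregistered .gov domain comes back as none: the naive policy accepts it, the hardened one quarantines it because the sender domain does not exist. In a real deployment the "exists" signal comes from an NXDOMAIN answer rather than a dictionary lookup, and a DMARC policy on the brand's domains would add the alignment check that plain SPF lacks.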
Our own sources identified more than 430,000 phishing mails sent from more than 4,600 IP addresses as part of this spam run. These IP addresses were located in more than 120 countries. This spam run took place from March 4 to March 11, with most of the senders located in the United States.
Figure 2. Distribution of spam-sending IPs by country
Best Practices
The lessons of this incident are two-fold. First, rolling out SPF/DKIM is helpful to any organization that wants to reduce the amount of phishing spam sent out using its name. If an organization is not yet implementing SPF/DKIM for its domains, it should consider doing so as soon as is practical.
The second lesson is that while email authentication is useful, it is not a complete solution either. Email server administrators should keep other solutions in mind. Existing Trend Micro technologies such as Email and Web Reputation provide a more complete view of potential email threats.
Phishing URLs seen
The following is a list of the phishing URLs we saw associated with this attack:
- hxxp://{space}allemotocykle[.]pl/amerrricaneaxpress/security.html
- hxxp://{space}animalwelfare[.]ro/amerrricaneaxpress/security.html
- hxxp://{space}aspei[.]be/amerrricaneaxpress/security.html
- hxxp://{space}berhengs[.]com/amerrricaneaxpress/security.html
- hxxp://{space}bierzoimagina[.]com/amerrricaneaxpress/security.html
- hxxp://{space}campusnut[.]com/amerrricaneaxpress/security.html
- hxxp://{space}chirurgia-laparoscopica[.]it/amerrricaneaxpress/security.html
- hxxp://{space}creationgraphics[.]com/amerrricaneaxpress/security.html
- hxxp://{space}dembox[.]fr/amerrricaneaxpress/security.html
- hxxp://{space}domorisdeco[.]ro/amerrricaneaxpress/security.html
- hxxp://{space}ene-arhitectura[.]ro/amerrricaneaxpress/security.html
- hxxp://{space}fizza[.]ro/amerrricaneaxpress/security.html
- hxxp://{space}fraa8[.]com/amerrricaneaxpress/security.html
- hxxp://{space}harveyouellet[.]com/amerrricaneaxpress/security.html
- hxxp://{space}icmct[.]ro/amerrricaneaxpress/security.html
- hxxp://{space}made-in-tunisia[.]net/amerrricaneaxpress/security.html
- hxxp://{space}mariaclaret[.]edu[.]pe/amerrricaneaxpress/security.html
- hxxp://{space}mavisboya[.]com/amerrricaneaxpress/security.html
- hxxp://{space}metflex[.]uk[.]com/amerrricaneaxpress/security.html
- hxxp://{space}mobel800[.]com/amerrricaneaxpress/security.html
- hxxp://{space}motorsportsanalytics[.]com/amerrricaneaxpress/security.html
- hxxp://{space}mvccontrib[.]com/amerrricaneaxpress/security.html
- hxxp://{space}ndtcomplex[.]com/amerrricaneaxpress/security.html
- hxxp://{space}nexttopmodelinternational[.]com/amerrricaneaxpress/security.html
- hxxp://{space}nsyst[.]net/amerrricaneaxpress/security.html
- hxxp://{space}pelet[.]ro/amerrricaneaxpress/security.html
- hxxp://{space}peopleaffairs[.]net/amerrricaneaxpress/security.html
- hxxp://{space}raysapplemarkets[.]com/amerrricaneaxpress/security.html
- hxxp://{space}shermangraphics[.]com/amerrricaneaxpress/security.html
- hxxp://{space}spitalcuzavodaiasi[.]ro/amerrricaneaxpress/security.html
- hxxp://{space}SPRINGWELNESS[.]COM/amerrricaneaxpress/security.html
- hxxp://{space}starfishgrp[.]biz/amerrricaneaxpress/security.html
- hxxp://{space}straphael[.]org[.]uk/amerrricaneaxpress/security.html
- hxxp://{space}strongdogz[.]com/amerrricaneaxpress/security.html
- hxxp://{space}suluttoday[.]com/amerrricaneaxpress/security.html
- hxxp://{space}tabletpclaptops[.]net/amerrricaneaxpress/security.html
- hxxp://{space}test3[.]btl-studio[.]com/amerrricaneaxpress/security.html
- hxxp://{space}toolsandtools[.]com[.]co/amerrricaneaxpress/security.html
- hxxp://{space}truonghinh[.]vn/amerrricaneaxpress/security.html
- hxxp://{space}ULUGOLISI[.]COM/amerrricaneaxpress/security.html
- hxxp://{space}unmixd[.]com/amerrricaneaxpress/security.html
- hxxp://{space}valmartdoors[.]com/amerrricaneaxpress/security.html
- hxxp://{space}vapahi[.]com/amerrricaneaxpress/security.html
- hxxp://{space}westchem[.]ca/amerrricaneaxpress/security.html
- hxxp://{space}www[.]arnika-nmc[.]com/amerrricaneaxpress/security.html
- hxxp://{space}www[.]arsline[.]ch/amerrricaneaxpress/security.html
- hxxp://{space}www[.]cadworkz[.]com/amerrricaneaxpress/security.html
- hxxp://{space}www[.]casaviejo[.]com/amerrricaneaxpress/security.html
- hxxp://{space}www[.]harveyouellet[.]com/amerrricaneaxpress/security.html
- hxxp://{space}www[.]restaurantesdeasturias[.]com/amerrricaneaxpress/security.html
- hxxp://{space}www[.]rmckwt[.]com/amerrricaneaxpress/security.html
- hxxp://{space}www[.]ROMEOLONGISLAND[.]COM/amerrricaneaxpress/security.html
- hxxp://{space}www[.]sama-libya[.]com[.]ly/amerrricaneaxpress/security.html
- hxxp://{space}www[.]sodataltemuco[.]cl/amerrricaneaxpress/security.html
- hxxp://{space}www[.]TWJENGINEERING[.]COM/amerrricaneaxpress/security.html
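The list above is defanged (hxxp, [.], {space}) and every entry shares the same path, which makes it usable both as a host blocklist and as a path signature for compromised hosts that were not in the list. The following is an added example, not code from the post or from Trend Micro: it refangs a few of the URLs listed above, then scans constructed proxy log lines (the log format and client addresses are made up) for either a known host or the campaign path on an unknown host.

```python
from urllib.parse import urlsplit

# A subset of the defanged URLs from the post, exactly as listed.
DEFANGED_URLS = [
    "hxxp://{space}aspei[.]be/amerrricaneaxpress/security.html",
    "hxxp://{space}fizza[.]ro/amerrricaneaxpress/security.html",
    "hxxp://{space}www[.]ROMEOLONGISLAND[.]COM/amerrricaneaxpress/security.html",
]

# Constructed proxy log lines: "<time> <client> <method> <url> <status>".
SAMPLE_LOG = """\
Mar  5 10:12:01 10.0.0.12 GET http://aspei.be/amerrricaneaxpress/security.html 200
Mar  5 10:12:05 10.0.0.12 GET http://www.example.com/index.html 200
Mar  5 10:13:44 10.0.0.31 GET http://not-in-list.example/amerrricaneaxpress/security.html 200
Mar  5 10:14:02 10.0.0.31 GET http://www.ROMEOLONGISLAND.COM/amerrricaneaxpress/security.html 404
Mar  5 10:15:10 10.0.0.40 GET http://fizza.ro/ 200
"""


def refang(url):
    """Undo the defanging used in the post so the URL can be parsed."""
    url = url.replace("hxxps://", "https://").replace("hxxp://", "http://")
    return url.replace("{space}", "").replace("[.]", ".")


def build_indicators(defanged_urls):
    """Return (hosts, paths): lowercase hostnames and the URL paths seen."""
    hosts, paths = set(), set()
    for u in defanged_urls:
        parts = urlsplit(refang(u))
        hosts.add(parts.hostname.lower())  # hostname is already lowercased by urlsplit
        paths.add(parts.path)
    return hosts, paths


def scan_log(log_text, hosts, paths):
    """Return (client, url, reason) for each line matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        client, url = fields[3], fields[5]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in hosts:
            hits.append((client, url, "known-phishing-host"))
        elif parts.path in paths:
            # Same campaign path on a host not yet in the list: worth a look.
            hits.append((client, url, "campaign-path-on-unlisted-host"))
    return hits


if __name__ == "__main__":
    hosts, paths = build_indicators(DEFANGED_URLS)
    for client, url, reason in scan_log(SAMPLE_LOG, hosts, paths):
        print(f"{client}\t{reason}\t{url}")
```

The last sample line (a request to a listed host's front page) is flagged on host alone, which is the right call for a compromised site during the campaign window but also the kind of match that needs review afterwards, once the site owner has cleaned up.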
Post from: Trendlabs Security Intelligence Blog – by Trend Micro