Phishing and the .gov TLD

Analysis by Marshall Chen, Yi Lee, and Joe Wu

Brand owners frequently use SPF and DKIM to protect their brands from email forgery. For example, a brand owner could register the same domain name under multiple top-level domains (TLDs), such as .com, .net, .org, etc., and publish SPF/DKIM records for all of these domains (even if they are not actively used). While generally effective, this approach has one loophole: what about the .gov TLD?

This loophole was recently exploited in a massive phishing attack against American Express, which started on March 4. The attackers sent out emails that imitated American Express notifications, which contained a link to a phishing site. We identified more than 50 distinct phishing sites used in this spam run. These were hosted on various compromised domains, and all had the format of hxxp://{compromised website}/amerrricaneaxpress/security.html.

Figure 1. Phishing email (address and phishing URL highlighted)

So far, this has been a fairly ordinary attack. What we found unusual was one of the supposed email addresses used by the attacker. Three addresses were frequently used in this attack:

  • AmericanExpress@welcome.aexp.com
  • fraud@americanexpress.com
  • noreplay@Americanexpress.gov

The first two domain names (aexp.com and americanexpress.com) are both registered to American Express and have SPF/DKIM records published. Emails sent by the attackers from these addresses would fail SPF verification, because the sending IP addresses are not among the authorized ones listed in the SPF record.

In the third case, however, no SPF record would be published at all. Only US government bodies can register .gov domains, and this domain is not even registered. An SPF verification attempt would therefore return none rather than fail, as there is no SPF record to evaluate against. An email system checking SPF records alone would consequently not rule this message to be spam on those grounds, which may increase the likelihood that users receive these spammed messages.
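
The difference between the three sender addresses, and the value of publishing a record even for a parked domain, can be shown with a small SPF-style check. The code below is an added example, not code from the Trend Micro post: it uses a constructed in-memory DNS table (the records, IP ranges, the parked domain aexp.net and the botnet IP 192.0.2.77 are all invented for the example), evaluates only the ip4 and all mechanisms, and then applies a policy layer that refuses to treat an SPF result of none as benign when the domain reuses a protected brand label under another TLD. The protected-label list and verdict names are assumptions of this example.

```python
import ipaddress

# Constructed stand-in for DNS lookups. Keys are domains; values are SPF TXT
# records. A domain absent from the table is treated as nonexistent (NXDOMAIN),
# which is what an unregistered .gov domain returns. The records and IP ranges
# are invented for this example, not the real ones published by the brand.
FAKE_DNS = {
    "welcome.aexp.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "americanexpress.com": "v=spf1 ip4:198.51.100.0/24 ip4:198.51.100.200 -all",
    "aexp.net": "v=spf1 -all",  # parked domain: no host may send for it
}

# SPF qualifiers and the result each one produces on a match (RFC 7208 names).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Brand labels the receiving organisation wants watched. Only the second-level
# label is compared, so americanexpress.gov and americanexpress.com share one.
PROTECTED_LABELS = {"americanexpress", "aexp"}


def lookup_spf(domain, dns=FAKE_DNS):
    """Return the SPF record for a domain, or None when there is none."""
    record = dns.get(domain.lower().rstrip("."))
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def check_spf(sender_ip, domain, dns=FAKE_DNS):
    """Minimal SPF evaluation supporting the ip4 and all mechanisms.

    Returns 'none' (no record or nonexistent domain), 'pass', 'fail',
    'softfail' or 'neutral'. Unknown mechanisms are skipped; that is enough to
    show why a nonexistent domain can never produce 'fail'.
    """
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == 4 and ip in network:
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match, per RFC 7208


def brand_label(domain):
    """Second-level label of a domain: 'americanexpress' for americanexpress.gov."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(sender_ip, address, dns=FAKE_DNS):
    """Combine the SPF result with a brand-label check.

    'fail' -> reject; 'pass' -> accept; 'none' on a domain that reuses a
    protected label under another TLD -> quarantine, because 'none' only means
    nothing could be checked, not that the mail is legitimate. Anything else
    is passed on as unverified for other filters to judge.
    """
    domain = address.rsplit("@", 1)[1]
    result = check_spf(sender_ip, domain, dns)
    if result == "fail":
        verdict = "reject"
    elif result == "pass":
        verdict = "accept"
    elif result == "none" and brand_label(domain) in PROTECTED_LABELS:
        verdict = "quarantine"
    else:
        verdict = "unverified"
    return result, verdict


if __name__ == "__main__":
    BOTNET_IP = "192.0.2.77"  # constructed: outside every authorised range
    for sender in ("AmericanExpress@welcome.aexp.com",
                   "fraud@americanexpress.com",
                   "noreplay@Americanexpress.gov",
                   "billing@aexp.net"):
        print(sender, "->", classify(BOTNET_IP, sender))
```

Run stand-alone, the two registered domains and the parked aexp.net yield fail and are rejected, while the unregistered .gov domain yields none and is quarantined only because its label matches a protected brand; a none result on an unrelated domain is merely left unverified, which is the usual treatment and the reason SPF alone is not a complete answer.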

Our own sources identified more than 430,000 phishing mails sent from more than 4,600 IP addresses as part of this spam run. These IP addresses were located in more than 120 countries. This spam run took place from March 4 to March 11, with most of the senders located in the United States.

Figure 2. Distribution of spam-sending IPs by country

Best Practices

The lessons of this incident are two-fold. First, rolling out SPF/DKIM helps any organization that wants to reduce the incidence of phishing spam sent out using its name. If an organization has not yet implemented SPF/DKIM for its domains, it should consider doing so as soon as practical.

The second lesson is that while email authentication is useful, it is not a complete solution on its own. Email server administrators should keep other solutions in mind as well. Existing Trend Micro technologies such as Email and Web Reputation provide a more complete view of potential email threats.

Phishing URLs seen

The following is a list of the phishing URLs we saw associated with this attack:

  1. hxxp://{space}allemotocykle[.]pl/amerrricaneaxpress/security.html
  2. hxxp://{space}animalwelfare[.]ro/amerrricaneaxpress/security.html
  3. hxxp://{space}aspei[.]be/amerrricaneaxpress/security.html
  4. hxxp://{space}berhengs[.]com/amerrricaneaxpress/security.html
  5. hxxp://{space}bierzoimagina[.]com/amerrricaneaxpress/security.html
  6. hxxp://{space}campusnut[.]com/amerrricaneaxpress/security.html
  7. hxxp://{space}chirurgia-laparoscopica[.]it/amerrricaneaxpress/security.html
  8. hxxp://{space}creationgraphics[.]com/amerrricaneaxpress/security.html
  9. hxxp://{space}dembox[.]fr/amerrricaneaxpress/security.html
  10. hxxp://{space}domorisdeco[.]ro/amerrricaneaxpress/security.html
  11. hxxp://{space}ene-arhitectura[.]ro/amerrricaneaxpress/security.html
  12. hxxp://{space}fizza[.]ro/amerrricaneaxpress/security.html
  13. hxxp://{space}fraa8[.]com/amerrricaneaxpress/security.html
  14. hxxp://{space}harveyouellet[.]com/amerrricaneaxpress/security.html
  15. hxxp://{space}icmct[.]ro/amerrricaneaxpress/security.html
  16. hxxp://{space}made-in-tunisia[.]net/amerrricaneaxpress/security.html
  17. hxxp://{space}mariaclaret[.]edu[.]pe/amerrricaneaxpress/security.html
  18. hxxp://{space}mavisboya[.]com/amerrricaneaxpress/security.html
  19. hxxp://{space}metflex[.]uk[.]com/amerrricaneaxpress/security.html
  20. hxxp://{space}mobel800[.]com/amerrricaneaxpress/security.html
  21. hxxp://{space}motorsportsanalytics[.]com/amerrricaneaxpress/security.html
  22. hxxp://{space}mvccontrib[.]com/amerrricaneaxpress/security.html
  23. hxxp://{space}ndtcomplex[.]com/amerrricaneaxpress/security.html
  24. hxxp://{space}nexttopmodelinternational[.]com/amerrricaneaxpress/security.html
  25. hxxp://{space}nsyst[.]net/amerrricaneaxpress/security.html
  26. hxxp://{space}pelet[.]ro/amerrricaneaxpress/security.html
  27. hxxp://{space}peopleaffairs[.]net/amerrricaneaxpress/security.html
  28. hxxp://{space}raysapplemarkets[.]com/amerrricaneaxpress/security.html
  29. hxxp://{space}shermangraphics[.]com/amerrricaneaxpress/security.html
  30. hxxp://{space}spitalcuzavodaiasi[.]ro/amerrricaneaxpress/security.html
  31. hxxp://{space}SPRINGWELNESS[.]COM/amerrricaneaxpress/security.html
  32. hxxp://{space}starfishgrp[.]biz/amerrricaneaxpress/security.html
  33. hxxp://{space}straphael[.]org[.]uk/amerrricaneaxpress/security.html
  34. hxxp://{space}strongdogz[.]com/amerrricaneaxpress/security.html
  35. hxxp://{space}suluttoday[.]com/amerrricaneaxpress/security.html
  36. hxxp://{space}tabletpclaptops[.]net/amerrricaneaxpress/security.html
  37. hxxp://{space}test3[.]btl-studio[.]com/amerrricaneaxpress/security.html
  38. hxxp://{space}toolsandtools[.]com[.]co/amerrricaneaxpress/security.html
  39. hxxp://{space}truonghinh[.]vn/amerrricaneaxpress/security.html
  40. hxxp://{space}ULUGOLISI[.]COM/amerrricaneaxpress/security.html
  41. hxxp://{space}unmixd[.]com/amerrricaneaxpress/security.html
  42. hxxp://{space}valmartdoors[.]com/amerrricaneaxpress/security.html
  43. hxxp://{space}vapahi[.]com/amerrricaneaxpress/security.html
  44. hxxp://{space}westchem[.]ca/amerrricaneaxpress/security.html
  45. hxxp://{space}www[.]arnika-nmc[.]com/amerrricaneaxpress/security.html
  46. hxxp://{space}www[.]arsline[.]ch/amerrricaneaxpress/security.html
  47. hxxp://{space}www[.]cadworkz[.]com/amerrricaneaxpress/security.html
  48. hxxp://{space}www[.]casaviejo[.]com/amerrricaneaxpress/security.html
  49. hxxp://{space}www[.]harveyouellet[.]com/amerrricaneaxpress/security.html
  50. hxxp://{space}www[.]restaurantesdeasturias[.]com/amerrricaneaxpress/security.html
  51. hxxp://{space}www[.]rmckwt[.]com/amerrricaneaxpress/security.html
  52. hxxp://{space}www[.]ROMEOLONGISLAND[.]COM/amerrricaneaxpress/security.html
  53. hxxp://{space}www[.]sama-libya[.]com[.]ly/amerrricaneaxpress/security.html
  54. hxxp://{space}www[.]sodataltemuco[.]cl/amerrricaneaxpress/security.html
  55. hxxp://{space}www[.]TWJENGINEERING[.]COM/amerrricaneaxpress/security.html

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 23 March 2015; the full text is available from the content source named above.