
K7Blog


Warning: Beware of email phishing and scams

Story Background

At the beginning of August my girlfriend carelessly lost her iPhone while she was out. She immediately enabled Lost Mode, reported the SIM card as lost and, after buying a new phone, triggered a remote wipe of the old one over the network.

Today the incident suddenly came back to mind. A while ago I had improved the code from my earlier post "DDOS cost is so low, 26 lines of code to complete the test", and I wondered whether any Apple ID phishing emails had arrived so that I could DDOS the phishing website.

Beware of Email Phishing + Scams

First I went through my text messages for any phishing SMS related to the lost phone and found none. Then I noticed a notification from my 189 mailbox (China Telecom's mail service) saying that several emails had arrived.

[Screenshot: Snipaste_2024-09-16_18-43-59]

Note the three emails I marked: the first two look harmless, just strings of random characters, while the third is the phishing email itself.

Scam Emails

First, let's look at the content of the first two emails:

[Screenshot: Snipaste_2024-09-16_18-46-10]
[Screenshot: Snipaste_2024-09-16_18-47-11]

The link text shown in the email reads www.pbc.gov.cn (the People's Bank of China), which an ordinary user would take for the genuine site and might well click.

As everyone knows, the visible text of a link and its actual target need not agree; the same line can be written as:

<a href="https://www.k7blog.com">www.pbc.gov.cn</a>

but that is not the interesting part. For example, if I copy the segment 【中国人民银行征信中心通知】 (Notice from the People's Bank of China Credit Reference Center) out of the email, what actually ends up on the clipboard is this:

【畅愁丽呵胡活纶中里殴鲸举福亢国乐急闭人亮灿卡厕民察葱壳很乘钞银炼斌华撑毁行鸟盲公检炼积据征练亏断信讲疆据极弗罢阔中较饺蚂颗边鸽浆心局杆睛改痉镰痴闯通火币滥乐锰还知美诽构恨】

Seen another way:

【.......中......国...人....民......银.....行.......征...信.......中.......心........通......知....】

Each dot stands for one inserted junk character. The junk is present in the message source, which is why a copy picks it up, but it is not shown when the mail is rendered, so a human reads the intended subject while a keyword-based spam filter sees a string that matches nothing. I have to admit the ingenuity of these people.
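As an added example (not code from the post), here is a gap-tolerant keyword check in Python that still catches the padded subject above, where a plain substring filter fails. The phrase and the padded string are copied from the post; the function names are my own.

```python
from typing import Optional

# Blocklisted phrase: the real subject of the scam mail discussed above.
PHRASE = "中国人民银行征信中心通知"

# What the author got when copying that "subject" out of the mail body
# (string taken from the post): junk characters between every real one.
PADDED = "【畅愁丽呵胡活纶中里殴鲸举福亢国乐急闭人亮灿卡厕民察葱壳很乘钞银炼斌华撑毁行鸟盲公检炼积据征练亏断信讲疆据极弗罢阔中较饺蚂颗边鸽浆心局杆睛改痉镰痴闯通火币滥乐锰还知美诽构恨】"


def find_interleaved_phrase(text: str, phrase: str, max_gap: int) -> Optional[list]:
    """Return the text indices at which `phrase` appears as an ordered
    subsequence with at most `max_gap` other characters between consecutive
    matched characters, or None if there is no such match.

    Layer i of the DP holds every text position usable as phrase[i], mapped
    to the position it was reached from. Keeping all candidates (rather than
    greedily taking the nearest one) matters: with max_gap=1, "abc" occurs in
    "abbxc" only via the second "b".
    """
    if not phrase:
        return []
    layers = [{p: None for p, c in enumerate(text) if c == phrase[0]}]
    for ch in phrase[1:]:
        layer: dict = {}
        for q in layers[-1]:
            # ch must sit within the next 1 + max_gap positions after q.
            for p in range(q + 1, min(q + 2 + max_gap, len(text))):
                if text[p] == ch:
                    layer.setdefault(p, q)
        layers.append(layer)
    if not layers[-1]:
        return None
    pos = min(layers[-1])               # earliest possible end of a match
    positions = [pos]
    for layer in reversed(layers[1:]):  # follow back-pointers to the start
        pos = layer[pos]
        positions.append(pos)
    positions.reverse()
    return positions


def padding_count(positions: list) -> int:
    """How many junk characters were hidden inside the matched span."""
    return positions[-1] - positions[0] + 1 - len(positions)


if __name__ == "__main__":
    hit = find_interleaved_phrase(PADDED, PHRASE, max_gap=10)
    print("substring filter:", PHRASE in PADDED)  # False
    print("gap-tolerant filter:", hit is not None, "junk hidden:", padding_count(hit))
```

The gap bound is what keeps the check useful: with no bound, any long enough text contains almost any short phrase as a subsequence.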

In any case, these sites are all offline by now, including the one in the scam email that arrived this morning.

Phishing Emails

[Screenshot: Snipaste_2024-09-16_19-02-47]

Target site: appie.szhjmr.com. Unfortunately it is already unreachable, and historical DNS resolution tools turned up no content for it.

I did, however, find the domain's history through an SEO lookup tool: https://seo.chinaz.com/szhjmr.com

The recorded page title is "Download the Jiuyou Sports App (Full Site) iOS/Android/Mobile APP Download", which shows that the domain previously hosted a black-market site. It is registered through GNAME and is also about to expire.

The domain resolved to 168.76.114.42; FOFA queries for both the IP and the domain returned nothing useful.

My current suspicion is that the domain was bought as a soon-to-expire domain on GNAME's second-hand market: GNAME requires no real-name verification and accepts cryptocurrency, so a domain can change hands quickly.

From the email header, I obtained the following content:

X-Transaction-ID: 1b97a9970d4e4bfd92ab3ef43e1cea99
X-Real-From: [email protected]
X-Receive-IP: 117.57.106.35
X-MEDUSA-Status: 0
Sender: [email protected]

The sending IP, 117.57.106.35, geolocates to Huaibei, Anhui. The local part of the sender address is a mobile phone number; I looked it up through a free social-engineering bot and got back only the associated QQ account's LOL game character, nothing useful, and in any case nobody is likely to register a mailbox under their own phone number to send phishing emails.

And that is where the matter ends!
