Automated Pseudo-Google Phishing Mails

I have been collecting these unbranded “Google-esque” messages for about a month now with multiple handles, and I have cleared up a few things:

  • 1. Each e-mail contains an “invisible” string of text that can only be seen when formatting and HTML are disabled through a spam marker (such as the one found in Thunderbird). I do not know what this string does, but here are a few of the word groups I collected from the emails:

    auerbach piraeus physiology english trencher exposition rightly flavors chastising forthcoming ambient vaughan southern appalling stopper devoting subtitled craftsperson heroic

    bipartisan prompted monarchs rehearsal booksellers acclimating measle cough archer overhanging bees attributions negotiations damaged baffling

    spokesmen confirming deliverable balkanization unavailability seasonably riboflavin decompress consummation cask emmett restfully grail transports molochize nations tampers breakthroughs instabilities sidestep exaction insist skirt represses huey citation badness assigns refills organizational mottoes

    These are reminiscent of the tags used in tech support popups to trick search engine indexing services so they are more likely to appear in results. The strings differ in length, both in the number of words and in the letter count. Each string begins with the header "et:6", which appears right after the "location" and "copyright" statements.

  • 2. Each email is sent under a random alias drawn from a vocabulary of six words: Administration, Support, Notification, Service, Accounts and Reminder. Here are all the email addresses I received these emails from, repeat offenders included:

    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]

    While these are not all of them, there appears to be nothing out of the ordinary here: randomly generated email handles from dumped data.

  • 3. The subject is customized for the recipient. If your email format is [email protected], the title of the email will appear as “Joe, Critical/Security alert for your (linked) account <random string of numbers>”. The first letter is always capitalized.

  • 4. Although there is no Google branding on any of the offending emails, the "physical location" statement found next to the "copyright" notice is the address of the Googleplex (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), the headquarters of Google. Also, the icon used in the body of the email is from Google's clip art set.

  • 5. All the hyperlinks in the emails lead to the same phishing site. Here's a short list of the addresses I have collected:

    tradesinfo.com
    powerx.hoachatsaigon.vn
    torfinn.com
    hellofriends.in
    blog.nexvisionix.com
    adxland.com
    votepiranhas.com (this one appeared five times over five addresses with different HTML targets)
    blog.bong789.com (this one appeared twice)
    rotary100.org
    cgcldawahcenter.com
    tl886.com
    hdindonesia.xeemore.com

  • 6. For closing remarks, here are some images and the VirusTotal analysis of that weird votepiranhas.com website:

    https://imgur.com/a/u8LIF2n

    https://www.virustotal.com/de/url/d67ede9d8e16691986937991edbf08b6f09f5ed090acf671324af0037cbdfda0/analysis/

    Thank you for reading!

    rotary100.org appears to be a genuine website run by the 100th Rotary Guild of Arizona; however, that doesn’t change the fact that http://rotary100.org/wp-content/cretant.html appears in a phishing email.

    @1888TechLineOfficial#61793 Probably; adxland.com appears to be a shoddily built “firm” website. The ICANN lookup data is redacted, so I can’t comment on its legitimacy.

    ADX Land as a company appears to be based in China, and the lack of a company lookup for mainland China makes this a hard trick to pull off. I will check the Hong Kong CR though; they might have something on it.

    @1888TechLineOfficial#61793 It turns out that the Hong Kong CR is a paid service and you need to pay actual operating fees to look at financial documents. I saw a file that could let me see who the current director is, but the system asks for a fee of around 14 HKD for the online copy. Here are two screenshots I grabbed during my limited login time:

    https://imgur.com/a/KJRNwoc

    The good news is that ADX Land is registered in Hong Kong, which is much more reachable than the PRC if it eventually comes down to a question of legality.

    It turns out that all the phishing links end up at one of these three pages; the string of numbers at the end changes based on the random string of numbers found in the subject of the email:

    http://dietlines-health.world/?a=401336&c=cpcdiet&s=280918 (PANAMA)
    http://healthlinesdiet.world/?a=401336&c=cpcdiet&s=280918 (PANAMA)
    http://burning-fats.world/?a=401336&c=cpcdiet&s=280918 (PANAMA)

    They are all hosted in Panama and have "redacted details" in ICANN's lookup.
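Added example, not the OP's code: a small Python triage script that checks a raw message against the indicators listed in the main post (the six sender aliases, the subject pattern built from the recipient's local part, the hidden "et:6" word string, the Googleplex address, every link pointing at one host) and normalises the three .world landing URLs from the follow-up so the s= value can be compared with the number in the subject. The sample message is constructed; the first-hop link, the street address and the landing URL are the ones quoted in the thread, while the sender address, recipient, body wording and subject number are assumptions.

```python
"""Indicator checks for the unbranded "Google-esque" phishing run described in the
thread. Example code, not the poster's. Indicator values come from the thread;
the sample message is constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

ALIAS_VOCAB = {"Administration", "Support", "Notification", "Service", "Accounts", "Reminder"}
GOOGLEPLEX = "1600 amphitheatre parkway, mountain view, ca 94043"
SUBJECT_RE = re.compile(r"^(?P<name>[A-Z][^,]*), (?:Critical|Security) alert for your "
                        r"(?:linked )?account (?P<sid>\d+)$")
LANDING_HOSTS = {"dietlines-health.world", "healthlinesdiet.world", "burning-fats.world"}
LANDING_PARAMS = {"a": "401336", "c": "cpcdiet"}   # constant in the thread; "s" varies
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}
# Inline CSS that hides text from a rendering client but not from a text-only view.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt|em)?\s*(?:;|$)"
    r"|(?<![\w-])color\s*:\s*(?:#fff(?:fff)?|white)\b", re.I)


class HiddenTextScanner(HTMLParser):
    """Splits body text into visible/hidden runs and collects link targets."""

    def __init__(self):
        super().__init__()
        self.stack, self.depth = [], 0              # depth > 0 inside a hidden element
        self.visible, self.hidden, self.links = [], [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        if tag in VOID_TAGS:                        # no end tag follows: don't push
            return
        hidden = bool(HIDDEN_CSS.search(attrs.get("style") or ""))
        self.depth += int(hidden)
        self.stack.append(hidden)

    def handle_startendtag(self, tag, attrs):       # <a .../>: record link only
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])

    def handle_endtag(self, tag):
        if self.stack and self.stack.pop():
            self.depth -= 1

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.hidden if self.depth else self.visible).append(text)


def analyze(raw: str) -> dict:
    """Score one raw RFC 5322 message against the indicators from the thread."""
    msg = message_from_string(raw, policy=policy.default)
    alias, _ = parseaddr(str(msg["From"] or ""))
    local = parseaddr(str(msg["To"] or ""))[1].split("@")[0]
    subj = SUBJECT_RE.match(str(msg["Subject"] or ""))
    part = msg.get_body(preferencelist=("html", "plain"))
    scanner = HiddenTextScanner()
    scanner.feed(part.get_content() if part else "")
    scanner.close()
    hidden = " ".join(scanner.hidden)
    r = {
        "alias_vocab": alias in ALIAS_VOCAB,
        "subject_pattern": subj is not None,
        "subject_sid": subj["sid"] if subj else None,
        # greeting name is the recipient's local part with its first letter capitalised
        "subject_name_from_local_part": bool(subj) and subj["name"] == local.capitalize(),
        "hidden_et6": hidden.startswith("et:6"),
        "hidden_word_count": len(hidden.split()) - 1 if hidden.startswith("et:6") else 0,
        "googleplex_address": GOOGLEPLEX in " ".join(scanner.visible).lower(),
        "links": scanner.links,
        "single_destination": len({urlparse(u).hostname for u in scanner.links}) == 1,
    }
    hits = sum(r[k] for k in ("alias_vocab", "subject_pattern", "hidden_et6",
                              "googleplex_address", "single_destination"))
    r["verdict"] = "matches campaign" if hits >= 3 else "no match"
    return r


def classify_landing(url: str) -> dict:
    """Normalise a final landing URL into host plus affiliate/campaign/sub-id."""
    p = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    return {"host": p.hostname, "known_host": p.hostname in LANDING_HOSTS,
            "affiliate_params": all(q.get(k) == v for k, v in LANDING_PARAMS.items()),
            "s": q.get("s")}


def landing_matches_subject(result: dict, final_url: str) -> bool:
    """The s= value should equal the number in the subject line (follow-up post)."""
    return result["subject_sid"] is not None and result["subject_sid"] == classify_landing(final_url)["s"]


# Constructed sample (not a captured message). Sender/recipient are placeholders;
# the first-hop link and street address are quoted from the thread, and the
# subject number is chosen to line up with the s= value of the quoted landing URL.
SAMPLE = """\
From: Support <random.handle@example.invalid>
To: joe@example.invalid
Subject: Joe, Security alert for your linked account 280918
Content-Type: text/html; charset=utf-8

<html><body>
<img src="cid:icon" alt="">
<p>Security alert for your account.</p>
<p><a href="http://rotary100.org/wp-content/cretant.html">Review activity</a></p>
<p><a href="http://rotary100.org/wp-content/cretant.html">Not you?</a></p>
<p>1600 Amphitheatre Parkway, Mountain View, CA 94043, USA<br>Copyright &copy;</p>
<span style="font-size:0;display:none">et:6 auerbach piraeus physiology english trencher exposition</span>
</body></html>
"""

if __name__ == "__main__":
    result = analyze(SAMPLE)
    for key, value in result.items():
        print(f"{key:30} {value}")
    print("landing s= matches subject:",
          landing_matches_subject(result, "http://dietlines-health.world/?a=401336&c=cpcdiet&s=280918"))
```

The hidden-text scanner only looks at inline `style` attributes, which is what the "et:6" string in these mails relies on; a campaign that hides text through a `<style>` block or an off-screen position would need the CSS rules extended. The landing-URL check is offline by design: feed it the final URL after following the redirect chain in a sandbox rather than resolving the links from the triage host.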