@ObjectBoxPC
Last active March 19, 2022 00:45
Analysis of a URL in an Amazon phishing e-mail
# URL in the phishing e-mail is https://t.co/tmI9IHHvTk?signature=newsletter&trackingid=dpx9Ve0JW3iV15k4k4itEmDGAuJQEpNq
# Times are UTC-7
$ wget -O /dev/null 'https://t.co/tmI9IHHvTk?signature=newsletter&trackingid=dpx9Ve0JW3iV15k4k4itEmDGAuJQEpNq'
--2022-03-18 13:30:42-- https://t.co/tmI9IHHvTk?signature=newsletter&trackingid=dpx9Ve0JW3iV15k4k4itEmDGAuJQEpNq
Resolving t.co (t.co)... 104.244.42.133, 104.244.42.197, 104.244.42.69, ...
Connecting to t.co (t.co)|104.244.42.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://linkedin.com/slink?code=gcfcUq57 [following]
--2022-03-18 13:30:42-- https://linkedin.com/slink?code=gcfcUq57
Resolving linkedin.com (linkedin.com)... 2620:1ec:21::14, 13.107.42.14
Connecting to linkedin.com (linkedin.com)|2620:1ec:21::14|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.linkedin.com/slink?code=gcfcUq57 [following]
--2022-03-18 13:30:42-- https://www.linkedin.com/slink?code=gcfcUq57
Resolving www.linkedin.com (www.linkedin.com)... 2620:1ec:21::14, 13.107.42.14
Connecting to www.linkedin.com (www.linkedin.com)|2620:1ec:21::14|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://uab.cubatao.sp.gov.br/wp-content/ImageData.php?minus=moon [following]
--2022-03-18 13:30:42-- https://uab.cubatao.sp.gov.br/wp-content/ImageData.php?minus=moon
Resolving uab.cubatao.sp.gov.br (uab.cubatao.sp.gov.br)... 179.108.87.39
Connecting to uab.cubatao.sp.gov.br (uab.cubatao.sp.gov.br)|179.108.87.39|:443... connected.
ERROR: The certificate of ‘uab.cubatao.sp.gov.br’ is not trusted.
ERROR: The certificate of ‘uab.cubatao.sp.gov.br’ doesn't have a known issuer.
# Not sure why the certificate is not trusted; it works in my browser (Firefox)
$ wget -O /dev/null --no-check-certificate 'https://uab.cubatao.sp.gov.br/wp-content/ImageData.php?minus=moon'
--2022-03-18 13:30:57-- https://uab.cubatao.sp.gov.br/wp-content/ImageData.php?minus=moon
Resolving uab.cubatao.sp.gov.br (uab.cubatao.sp.gov.br)... 179.108.87.39
Connecting to uab.cubatao.sp.gov.br (uab.cubatao.sp.gov.br)|179.108.87.39|:443... connected.
WARNING: The certificate of ‘uab.cubatao.sp.gov.br’ is not trusted.
WARNING: The certificate of ‘uab.cubatao.sp.gov.br’ doesn't have a known issuer.
HTTP request sent, awaiting response... 302 Found
Location: https://www.amazon.com/ [following]
--2022-03-18 13:30:59-- https://www.amazon.com/
Resolving www.amazon.com (www.amazon.com)... 162.219.225.118
Connecting to www.amazon.com (www.amazon.com)|162.219.225.118|:443... connected.
HTTP request sent, awaiting response... 503 Service Unavailable
2022-03-18 13:30:59 ERROR 503: Service Unavailable.
# Seems like we need to add a User-Agent header to get it to redirect to the phishing site
$ wget -O /dev/null --header='User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0' --no-check-certificate 'https://uab.cubatao.sp.gov.br/wp-content/ImageData.php?minus=moon'
--2022-03-18 13:32:07-- https://uab.cubatao.sp.gov.br/wp-content/ImageData.php?minus=moon
Resolving uab.cubatao.sp.gov.br (uab.cubatao.sp.gov.br)... 179.108.87.39
Connecting to uab.cubatao.sp.gov.br (uab.cubatao.sp.gov.br)|179.108.87.39|:443... connected.
WARNING: The certificate of ‘uab.cubatao.sp.gov.br’ is not trusted.
WARNING: The certificate of ‘uab.cubatao.sp.gov.br’ doesn't have a known issuer.
HTTP request sent, awaiting response... 302 Found
Location: https://www.alymzons.com/?return=&vid=6234ec4929e9cd1ce6616117 [following]
--2022-03-18 13:32:09-- https://www.alymzons.com/?return=&vid=6234ec4929e9cd1ce6616117
Resolving www.alymzons.com (www.alymzons.com)... 35.233.129.192
Connecting to www.alymzons.com (www.alymzons.com)|35.233.129.192|:443...
# Phishing site seems to be down
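# Added example (not part of the gist): a hop-by-hop redirect resolver that takes a caller-supplied fetcher and flags User-Agent-conditional cloaking like the uab.cubatao.sp.gov.br hop above. The fetcher here is constructed to replay the observed hops so the script runs offline; the generic UA string and the max_hops limit are assumptions.

```python
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# fetch(url, user_agent) -> (status, Location header or None). It must NOT
# follow redirects itself; a real one could wrap urllib.request with a
# redirect handler that refuses to follow, so every hop is recorded.
Fetcher = Callable[[str, str], Tuple[int, Optional[str]]]

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
GENERIC_UA = "Wget/1.21"  # assumed non-browser client string

def follow_chain(url: str, fetch: Fetcher, user_agent: str, max_hops: int = 10) -> List[str]:
    """Return every URL visited, starting with url, until a non-redirect
    response, a redirect loop, or max_hops redirects."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url, user_agent)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)  # Location may be relative
        if url in chain:              # redirect loop: stop here
            break
        chain.append(url)
    return chain

def cloaking_check(url: str, fetch: Fetcher) -> Tuple[str, str, bool]:
    """Final host seen by a generic client vs. a browser UA; True when they
    differ, which is the cloaking behaviour observed in the session above."""
    plain = urlparse(follow_chain(url, fetch, GENERIC_UA)[-1]).hostname
    browser = urlparse(follow_chain(url, fetch, BROWSER_UA)[-1]).hostname
    return plain, browser, plain != browser

def constructed_fetch(url: str, user_agent: str) -> Tuple[int, Optional[str]]:
    """Constructed replay of the hops in the wget session; no network access."""
    host = urlparse(url).hostname
    if host == "t.co":
        return 301, "https://linkedin.com/slink?code=gcfcUq57"
    if host == "linkedin.com":
        return 301, "https://www.linkedin.com/slink?code=gcfcUq57"
    if host == "www.linkedin.com":
        return 301, "https://uab.cubatao.sp.gov.br/wp-content/ImageData.php?minus=moon"
    if host == "uab.cubatao.sp.gov.br":  # this hop keys on the User-Agent
        if "Mozilla" in user_agent:
            return 302, "https://www.alymzons.com/?return=&vid=6234ec4929e9cd1ce6616117"
        return 302, "https://www.amazon.com/"
    return 200, None

if __name__ == "__main__":
    print(cloaking_check("https://t.co/tmI9IHHvTk?signature=newsletter", constructed_fetch))
```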