Last active
March 19, 2022 00:45
Save ObjectBoxPC/6dece204ffc216a8022325a1e341db4d to your computer and use it in GitHub Desktop.
Analysis of a URL in an Amazon phishing e-mail
# URL in the phishing e-mail is https://t.co/tmI9IHHvTk?signature=newsletter&trackingid=dpx9Ve0JW3iV15k4k4itEmDGAuJQEpNq
# Times are UTC-7
$ wget -O /dev/null 'https://t.co/tmI9IHHvTk?signature=newsletter&trackingid=dpx9Ve0JW3iV15k4k4itEmDGAuJQEpNq'
--2022-03-18 13:30:42-- https://t.co/tmI9IHHvTk?signature=newsletter&trackingid=dpx9Ve0JW3iV15k4k4itEmDGAuJQEpNq
Resolving t.co (t.co)... 104.244.42.133, 104.244.42.197, 104.244.42.69, ...
Connecting to t.co (t.co)|104.244.42.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://linkedin.com/slink?code=gcfcUq57 [following]
--2022-03-18 13:30:42-- https://linkedin.com/slink?code=gcfcUq57
Resolving linkedin.com (linkedin.com)... 2620:1ec:21::14, 13.107.42.14
Connecting to linkedin.com (linkedin.com)|2620:1ec:21::14|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.linkedin.com/slink?code=gcfcUq57 [following]
--2022-03-18 13:30:42-- https://www.linkedin.com/slink?code=gcfcUq57
Resolving www.linkedin.com (www.linkedin.com)... 2620:1ec:21::14, 13.107.42.14
Connecting to www.linkedin.com (www.linkedin.com)|2620:1ec:21::14|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://uab.cubatao.sp.gov.br/wp-content/ImageData.php?minus=moon [following]
--2022-03-18 13:30:42-- https://uab.cubatao.sp.gov.br/wp-content/ImageData.php?minus=moon
Resolving uab.cubatao.sp.gov.br (uab.cubatao.sp.gov.br)... 179.108.87.39
Connecting to uab.cubatao.sp.gov.br (uab.cubatao.sp.gov.br)|179.108.87.39|:443... connected.
ERROR: The certificate of ‘uab.cubatao.sp.gov.br’ is not trusted.
ERROR: The certificate of ‘uab.cubatao.sp.gov.br’ doesn't have a known issuer.
# Not sure why the certificate is not trusted; it works in my browser (Firefox)
$ wget -O /dev/null --no-check-certificate 'https://uab.cubatao.sp.gov.br/wp-content/ImageData.php?minus=moon'
--2022-03-18 13:30:57-- https://uab.cubatao.sp.gov.br/wp-content/ImageData.php?minus=moon
Resolving uab.cubatao.sp.gov.br (uab.cubatao.sp.gov.br)... 179.108.87.39
Connecting to uab.cubatao.sp.gov.br (uab.cubatao.sp.gov.br)|179.108.87.39|:443... connected.
WARNING: The certificate of ‘uab.cubatao.sp.gov.br’ is not trusted.
WARNING: The certificate of ‘uab.cubatao.sp.gov.br’ doesn't have a known issuer.
HTTP request sent, awaiting response... 302 Found
Location: https://www.amazon.com/ [following]
--2022-03-18 13:30:59-- https://www.amazon.com/
Resolving www.amazon.com (www.amazon.com)... 162.219.225.118
Connecting to www.amazon.com (www.amazon.com)|162.219.225.118|:443... connected.
HTTP request sent, awaiting response... 503 Service Unavailable
2022-03-18 13:30:59 ERROR 503: Service Unavailable.
# Seems like we need to add a User-Agent header to get it to redirect to the phishing site
$ wget -O /dev/null --header='User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0' --no-check-certificate 'https://uab.cubatao.sp.gov.br/wp-content/ImageData.php?minus=moon'
--2022-03-18 13:32:07-- https://uab.cubatao.sp.gov.br/wp-content/ImageData.php?minus=moon
Resolving uab.cubatao.sp.gov.br (uab.cubatao.sp.gov.br)... 179.108.87.39
Connecting to uab.cubatao.sp.gov.br (uab.cubatao.sp.gov.br)|179.108.87.39|:443... connected.
WARNING: The certificate of ‘uab.cubatao.sp.gov.br’ is not trusted.
WARNING: The certificate of ‘uab.cubatao.sp.gov.br’ doesn't have a known issuer.
HTTP request sent, awaiting response... 302 Found
Location: https://www.alymzons.com/?return=&vid=6234ec4929e9cd1ce6616117 [following]
--2022-03-18 13:32:09-- https://www.alymzons.com/?return=&vid=6234ec4929e9cd1ce6616117
Resolving www.alymzons.com (www.alymzons.com)... 35.233.129.192
Connecting to www.alymzons.com (www.alymzons.com)|35.233.129.192|:443...
# Phishing site seems to be down
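The transcript above shows the two things an analyst has to do by hand with wget: stop at every hop so intermediate hosts (the URL shortener, the LinkedIn slink, the compromised WordPress site) are recorded, and repeat the chain with a browser User-Agent to expose the cloaking that sends bots to amazon.com and real browsers to the phishing page. The Python tracer below is an added example, not part of the gist; `fake_fetch` and the `.example` hosts in it are a constructed stand-in for the observed chain so it runs offline, while `http_fetch` does the same against a live URL.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at every redirect so each hop is observed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url, headers):
    """One GET without following redirects -> (status, Location or None)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=15) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:  # urllib raises on an unfollowed 3xx
        return e.code, e.headers.get("Location")

def trace(url, fetch=http_fetch, user_agent=None, max_hops=10):
    """Follow the chain hop by hop; returns [(url, status), ...] in order."""
    headers = {"User-Agent": user_agent} if user_agent else {}
    chain, seen = [], set()
    while len(chain) < max_hops and url not in seen:  # bound hops, stop loops
        seen.add(url)
        status, location = fetch(url, headers)
        chain.append((url, status))
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    return chain

def cloaking_suspected(url, fetch=http_fetch):
    """True when the final hop changes once a browser User-Agent is sent."""
    return trace(url, fetch)[-1][0] != trace(url, fetch, BROWSER_UA)[-1][0]

# Constructed stand-in for the chain above (placeholder hosts), no network needed.
def fake_fetch(url, headers):
    hops = {
        "https://t.co/SHORT": (301, "https://www.linkedin.com/slink?code=X"),
        "https://www.linkedin.com/slink?code=X": (301, "https://compromised.example/ImageData.php"),
        "https://landing.example/": (200, None),
        "https://www.amazon.com/": (503, None),
    }
    if url == "https://compromised.example/ImageData.php":  # User-Agent gate
        ua = headers.get("User-Agent", "")
        return 302, ("https://landing.example/" if "Mozilla" in ua else "https://www.amazon.com/")
    return hops[url]
```

Running `trace(url)` with and without `BROWSER_UA` against a live link reproduces the wget session without `--no-check-certificate`, so a bad certificate surfaces as an exception rather than being silently accepted.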