1、概述
案例来自同事的HVV现场,感觉邮件里面有些有意思的点,分享一下。
点击里面的“点此登录完成本次迁移”以后就会跳转到下面的链接:https://admin-1312705177.cos-website.ap-nanjing.myqcloud.com/
2、分析
2.1、发件人分析
发件人非常多,统计了一下如下所示:
这么多感觉是伪造发件人实现的,
|
嵊州三鼎涂料科技有限公司 |
|
|
昆山市大数据资源管理中心 |
|
|
雾联智能技术(上海)有限公司 |
|
|
北京亚联美讯科技发展有限公司 |
|
|
北京艾唯博瑞科技有限公司 |
|
|
四川上力商业管理集团有限公司 |
|
|
中庆投资控股(集团)有限责任公司 |
|
|
上海交通大学 |
|
|
杭州市人民政府办公厅 |
|
|
湖南三湘银行股份有限公司 |
|
|
北京食安观察科技有限公司 |
|
|
广州市唯衣网络科技有限公司 |
|
|
深圳习习网络科技有限公司 |
|
|
中南财经政法大学 |
|
2.2、邮件分析
2.2.1、发件人
里面比较有意思的点在于,发件人为"[email protected](昆山大数据资源中心)",并且其IP为222.92.84.166,确实为mail.ks.gov.cn这个政府的邮件IP,突然有一种邮件服务器被日了的感觉。
Received: from mail.ks.gov.cn ([222.92.84.166])by spam02.xxx.com with ESMTP id 27JLSInE085978for <[email protected]>; Sat, 20 Aug 2022 05:28:18 +0800 (+08)(envelope-from [email protected])X-MAILFROM: <[email protected]>X-RCPTTO: <[email protected]>X-FROMIP: 182.118.233.54X-Spammark-Scaned: 1X-EQAUTHUSER: ksswwxbX-Received: hn.kd.ny.adsl,182.118.233.54,20220820042010Received: from hn.kd.ny.adsl (HELO ehucctv.com) ([email protected])by localhost with SMTP; 19 Aug 2022 20:20:10 -0000X-Priority: 1X-Mailer: FRTtKwEVi 12Disposition-Notification-To: [email protected]From: "=?utf-8?Q?Administrator?=" <[email protected]>To: "=?utf-8?Q?zhu?=" <[email protected]>Subject: =?utf-8?Q?=E9=80=9A=E7=9F=A5=E5=90=84=E9=83=A8=E9=97=A8?=Message-ID: <[email protected]>Date: Sat, 20 Aug 2022 05:01:36 +0800Content-Type: text/html;charset="utf-8"Content-Transfer-Encoding: quoted-printableX-HQIP: 127.0.0.1X-ASRC_FPT_MALICIOUS: MALICIOUS FPT 692b8f4c1727288f895097008916493b419296ce2605616a66709271c12d2e59 (106)Received-SPF: none (spam02.xxx.com: domain of [email protected] does not designate permitted sender hosts)X-DNSRBL:X-MAIL: spam02.xxx.com 27JLSInE085978<HTML><HEAD></HEAD><BODY><DIVclass=3Dqmbox><DIVclass=3Dxm_compose_origin_mail_container><DIV=20style=3D'FONT-SIZE: 14px; FONT-FAMILY: ==E5=BE=AE=E8=BD=AF=E9=9B=85=E9=BB=91,Verdana,"Microsoft =Yahei",SimSun,sans-serif; LINE-HEIGHT: 1.6'><DIVid=3Dntes-pcmail-forward-contentclass=3D"J-cc =ntes-mailmaster-quote"=20style=3D"PADDING-BOTTOM: 1px; PADDING-TOP: 1px"><DIV><DIV><TABLEclass=3DMsoNormalTable=20style=3D"WIDTH: 462pt; BACKGROUND: #e4f2fa; mso-cellspacing: 2.2pt; =mso-yfti-tbllook: 1184; mso-padding-alt: 0cm 0cm 0cm 0cm"=20cellSpacing=3D3 cellPadding=3D0 width=3D616 border=3D0><TBODY><TRstyle=3D"mso-yfti-irow:0; mso-yfti-firstrow:yes; mso-yfti-lastrow: =yes"><TD=20style=3D"BORDER-TOP: #d4d0c8; BORDER-RIGHT: #d4d0c8; BORDER-BOTTOM: =#d4d0c8; PADDING-BOTTOM: 0cm; PADDING-TOP: 0cm; PADDING-LEFT: 0cm; =BORDER-LEFT: #d4d0c8; PADDING-RIGHT: 0cm; BACKGROUND-COLOR: transparent"><DIV><TABLEclass=3DMsoNormalTable=20style=3D"BORDER-TOP: #95bed7 1pt solid; BORDER-RIGHT: #95bed7 1pt =solid; WIDTH: 457.5pt; BACKGROUND: white; BORDER-BOTTOM: #95bed7 1pt =solid; BORDER-LEFT: #95bed7 1pt solid; mso-cellspacing: 0cm; =mso-yfti-tbllook: 1184; mso-padding-alt: 0cm 0cm 0cm 0cm; mso-border-alt: =solid #95BED7 .75pt"=20cellSpacing=3D0 cellPadding=3D0 width=3D610 border=3D1><TBODY><TRclass=3DfirstRow=20style=3D"HEIGHT: 66pt; mso-yfti-irow: 0; mso-yfti-firstrow: yes"><TD=20style=3D"BORDER-TOP: #95bed7; HEIGHT: 66pt; BORDER-RIGHT: =#95bed7; BACKGROUND: lightskyblue; BORDER-BOTTOM: #95bed7; PADDING-BOTTOM: =0cm; PADDING-TOP: 0cm; PADDING-LEFT: 0cm; BORDER-LEFT: #95bed7; =PADDING-RIGHT: 0cm"=20vAlign=3Dtop><Palign=3Dcenter><FONT =size=3D6>=E9=82=AE=E7=AE=B1=E7=B3=BB=E7=BB=9F=E9=80=9A=E7=9F=A5</FONT></P><=/TD></TR><TRstyle=3D"mso-yfti-irow:1"><TD=20style=3D"BORDER-TOP: #95bed7; BORDER-RIGHT: #95bed7; =BORDER-BOTTOM: #95bed7; PADDING-BOTTOM: 22.5pt; PADDING-TOP: 22.5pt; =PADDING-LEFT: 37.5pt; BORDER-LEFT: #95bed7; PADDING-RIGHT: 37.5pt; =BACKGROUND-COLOR: transparent"><Pstyle=3D"LINE-HEIGHT:16.5pt"><STRONG><SPAN=20style=3D"FONT-SIZE: 10.5pt; FONT-FAMILY: SimSun; COLOR: black; =mso-bidi-font-family: SimSun; mso-color-alt: =windowtext">=E4=BA=B2=E7=88=B1=E7=9A=84=E7=94=A8=E6=88=B7=EF=BC=9A</SPAN></=STRONG><FONT=20face=3D=E5=AE=8B=E4=BD=93><SPAN=20style=3D"FONT-SIZE: 10.5pt; COLOR: black; mso-color-alt: =windowtext"></SPAN><SPAN=20lang=3DEN-US style=3D"FONT-SIZE: 10.5pt"></SPAN></FONT></P><Pstyle=3D"LINE-HEIGHT:16.5pt; TEXT-INDENT: =0.75pt"><STRONG><SPAN=20style=3D"FONT-SIZE: 10.5pt; FONT-FAMILY: SimSun; COLOR: =#333333; mso-bidi-font-family: =SimSun">=E4=B8=BA=E4=BA=86=E5=8A=A0=E5=BC=BA=E7=BD=91=E7=BB=9C=E5=AE=89=E5==85=A8=E7=AE=A1=E7=90=86=EF=BC=8C=E6=8F=90=E9=AB=98=E9=82=AE=E4=BB=B6=E7=B3==BB=E7=BB=9F=E7=9A=84=E5=AE=89=E5=85=A8=E6=80=A7=E5=92=8C=E7=A8=B3=E5=AE=9A==E6=80=A7=EF=BC=8C=E4=BF=9D=E9=9A=9C=E6=94=B6=E5=8F=91=E7=95=85=E9=80=9A=EF==BC=8C=E4=B8=BA=E7=94=A8=E6=88=B7=E6=8F=90=E4=BE=9B=E4=BC=98=E8=B4=A8=E7=9A==84=E6=9C=8D=E5=8A=A1=EF=BC=8C=E7=8E=B0=E5=8D=B3=E5=B0=86=E5=90=AF=E7=94=A8==E6=96=B0=E7=89=88=E7=B3=BB=E7=BB=9F=EF=BC=8C=E6=9C=89=E5=85=B3=E4=BA=8B=E9==A1=B9=E9=80=9A=E7=9F=A5=E5=A6=82=E4=B8=8B=EF=BC=9A</SPAN></STRONG><SPAN=20lang=3DEN-US style=3D"FONT-SIZE: 10.5pt; COLOR: =#333333"></SPAN></P><Pstyle=3D"LINE-HEIGHT:16.5pt; TEXT-INDENT: =0.75pt"><STRONG><SPAN=20style=3D"FONT-SIZE: 10.5pt; FONT-FAMILY: SimSun; COLOR: =#333333; mso-bidi-font-family: SimSun">1.</SPAN></STRONG><STRONG><SPAN=20style=3D"FONT-SIZE: 10.5pt; FONT-FAMILY: SimSun; COLOR: =#333333; mso-bidi-font-family: =SimSun">=E7=94=A8=E6=88=B7=E9=9C=80=E7=99=BB=E5=BD=95=E6=96=B0=E9=82=AE=E4==BB=B6=E7=B3=BB=E7=BB=9F=E5=B0=86=E5=8E=9F=E6=9C=89=E6=95=B0=E6=8D=AE=E8=BF==81=E7=A7=BB=E8=87=B3=E6=96=B0=E7=B3=BB=E7=BB=9F=E3=80=82</SPAN></STRONG><S=PAN=20lang=3DEN-US style=3D"FONT-SIZE: 10.5pt; COLOR: =#333333"></SPAN></P><Pstyle=3D"LINE-HEIGHT:16.5pt; TEXT-INDENT: =0.75pt"><STRONG><SPAN=20style=3D"FONT-SIZE: 10.5pt; FONT-FAMILY: SimSun; COLOR: =#333333; mso-bidi-font-family: SimSun">2.</SPAN></STRONG><STRONG><SPAN=20style=3D"FONT-SIZE: 10.5pt; FONT-FAMILY: SimSun; COLOR: =#333333; mso-bidi-font-family: =SimSun">=E6=9C=AA=E8=BF=81=E7=A7=BB=E6=95=B0=E6=8D=AE=E7=9A=84=E7=94=A8=E6==88=B7=EF=BC=8C=E7=B3=BB=E7=BB=9F=E5=B0=86=E5=85=B6=E8=AE=A4=E5=AE=9A=E4=B8==BA=E6=97=A0=E4=BA=BA=E4=BD=BF=E7=94=A8=E7=9A=84=E8=B4=A6=E6=88=B7=E5=B9=B6==E5=81=9C=E6=AD=A2=E6=9C=8D=E5=8A=A1=E3=80=82</SPAN></STRONG><SPAN=20lang=3DEN-US style=3D"FONT-SIZE: 10.5pt; COLOR: =#333333"></SPAN></P><Pstyle=3D"LINE-HEIGHT:16.5pt; TEXT-INDENT: =0.75pt"><STRONG><SPAN=20style=3D"FONT-SIZE: 10.5pt; FONT-FAMILY: SimSun; COLOR: =#333333; mso-bidi-font-family: SimSun">3.</SPAN></STRONG><STRONG><SPAN=20style=3D"FONT-SIZE: 10.5pt; FONT-FAMILY: SimSun; COLOR: =#333333; mso-bidi-font-family: =SimSun">=E5=8D=87=E7=BA=A7=E5=90=8E=E7=94=A8=E6=88=B7=E5=90=8D=E5=92=8C=E5==AF=86=E7=A0=81=E5=9D=87=E4=B8=8D=E5=8F=98=EF=BC=8C=E7=94=A8=E6=88=B7=E6=97==A0=E9=9C=80=E4=BF=AE=E6=94=B9=E5=AE=A2=E6=88=B7=E7=AB=AF=E8=BD=AF=E4=BB=B6==E8=AE=BE=E7=BD=AE=E3=80=82</SPAN></STRONG><SPAN=20lang=3DEN-US style=3D"FONT-SIZE: 10.5pt; COLOR: =#333333"></SPAN></P><Pstyle=3D"MARGIN-LEFT:11.25pt; LINE-HEIGHT: =16.5pt"><STRONG><SPAN=20style=3D"FONT-SIZE: 10.5pt; FONT-FAMILY: SimSun; COLOR: =#333333; mso-bidi-font-family: SimSun"><A=20=href=3D"https://admin-1312705177.cos-website.ap-nanjing.myqcloud.com/"><SPA=N><SPAN><FONT=20=color=3D#0000ff>=E7=82=B9=E6=AD=A4=E7=99=BB=E5=BD=95=E5=AE=8C=E6=88=90=E6==9C=AC=E6=AC=A1=E8=BF=81=E7=A7=BB</FONT></SPAN></SPAN></A></SPAN></STRONG><=SPAN=20lang=3DEN-US=20style=3D"FONT-SIZE: 10.5pt; COLOR: #333333"></SPAN></P></TD></TR><TRstyle=3D"HEIGHT:37.5pt; mso-yfti-irow:2"><TD=20style=3D"BORDER-TOP: #95bed7; HEIGHT: 37.5pt; BORDER-RIGHT: =#95bed7; BORDER-BOTTOM: #95bed7; PADDING-BOTTOM: 0cm; PADDING-TOP: 0cm; =PADDING-LEFT: 0cm; BORDER-LEFT: #95bed7; PADDING-RIGHT: 41.25pt; =BACKGROUND-COLOR: transparent"=20vAlign=3Dtop><Pstyle=3D"TEXT-ALIGN:right"><FONT =face=3D=E5=AE=8B=E4=BD=93><SPAN=20style=3D"FONT-SIZE: 10.5pt; COLOR: black; mso-color-alt: =windowtext">=E7=89=B9=E6=AD=A4=E9=80=9A=E7=9F=A5</SPAN><SPAN=20lang=3DEN-US style=3D"FONT-SIZE: 10.5pt"></SPAN></FONT></P><Pstyle=3D"TEXT-ALIGN:right"><FONT =face=3D=E5=AE=8B=E4=BD=93><SPAN=20style=3D"FONT-SIZE: 10.5pt; COLOR: black; mso-color-alt: =windowtext">2022-08-16</SPAN></FONT></P></TD></TR><TRstyle=3D"HEIGHT:9pt; mso-yfti-irow:3; mso-yfti-lastrow:yes"><TD=20style=3D"BORDER-TOP: #95bed7; HEIGHT: 9pt; BORDER-RIGHT: =#95bed7; WIDTH: 457.5pt; BORDER-BOTTOM: #95bed7; PADDING-BOTTOM: 0cm; =PADDING-TOP: 0cm; PADDING-LEFT: 0cm; BORDER-LEFT: #95bed7; PADDING-RIGHT: =0cm; BACKGROUND-COLOR: transparent"=20=width=3D610></TD></TR></TBODY></TABLE></DIV></TD></TR></TBODY></TABLE></DIV=><Pclass=3DMsoNormalstyle=3D"MARGIN:0cm"><SPAN=20lang=3DEN-US></SPAN></P></DIV></DIV></DIV><SPAN=20class=3Dxm_compose_origin_mail_container_sign style=3D"DISPLAY: =none"></SPAN></DIV><STYLE>.qmbox font {line-height: 1.6;}=2Eqmbox ul,.qmbox ol {padding-left: 20px;list-style-position: inside;}</STYLE></DIV></BODY></HTML>
2.2.2、X-FROMIP
邮件里面可以看到有X-FROMIP这个字段,这个字段表示其发件人的真实IP
这样再结合前面的信息就可以推演出其攻击方式了:
from mail.ks.gov.cn ([222.92.84.166])X-MAILFROM: <ksswwxb@ks.gov.cn>X-FROMIP: 182.118.233.54
2.2.3、我们使用AI来分析一下
2.3、伪造发件人
效果如下:
根据测试发现里面大部分是可以伪造发件人的,这样的话感觉攻击者没必要利用钓鱼获得的账号密码来钓鱼了,但是这种方式也存在几个问题:可能会被邮件网关类安全设备拦截,可以获得攻击者的相关身份
3、溯源
这个字段表示发送后邮件以后推送一个回执,如下所示:
根据上面的信息可以获取到攻击者的下面信息:
X-FROMIP: 182.118.233.54
X-Received: hn.kd.ny.adsl,182.118.233.54,20220820042010
Disposition-Notification-To: [email protected]
可得
owner:王*洋
qq邮箱:[email protected]
手机号:19939073761
QQID:何时才能暴富
微信ID:毛豆
支付宝ID:向阳
所属性质:涉及范围巨大的黑灰产钓鱼
原文始发于微信公众号(Ice ThirdSpace):应急响应案例30-钓鱼应急与溯源
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论