Collection of current spam campaigns in Serbian (April 2024)
#1
Not so long ago, the previous thread: collection of current spam campaigns in Serbian (August 2023)

Mostly everything here is mixed up once you scratch a little below the surface: it is sent from compromised accounts in various countries, the From address has nothing to do with reality, and the name is usually picked up from a signature put into the mail that was found who knows where, so that it looks legitimate, but it is all cobbled together.

* 1 *

Code:
Return-Path: <[email protected]>
Received: from [93.123.39.45] (port=58549 helo=theme.gigatal.com)
    by cp11.ulimitserver.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.96.2)
    (envelope-from <[email protected]>)
From: XXXXXX <[email protected]>

* 2 *

This is ordinary marketing spam sent from the company's own account; why does anyone still try this nowadays...

Code:
Return-Path: <[email protected]>
Received: from smtp.outgoing.loopia.se ([93.188.3.38]:17121)
Received: from webmail.loopia.se (unknown [172.22.212.9])
    (Authenticated sender: [email protected])
    by s934.loopia.se (Postfix) with ESMTPA id 4AA1C7CEA5C
User-Agent: Loopia Webmail/1.6.3
X-Sender: [email protected]

* 3 *

Code:
Return-Path: <[email protected]>
Received: from server.maderasriosegura.com ([212.227.37.135]:52522)
    by cp11.ulimitserver.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    (Exim 4.96.2)
    (envelope-from <[email protected]>)
Received: from webmail.maderasriosegura.com (localhost.localdomain [IPv6:::1])
    by server.maderasriosegura.com (Postfix) with ESMTPSA id D3B4C6730C;
    Wed, 17 Apr 2024 10:13:24 +0200 (CEST)
X-Sender: [email protected]
From: =?UTF-8?Q?Sa=C5=A1a_=C5=BDivkovi=C4=87?=
    <[email protected]>

attachment:

https://www.virustotal.com/gui/file/6c8e...28c51c4253

* 4 *

Code:
Return-path: <[email protected]>
Received: from mta02-zimbra.pimec.net ([51.254.92.177]:41066)
    by cp11.ulimitserver.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.96.2)
    (envelope-from <[email protected]>)
Received: from mta02-zimbra.pimec.net ([127.0.0.1])
    by localhost (mta02-zimbra.pimec.net [127.0.0.1]) (amavis, port 10026)
    with ESMTP id 0bQd47WxP99l; Thu, 18 Apr 2024 09:54:30 +0200 (CEST)
Received: from mailbox04-zimbra.pimec.net (unknown [172.16.89.11])
    by mta02-zimbra.pimec.net (Postfix) with ESMTP id 315556181B;
    Thu, 18 Apr 2024 09:54:26 +0200 (CEST)
From: nabavka <[email protected]>

attachment:

https://www.virustotal.com/gui/file/0bff...26e440e475

* 5 *

Code:
Return-Path: <[email protected]>
Received: from correo.sentidocomun.es ([54.217.206.198]:34648)
    by cp11.ulimitserver.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.96.2)
    (envelope-from <[email protected]>)
    id 1rytkL-0007lH-2a
    Mon, 22 Apr 2024 15:30:15 +0200
Received: from correo.sentidocomun.es (localhost [IPv6:::1])
    by correo.sentidocomun.es (Postfix) with ESMTPA id 0091C18E003C;
    Mon, 22 Apr 2024 13:32:16 +0000 (GMT)
From: Stevan Prekrat <[email protected]>

attachment:

https://www.virustotal.com/gui/file/b5bb...8579600b59

* 6 *

Code:
Return-Path: <[email protected]>
Received: from mail.omegapharmacy.gr ([65.108.151.223]:40416)
    by cp11.ulimitserver.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    (Exim 4.96.2)
    (envelope-from <[email protected]>)
Received: from webmail.omegapharmacy.gr (localhost.localdomain [IPv6:::1])
    by mail.omegapharmacy.gr (Postfix) with ESMTPSA id CBB7181E27;
    Wed, 24 Apr 2024 05:18:38 +0000 (UTC)
From: Karolina <[email protected]>
Reply-To: [email protected]
User-Agent: Roundcube Webmail/1.4.13

attachment:

https://www.virustotal.com/gui/file/6df1...6fd786bd7c

* 7 *
This one is not in Serbian, but it is interesting because it pretends to be from Zagreb. It has an SHTML file in the attachment that contains a fake webmail page asking for a username and password. I had not seen this phishing method before; usually they just give you a link, and the fake page is at that link rather than in the attached file.

There is some obfuscation in the code, but in the end it sends the data to owanemnoicsecure .com/cP_webmail/attachment/billions.php, which is still active at the time of writing this.

Why shtml? Probably because many defenders block .html as an attachment extension, while shtml is rarely used and gets forgotten, so this should be blocked as well.


Code:
Return-Path: <[email protected]>
Received: from score.dgchebao.com ([194.169.172.86]:47066)
    by cp11.ulimitserver.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.96.2)
    (envelope-from <[email protected]>)
From: Manuel Kyra <[email protected]>

attachment; VirusTotal did not have this particular file, so it had to analyse it, but after analysis it recognises it for what it is:

https://www.virustotal.com/gui/file/6136...1d8f4c8d72

* 8 *

Code:
Return-Path: <[email protected]>
Received: from cloudhost-8454699.us-midwest-2.nxcli.net ([192.190.220.159]:29848)
    by cp11.ulimitserver.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    (Exim 4.96.2)
    (envelope-from <[email protected]>)
Received: from [154.127.53.176] ([154.127.53.176])
    by cloudhost-8454699.us-midwest-2.nxcli.net with ESMTPSA
    id 2AElH+TRK2a4RQAAOqlhkQ
    (envelope-from <[email protected]>)
From: "Igor Filipovic" <[email protected]>

attachment:

https://www.virustotal.com/gui/file/790e...b021908bf3
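Added example, not part of the original post: a small Python triage check for the two patterns the post describes, a From address unrelated to the envelope sender that came in through a third-party relay, and an .shtml attachment that should be blocked just like .html. The sample message, its domains and the IP address are constructed, modelled on campaign #7 above.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on campaign #7 above (not the original message):
# a third-party host relays mail whose From has nothing to do with the envelope
# sender, and the attachment is an .shtml file (the fake webmail login page).
SAMPLE = b"""Return-Path: <sender@relay.example.net>
Received: from score.relay.example.net ([192.0.2.86]:47066)
\tby mx.example.org with esmtps (TLS1.2)
\t(envelope-from <sender@relay.example.net>)
From: Manuel Kyra <office@zagreb.example.com>
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: application/octet-stream; name="racun.shtml"
Content-Disposition: attachment; filename="racun.shtml"

<html>...</html>
--B--
"""

# Extensions that can carry an HTML phishing page; .shtml is blocked with .html.
BLOCKED_EXT = {"html", "htm", "shtml", "xhtml"}

def first_relay_ip(msg):
    """IP of the host that handed the mail to our MX (topmost Received line)."""
    rcvs = msg.get_all("Received", [])
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", rcvs[0]) if rcvs else None
    return m.group(1) if m else ""

def analyse(raw):
    """Sender details plus findings: From/envelope mismatch, blocked attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    frm = parseaddr(msg.get("From", ""))[1]
    env = parseaddr(msg.get("Return-Path", ""))[1]   # envelope sender
    findings = []
    # Spoofed display identity: From domain differs from the envelope domain.
    if frm.rsplit("@", 1)[-1].lower() != env.rsplit("@", 1)[-1].lower():
        findings.append("from_envelope_mismatch")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.rsplit(".", 1)[-1].lower() in BLOCKED_EXT:
            findings.append("blocked_attachment:" + name)
    return {"from": frm, "envelope_from": env,
            "relay_ip": first_relay_ip(msg), "findings": findings}
```

Feeding a real message's raw bytes to `analyse` gives the relay IP to look up and the findings to act on; the mismatch check is a heuristic, since legitimate bulk mail also uses a different envelope domain.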