Introduction
I received a strange email in my inbox, stating that my ENS name candinya.eth would expire in 24 hours. It threatened me, saying that this would be my last renewal opportunity, and left a huge button prompting me to "renew."
But I found it strange: I registered this ENS name more than a year ago, and besides, I had already set a renewal reminder in my calendar. How could it suddenly be expiring?
Analysis
When I looked at the sender column, I was sure that this was a phishing email. The sender didn't even bother to fake a domain name like ens.domains and directly used the email address [email protected].
I checked the email source and confirmed that the email was sent from the server amenominakanushi.okuizumo.ne.jp (okuizumo.ne.jp [211.12.232.201]), and that it passed DKIM/SPF verification. If the verification had failed, my email system would have blocked it automatically. Since the signature is valid for the sending domain (and says nothing about ENS), the most likely explanation is that the attacker abused this email account.
Before we focus on the large renewal button below, let's start with an appetizer: did you see the "Unsubscribe from this email" link at the bottom? Let's guess where it leads: https://google.com/unsubscribe
Well, it's hard to say what that is for, but I find it quite amusing.
But the attacker obviously doesn't want us to "unsubscribe" from this email. It wants us to click on that big renewal button, leading us into its carefully crafted scam trap. So let's go along with its intentions and see what it's up to.
The button itself is nothing special, just a simply styled <a> tag. The interesting part is the link it points to: a redirect link starting with bing.com. Routing through a legitimate domain's redirector is a very common attack technique, because the visible link looks trustworthy and URL filters often whitelist the big domain. We've seen similar incidents before, where a logout redirect on YouTube was used to bounce visitors to an attack website. So with a little trick (decoding the redirect parameter), we can find out the website behind this link.
It points to archivodigital[dot]org/venezuela-centro-de-computacion-afoco-2003/.
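As an added example (not part of the original post), the script below performs the two checks described above on a suspicious HTML email: it reads the Authentication-Results header to see which domain the DKIM/SPF pass actually belongs to, and it lists every link in the body, unwrapping links that route through a known redirector domain. The sample message, the sender domain, the redirector list and the landing page are all constructed placeholders; the redirect is assumed to carry its destination in a query parameter, which is the common pattern but not the only one.

```python
"""Triage a suspicious HTML email: who really signed it, and where do its
links go?  Added example with a constructed message, not the original mail."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Brand the email claims to come from (the post's case: ENS).
BRAND_DOMAIN = "ens.domains"

# Legitimate domains that are frequently abused as open redirectors (assumed list).
REDIRECTORS = {"bing.com", "google.com", "youtube.com"}

# Constructed sample message: every domain and address here is a placeholder.
RAW_EMAIL = b"""\
Received: from mail.abused-host.invalid (mail.abused-host.invalid [192.0.2.10])
Authentication-Results: mx.recipient.invalid; spf=pass smtp.mailfrom=abused-host.invalid; dkim=pass header.d=abused-host.invalid
From: "ENS Domains" <renewals@abused-host.invalid>
To: victim@recipient.invalid
Subject: Your ENS name will expire in 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your name candinya.eth expires in 24 hours.</p>
<a href="https://www.bing.com/redirect?url=https%3A%2F%2Fscam-landing.invalid%2Frenew">Renew now</a>
<p><a href="https://google.com/unsubscribe">Unsubscribe from this email</a></p>
</body></html>
"""


def auth_results(msg):
    """Parse Authentication-Results into {method: (result, domain)}."""
    out = {}
    for clause in str(msg.get("Authentication-Results", "")).split(";")[1:]:
        parts = clause.split()
        if not parts:
            continue
        method, _, result = parts[0].partition("=")
        domain = None
        for p in parts[1:]:
            key, _, val = p.partition("=")
            if key in ("smtp.mailfrom", "header.d", "header.from"):
                domain = val.split("@")[-1]
        out[method] = (result, domain)
    return out


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]
            self.links.append(self._open)

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None


def extract_links(html):
    p = _LinkCollector()
    p.feed(html)
    return [(href, text.strip()) for href, text in p.links]


def registrable(host):
    """Crude registrable domain: last two labels (assumes no multi-label public suffix)."""
    return ".".join(host.lower().split(".")[-2:])


def unwrap_redirect(url):
    """If url passes through a known redirector, return the embedded destination."""
    u = urlparse(url)
    if registrable(u.hostname or "") not in REDIRECTORS:
        return None
    for values in parse_qs(u.query).values():
        for v in values:
            if v.startswith(("http://", "https://")):
                return v
    return None


def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = auth_results(msg)
    from_domain = msg["From"].addresses[0].domain
    links = extract_links(msg.get_body(preferencelist=("html",)).get_content())
    findings, targets = [], {}
    result, signer = auth.get("dkim", (None, None))
    if result == "pass" and signer != BRAND_DOMAIN:
        findings.append(f"DKIM passes for {signer}, not {BRAND_DOMAIN}: the signature "
                        "only proves the sending account, not the brand")
    for href, text in links:
        dest = unwrap_redirect(href)
        if dest:
            targets[href] = dest
            findings.append(f"'{text}' bounces via {urlparse(href).hostname} to {dest}")
        elif "unsubscribe" in text.lower() and registrable(urlparse(href).hostname or "") != BRAND_DOMAIN:
            findings.append(f"unsubscribe link points at unrelated host {urlparse(href).hostname}")
    return {"from_domain": from_domain, "auth": auth, "links": links,
            "redirect_targets": targets, "findings": findings}


if __name__ == "__main__":
    for line in triage(RAW_EMAIL)["findings"]:
        print("-", line)
```

The DKIM check is the point the post makes: a passing signature means the message really left the domain it claims in `header.d`, which is worth nothing when that domain is an abused third party rather than the brand in the display name. The redirect unwrapping resolves the destination without ever fetching it, so the landing page is not touched during triage.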
After obtaining the domain name, the first thing to do is some security investigation. A WHOIS lookup shows that this domain was registered on December 14, 2020, with NameSilo as the registrar and Cloudflare as the nameservers (the classic move of hiding the origin behind CF).
But using CF doesn't make the origin invisible. A common misconfiguration is an nginx server that fronts several sites with CF certificates but has no default server block rejecting unmatched connections on port 443: any client that connects to the origin IP without a matching SNI name is served the certificate of the first TLS-enabled site, and that certificate leaks the real hostname to certificate scanners. So let's continue searching for this root domain, and we find three servers:
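As an added illustration of the misconfiguration just described (not a configuration from the post or from the servers it investigates), here is the leaking nginx layout beside the fixed one. The hostnames, paths and IPs are placeholders.

```nginx
# WEAK: the first ssl server block is implicitly the default for port 443.
# A client that connects to the origin IP with no SNI (or an unknown name)
# is handed realsite.example's certificate, so the hostname leaks.
server {
    listen 443 ssl;
    server_name realsite.example;
    ssl_certificate     /etc/ssl/realsite.example.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/realsite.example.key;   # placeholder path
}

# FIXED: an explicit default server that aborts the handshake for any
# connection whose SNI does not match a configured server_name
# (ssl_reject_handshake is available since nginx 1.19.4).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

server {
    listen 443 ssl;
    server_name realsite.example;
    ssl_certificate     /etc/ssl/realsite.example.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/realsite.example.key;   # placeholder path
}
```

After deploying the fixed layout, you can confirm on your own origin that a connection without SNI (for example `openssl s_client -connect ORIGIN_IP:443 -noservername`) fails the handshake instead of returning a certificate; a CDN-fronted origin should additionally accept connections only from the CDN's published address ranges, since hiding the hostname does not protect a port that is still open to everyone.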
Oh, they're Russian servers. Could this be an encounter with the legendary Russian hackers? But I doubt any hacker would be foolish enough to use their own servers. It's probably a front.
Taking a quick look at the raw data, it's not hard to see that these are just small-time thieves. One obvious characteristic is that their default page is a 302 redirect to an ENS error page, even though this domain is obviously not an ENS working domain. So there's only one possibility: these servers are indeed owned by the attackers, and they set up a seemingly seamless barrier to keep unrelated visitors (such as scanners or crawlers) out.
But we have an invitation, don't we? (laughs)
Open a safe browser (preferably Tor, but for some reason my Tor isn't working today, so I'll just use a private-mode Firefox), enter the link, and hit Enter!
And then... it redirects to the ENS main site, but fails to open 🤡
I tried several browsers, and even clicking the original renewal button in the email didn't work. It all just goes back to the real ENS page, as if this email were not an attack but just a genuine ENS reminder.
I don't know why, but I'm quite shocked.
Review
Although I couldn't dig up more information, this can still be considered a rare opportunity for a security drill: what if the attacker doesn't run away next time? What if the attacker spoofs the sender, or actually sends the email right before the expiration time? When it comes to financial security, it's better to be overly cautious.
As for my email address, since it's my public one, I suspect that the attacker saw my GitHub account associated with my ENS name and obtained my email address from there. For the official ENS renewal reminder I use a different address prefix, which not only helps distinguish the source for sorting into email folders but also serves as a small security measure: a reminder that arrives at the wrong address is immediately suspect.
Of course, it would be best if we didn't receive phishing emails at all. Though this kind is admittedly more interesting than the dumb phishing emails that just slap a QR code on the page.
(End)