Compromised squareup/amazonses account phish


Compromised squareup/amazonses account phish

Alex Regan
Hi,

This phish appears to have been routed through Amazon but DKIM signed
by squareup. Is this a compromised squareup.com account?

https://pastebin.com/CxvULHF6

From [hidden email]  Wed Jun 13 13:00:20 2018
From: INVOICE# <[hidden email]>
Reply-To: "Advanced Consulting & Treatment, LLC"
<[hidden email]>

Thanks,
Alex

Re: Compromised squareup/amazonses account phish

Bill Cole
On 13 Jun 2018, at 15:20 (-0400), Alex wrote:

> Hi,
>
> This phish appears to have been routed through Amazon but DKIM signed
> by squareup. Is this a compromised squareup.com account?

For a loose definition of "compromised," yes. Possession of a Square
account is not evidence of ethical integrity.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole

Re: Compromised squareup/amazonses account phish

David Jones
On 06/13/2018 02:20 PM, Alex wrote:

> Hi,
>
> This phish appears to have been routed through Amazon but DKIM signed
> by squareup. Is this a compromised squareup.com account?
>
> https://pastebin.com/CxvULHF6
>
>  From [hidden email]
>   Wed Jun 13 13:00:20 2018
> From: INVOICE# <[hidden email]>
> Reply-To: "Advanced Consulting & Treatment, LLC"
> <[hidden email]>
>
> Thanks,
> Alex
>

Compromised accounts or bad customers are going to happen with any
system.  If you see one or two here or there, report them to SpamCop and
maybe directly to their abuse contact and move on.  If you start seeing
a pattern of abuse that they are not handling, then start working on a
way to block the individual sender within that platform.  If it's a
major platform like amazonses.com, then it could cause too much
collateral damage to block the whole platform.

On that particular email in pastebin, my SA would not have blocked it
either but you may want to bump up the score of DCC_CHECK a bit or make
a meta rule with DCC_CHECK and DRUGS_DIET to add a point or so.  Also,
now that IP is not hitting RCVD_IN_HOSTKARMA_W so your scoring may come
close to blocking that same email today.

I am adding some characteristics of that email to my local rules to
block them going forward.  For example:

- INVOICE in all caps is suspicious in the Subject -- add 1 point
- INVOICE in the From:name is suspicious -- add 1 point
- Combo of Invoice and DRUGS_DIET should never hit in a real Invoice
email so adding a couple of points for that.

Now that email is hitting a score of 9.3 on my local SA so thanks for
the spample.

Invoice phishing emails have become very bad the past 6 months, which has
caused me the most work to stay on top of them.  I have had to take the
approach of potentially over-blocking them to be on the safe side and then
whitelisting the good ones, since these are causing major economic damage
in finance departments from social engineering.

--
David Jones
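As an added example (not rules from David's post or from the SpamAssassin project), here is how the local rules he describes could be written in a local.cf; the LOCAL_* rule names are assumptions, and the scores follow the points he mentions. DRUGS_DIET and DCC_CHECK are existing SpamAssassin rules, so the meta rules only fire when those already hit.

```spamassassin
# --- Invoice-phish heuristics (added example; rule names are assumed) ---

# "INVOICE" in all capitals in the Subject: case-sensitive on purpose,
# so an ordinary "Invoice #1234" subject from a real vendor does not hit.
header   LOCAL_SUBJ_INVOICE_CAPS  Subject =~ /\bINVOICE\b/
describe LOCAL_SUBJ_INVOICE_CAPS  Subject contains INVOICE in all capitals
score    LOCAL_SUBJ_INVOICE_CAPS  1.0

# "invoice" used as the display name of the sender (From:name selects the
# comment/name part of the From: header, not the address).
header   LOCAL_FROM_NAME_INVOICE  From:name =~ /\binvoice\b/i
describe LOCAL_FROM_NAME_INVOICE  Display name of From: is "invoice"
score    LOCAL_FROM_NAME_INVOICE  1.0

# Invoice-style headers plus pharmacy/diet body content: a real invoice
# mail should never trigger DRUGS_DIET, so this combination gets a couple
# of points on top of the individual rules above.
meta     LOCAL_INVOICE_DRUGS      (LOCAL_SUBJ_INVOICE_CAPS || LOCAL_FROM_NAME_INVOICE) && DRUGS_DIET
describe LOCAL_INVOICE_DRUGS      Invoice-style headers combined with drug/diet content
score    LOCAL_INVOICE_DRUGS      2.0

# DCC bulk-mail hit plus DRUGS_DIET: the "point or so" bump suggested for
# the pastebin sample. Requires the DCC plugin to be loaded for DCC_CHECK.
meta     LOCAL_DCC_DRUGS          DCC_CHECK && DRUGS_DIET
describe LOCAL_DCC_DRUGS          DCC bulk hit combined with drug/diet content
score    LOCAL_DCC_DRUGS          1.0

# Vendors whose legitimate invoices trip these rules can be whitelisted
# explicitly, for example by DKIM identity (placeholder domain below):
# whitelist_from_dkim *@vendor.example
```

Check the syntax with `spamassassin --lint`, then run the saved sample through `spamassassin -t < sample.eml` and confirm the new rule names appear in the report before relying on the scores.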