For more phishing samples, see my phishy email collection.
This is a well-crafted phishing attack, designed to look like a routine invoice. No doubt the attached spreadsheet includes a nasty surprise. Don’t fall for it. I give this one an A-. You never know what you might find when chasing email headers. This one claimed to come from a US Department of Defense address and was actually handed to my server from Armenia.
Details below the screenshot.
Relevant portion of the email header
To look at the email header in Outlook, click File…Properties and read the Internet headers box. Email headers hold a treasure-trove of routing and diagnostic information, but read the Received lines with care: they stack newest-first, so the topmost one was written by your own server and is the only one you can trust. Every Received line below it arrived as part of the message and was written (or invented) by whoever handed the message to you.
.
.
.
Received: from 178.160.250.142 by
mail2016.infrasupport.local (10.10.10.14) with Microsoft SMTP Server id
15.1.1531.3 via Frontend Transport; Mon, 26 Oct 2020 12:50:22 -0500
Received: from LYEIDOP.smtprelay.gslb.es.oneadp.com (LYEIDOP.smtprelay.gslb.es.oneadp.com
[26.110.198.75]) by with SMTP id
3fb06ys5gfgrutt.4.20201026215022; Mon, 26 Oct 2020 21:50:22 +0400
To: gregscott@infrasupportetc.com
Subject: ADP Payroll Invoice(s) 26-OCT-2020: 374166618
Message-ID: 43d115e0-897c-3b46-1ae5-@smtprelay.gslb.es.oneadp.com
Date: Mon, 26 Oct 2020 21:50:22 +0400
From: run.payroll.invoice@adp.com
.
.
.
This one claimed to start inside ADP, at a host calling itself LYEIDOP.smtprelay.gslb.es.oneadp.com, and to relay from there to me. A whois lookup on IP Address 26.110.198.75, the address that Received line gives for the “ADP” host, shows the whole 26.0.0.0/8 block is registered to the United States Department of Defense. Gulp – let that sink in.
But look again at that second Received line: it reads “by with SMTP id”, with nothing after “by”. No real mail server stamps a blank hostname. That line was not written by my server; it came in with the message from the host that connected to me, so the phisher could write anything there. The simplest explanation is not a compromised government computer but a forged hop that borrows a DoD address and a fake ADP hostname to make the message look like it took a legitimate route. Either way, the ADP name is fake, and the goal is to ensnare busy businesses. Here is the entire whois output.
I generated this with the Linux whois command. The same information is available from the registries’ web lookups; the Ref: lines in the output point straight at ARIN’s RDAP records.
[root@www ~]# whois 26.110.198.75
[Querying whois.arin.net]
[whois.arin.net]

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2020, American Registry for Internet Numbers, Ltd.
#

NetRange:       26.0.0.0 - 26.255.255.255
CIDR:           26.0.0.0/8
NetName:        DISANET26
NetHandle:      NET-26-0-0-0-1
Parent:          ()
NetType:        Direct Allocation
OriginAS:
Organization:   DoD Network Information Center (DNIC)
RegDate:        1995-05-01
Updated:        2009-06-19
Ref:            https://rdap.arin.net/registry/ip/26.0.0.0

OrgName:        DoD Network Information Center
OrgId:          DNIC
Address:        3990 E. Broad Street
City:           Columbus
StateProv:      OH
PostalCode:     43218
Country:        US
RegDate:
Updated:        2011-08-17
Ref:            https://rdap.arin.net/registry/entity/DNIC

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName:   Network DoD
OrgTechPhone:  +1-844-347-2457
OrgTechEmail:  disa.columbus.ns.mbx.hostmaster-dod-nic@mail.mil
OrgTechRef:    https://rdap.arin.net/registry/entity/MIL-HSTMST-ARIN

OrgTechHandle: REGIS10-ARIN
OrgTechName:   Registration
OrgTechPhone:  +1-844-347-2457
OrgTechEmail:  disa.columbus.ns.mbx.arin-registrations@mail.mil
OrgTechRef:    https://rdap.arin.net/registry/entity/REGIS10-ARIN

OrgAbuseHandle: REGIS10-ARIN
OrgAbuseName:   Registration
OrgAbusePhone:  +1-844-347-2457
OrgAbuseEmail:  disa.columbus.ns.mbx.arin-registrations@mail.mil
OrgAbuseRef:    https://rdap.arin.net/registry/entity/REGIS10-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2020, American Registry for Internet Numbers, Ltd.
#
[root@www ~]#
What about 178.160.250.142, the address in the topmost Received line? That is the host that actually opened a connection to mail2016.infrasupport.local, and it is the one hop my own server vouches for, so it deserves a look too. A whois lookup on 178.160.250.142 shows it belongs to VEON Armenia (Beeline), and the abuse contact for the block is right there in the output. This just keeps getting better: the “ADP invoice” was delivered from an Armenian ISP’s address wearing a forged DoD hop. Note also that the forged line and the Date: header are both stamped +0400, which is Armenia’s UTC offset, not a US one. Here is the complete whois output.
[root@www ~]# whois 178.160.250.142
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '178.160.128.0 - 178.160.255.255'

% Abuse contact for '178.160.128.0 - 178.160.255.255' is 'abuse@beeline.am'

inetnum:        178.160.128.0 - 178.160.255.255
netname:        AM-ARMENTEL-20100122
country:        AM
org:            ORG-ATCh1-RIPE
admin-c:        ANOD1-RIPE
tech-c:         ANOD1-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         ARMENTEL-MNT
mnt-routes:     ARMENTEL-MNT
created:        2010-01-22T15:00:00Z
last-modified:  2016-09-22T11:29:34Z
source:         RIPE # Filtered

organisation:   ORG-ATCh1-RIPE
org-name:       VEON Armenia CJSC
org-type:       LIR
address:        2 Aharonian street
address:        0014
address:        Yerevan
address:        ARMENIA
phone:          +37410289787
fax-no:         +37410289770
abuse-c:        AR14046-RIPE
admin-c:        AA5090-RIPE
admin-c:        AH5263-RIPE
mnt-ref:        ARMENTEL-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         ARMENTEL-MNT
created:        2004-04-17T10:58:03Z
last-modified:  2018-01-15T09:30:05Z
source:         RIPE # Filtered

role:           Armentel Network Operational Division role
address:        24/1 Azatoutyan Ave.
address:        Yerevan 0014
address:        Republic of Armenia
abuse-mailbox:  abuse@beeline.am
admin-c:        AA5090-RIPE
tech-c:         AA5090-RIPE
nic-hdl:        ANOD1-RIPE
created:        2010-01-18T09:02:39Z
last-modified:  2016-04-05T12:05:03Z
mnt-by:         RIPE-NCC-LOCKED-MNT
source:         RIPE # Filtered

% Information related to '178.160.248.0/22AS12297'

route:          178.160.248.0/22
descr:          "VEON Armenia" CJSC
origin:         AS12297
mnt-by:         ARMENTEL-MNT
created:        2020-05-22T12:53:14Z
last-modified:  2020-05-22T13:10:59Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.98 (ANGUS)

[root@www ~]#
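The header walk above can be done mechanically. The Python script below is an added example, not code from the original post: it parses the Received lines quoted above (re-folded as a sample message), marks where trust ends (the last hop stamped “by” our own MTA), flags the blank by-host on the forged “ADP” hop, records each hop’s UTC offset, and maps each address onto a small allocation table transcribed from the two whois results so that it runs offline. The MTA name and the sample headers come from the post; the allocation table, the trust rule and all function names are this example’s own assumptions, and a real tool would query RDAP or whois instead of the table.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the header lines quoted in the post, re-folded with a
# leading space on continuation lines so the stdlib parser accepts them.
SAMPLE_MESSAGE = """\
Received: from 178.160.250.142 by
 mail2016.infrasupport.local (10.10.10.14) with Microsoft SMTP Server id
 15.1.1531.3 via Frontend Transport; Mon, 26 Oct 2020 12:50:22 -0500
Received: from LYEIDOP.smtprelay.gslb.es.oneadp.com (LYEIDOP.smtprelay.gslb.es.oneadp.com
 [26.110.198.75]) by with SMTP id
 3fb06ys5gfgrutt.4.20201026215022; Mon, 26 Oct 2020 21:50:22 +0400
To: gregscott@infrasupportetc.com
Subject: ADP Payroll Invoice(s) 26-OCT-2020: 374166618
Message-ID: 43d115e0-897c-3b46-1ae5-@smtprelay.gslb.es.oneadp.com
Date: Mon, 26 Oct 2020 21:50:22 +0400
From: run.payroll.invoice@adp.com

"""

# Hosts we operate. Only a Received line stamped "by" one of these was written
# by us; every line below the last such hop is text supplied by the sender.
OUR_MTAS = {"mail2016.infrasupport.local"}

# Hypothetical offline table transcribed from the two whois results in the
# post; a real tool would query RDAP/whois for each address instead.
KNOWN_ALLOCATIONS = [
    (ipaddress.ip_network("26.0.0.0/8"), "DISANET26 (DoD Network Information Center, ARIN)", "US"),
    (ipaddress.ip_network("178.160.128.0/17"), "AM-ARMENTEL-20100122 (VEON Armenia CJSC, RIPE)", "AM"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Clause keywords that may follow "by <host>"; one of these directly after
# "by" means the stamping host is blank, as in the second hop above.
CLAUSE_KEYWORDS = {"with", "id", "via", "for"}


def lookup_allocation(ip):
    """Map an address onto the constructed table; None when not covered."""
    addr = ipaddress.ip_address(ip)
    for net, netname, country in KNOWN_ALLOCATIONS:
        if addr in net:
            return {"netname": netname, "country": country}
    return None


def parse_received(value):
    """Pull peer address, stamping host and UTC offset out of one Received line."""
    flat = " ".join(value.split())
    from_part, _, by_part = flat.partition(" by ")
    # The peer is the public address in the from-clause (bracketed or bare);
    # private addresses such as 10.10.10.14 belong to the stamping side.
    from_ip = next((ip for ip in IPV4_RE.findall(from_part)
                    if ipaddress.ip_address(ip).is_global), None)
    by_token = by_part.split(" ", 1)[0] if by_part else ""
    by_host = "" if by_token.rstrip(";") in CLAUSE_KEYWORDS else by_token
    offset = None
    if ";" in flat:
        try:
            offset = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip()).utcoffset()
        except (TypeError, ValueError):
            pass
    return {"from_ip": from_ip, "by_host": by_host, "utc_offset": offset}


def analyze_chain(raw_message, our_mtas=OUR_MTAS):
    """Walk Received lines top-down and mark the point where trust ends."""
    hops, trusted = [], True
    for value in message_from_string(raw_message).get_all("Received", []):
        hop = parse_received(value)
        if hop["by_host"].lower() not in our_mtas:
            trusted = False            # this hop and all below are remote text
        hop["trusted"] = trusted
        hop["allocation"] = lookup_allocation(hop["from_ip"]) if hop["from_ip"] else None
        hop["problems"] = []
        if not hop["by_host"]:
            hop["problems"].append("blank by-host")
        if not trusted:
            hop["problems"].append("remote-supplied, unverifiable")
        hops.append(hop)
    return hops


def verified_origin(hops):
    """The last hop our own MTA stamped: the peer that really connected to us."""
    trusted = [h for h in hops if h["trusted"]]
    return trusted[-1] if trusted else None


if __name__ == "__main__":
    chain = analyze_chain(SAMPLE_MESSAGE)
    for n, hop in enumerate(chain, 1):
        print(f"hop {n}: from {hop['from_ip']} by {hop['by_host'] or '<blank>'} "
              f"offset={hop['utc_offset']} trusted={hop['trusted']} "
              f"alloc={hop['allocation']} problems={hop['problems']}")
    origin = verified_origin(chain)
    print("verified connecting peer:", origin["from_ip"], origin["allocation"])
```

Run against the sample, the script reports hop 1 as trusted (stamped by our own MTA, peer 178.160.250.142 in the VEON Armenia block) and hop 2 as remote-supplied with a blank by-host, a peer in the DoD block, and a +0400 timestamp. The trust rule is the whole point: once a Received line is stamped by a host you do not control, nothing in it or below it is evidence of anything.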