In early 2016, my girlfriend reached out to me with what seemed to be an interesting little puzzle. She began receiving a slew of emails. The emails were pretty clearly broad-targetted phishing scams and all directed at her AOL email address. over the course of a few months, she got maybe twenty-five emails, nearly identical but from unique addresses all from the Yahoo domain. Both of us were curious as to the motive and identity of the robot attacker so we took a little dive into the emails starting with the first one she received from tristan***@yahoo.com. I've reproduced the image of the email below. Note: I had her forward the message to my disposable (ironically) Yahoo email account.
It's a pretty standard-looking phish with a potentially malicious link posed as an error redirect. The email address being pretty legitimate and demographically relevant to her home of San Jose, CA, I can imagine it was pretty successful in the wild. A short list of the emails we received:
- tristan****@yahoo.com
- lori***[email protected]
- mar***[email protected]
- r****[email protected]
- ariana****@yahoo.com
One of these email addresses was familiar to my girlfriend so her guess was that one of her coworkers at the university had been compromised and from there, the scam branched out across each compromised account's known addresses. For example, many of these accounts were only attached to my girlfriend through mutual mailing lists. However mechanism of spread is never enough. We had to investigate the origin and motive of the attack
Before booting up my skiddie Kali box, I took a look at the HTML email to see where the link was heading and if there was any indication of authorship. It seemed barebones except for a value name that seemed to be an arbitrarily creepy string.
"television production team learned The Secret It was imperative"
Uhh. What 'Secret' and what did this phishing email have to do with a television production team? It didn't even seem like the value was doing anything. The markup is below.
I was sufficiently confused and a little bit edging toward the notion that this was some sort of conspiracy. I gave the internet a chance to explain. A quick search of the phrase turned up a text-searchable PDF of The Secret by Rhonda Byrne. On page x of the foreward the string can be found. After looking at the markup of the other emails (below) and finding they lifted random parts of the Secret and a couple other self-help PDFs.
"the Universe likes speed Dont delay Dont second guess"
"you are asking for it And you are certainly not helping them You"
"seminars for thousands of particiapants His focus is to help men and"
"predominant state is love the law of attraction or the law of love"
The Secret really seems creepy out of context. Well then what is metruki? gomipoko? the names of those value pairs. Some random Japanese-sounding obfuscation tactic? Is it spam-detection avoidance somehow? I've only recently begun to dig into the tactics used to filter out spam emails. Yahoo certainly hasn't been the best in my experience.
I decided to go ahead and see where that nasty link led. I pulled up my Kali box and dove headlong only to find what appeared to be a fake TMZ news site covered in adware. I poked around "weightlosscareer.com" and still felt a little uneasy about why the bot that generated the emails would choose New Age PDFs as source material for evading spam-detection.
I dug around the website's hosting IP (Chinese, allegedly) and did some skiddie scanning to find a bunch of default NGINX splash pages. I think I stopped playing around in order to go work on homework and totally forgot about this little puzzle until recently.
It isn't until after the Yahoo compromise broke the news that I realized what may have caused this uptick in spambots from Yahoo addresses. Were these accounts compromised during their data breach. Is this common knowledge? I never read much about what happened to those billion accounts that were slipped into the seedy bits of the internet. Or was this just a phishing scam that happened to infect the personal email accounts of workers at San Jose State University? Anyway, I just thought this was a cool and a little off-kilter dig around the web. -28/02/17