A quick follow-on from the malware-spreading campaign abusing the Mailchimp system to send emails with links to various malware, including the Gootkit banking Trojan and the Ursnif banking Trojan.
I didn't see any Mailchimp malware yesterday, 15 March 2018, but I did receive one email from a different ESP (Email Sending Provider) or SMTP service provider, Sendgrid. The handful of well-known, legitimate major ESPs tend to be whitelisted in many email filtering systems, allowing emails sent through them to be delivered in a more guaranteed manner. There are, however, hundreds of ESPs that are just thinly disguised spam factories operating under the guise of a legitimate marketing email provider service.
I am not sure whether this is the start of a new abusive campaign switching to Sendgrid or just a one-off. I am led to believe that the original Mailchimp abusive campaign started with Apple phishing emails in a similar way to this one, so I feel it is worth keeping one eye open and being aware that this might be the start of these criminals switching to a new sending or relaying service.
I am assuming (from the email header information) that this came via a compromised or fraudulently set up account on the dedicated Aruba SAS server, and that the criminals either used an existing Sendgrid account linked to that server account or, more likely, signed up for a free trial that allows them to send up to 40,000 emails within the 30-day free trial period.
It is virtually impossible for any email admin to block Sendgrid, because so many legitimate and needed emails come via them. My mail server receives about 100 emails each day via Sendgrid, with about 97%-98% being genuinely signed-up-for mailing lists, charity donation confirmation receipts and order confirmations from a whole range of companies, both large and small. The odd 2-3% of "spam" are marketing emails from so-called legitimate companies who are somehow using a database of "found email addresses".
This phishing email is quite interesting for several reasons, mainly the use of Sendgrid to ensure delivery and the way it bounces and redirects through so many links and chains before arriving at the final phishing site (which was down before I started my investigation, although it was already known about by several of the anti-phishing organisations and anti-virus companies, who have the site blocked).
Let's look at the chain.
It starts with the link in the email to:
https://connect.googleforwork.com/external-link.jspa?url=https%3A%2F%2Fdrhouse-forum.de%2Fbin (this is a genuine Google site connected to the Google cloud service. It was the home of Google Apps for Work, now called G Suite)
Many security researchers have complained for years, to no avail, about the ability of scammers, phishers, malware spreaders and criminals in general to use Google services as an open redirector to partially mask the resulting URL and make it appear more legitimate. Very few URL filtering services will block any Google service or domain.
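What a mail filter or an analyst can do with a link like the one above is unwrap the redirector statically, so the real destination is what gets checked against block lists rather than the Google domain. The Python below is an added example written for this post, not code from the original or from Google; it uses the email link quoted above as one input, the second (nested) link and the list of redirect parameter names are constructed assumptions for the example, and no network request is made.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Link from the phishing email quoted in the post: a Google redirector
# wrapping the first hop of the chain.
EMAIL_LINK = ("https://connect.googleforwork.com/external-link.jspa"
              "?url=https%3A%2F%2Fdrhouse-forum.de%2Fbin")

# Constructed sample (not from the post): the same redirector wrapping a
# second, hypothetical redirector that in turn wraps a landing page.
NESTED_LINK = ("https://connect.googleforwork.com/external-link.jspa?url="
               + quote("https://redirector.example/go?u=https://landing.example/login",
                       safe=""))

# Query parameter names commonly used by redirect endpoints. This list is an
# assumption for the example; a production filter would maintain its own.
REDIRECT_PARAMS = ("url", "u", "q", "redirect", "redir", "target", "dest", "next", "link")


def embedded_url(url):
    """Return the first absolute http(s) URL carried in url's query string, or None."""
    params = parse_qs(urlsplit(url).query)  # parse_qs percent-decodes the values
    for name in REDIRECT_PARAMS:
        for value in params.get(name, []):
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def unwrap_chain(url, max_depth=8):
    """Follow nested wrappers statically and return every hop, outermost first."""
    chain = [url]
    while len(chain) <= max_depth:
        nxt = embedded_url(chain[-1])
        if nxt is None or nxt in chain:  # stop at the innermost link or on a loop
            break
        chain.append(nxt)
    return chain


def final_host(url):
    """Host of the innermost URL: the one reputation lookups should run against."""
    return (urlsplit(unwrap_chain(url)[-1]).hostname or "").lower()


if __name__ == "__main__":
    for link in (EMAIL_LINK, NESTED_LINK):
        for depth, hop in enumerate(unwrap_chain(link)):
            print("  " * depth + hop)
        print("-> check reputation of:", final_host(link))
```

For the link in this email the chain has two entries and the host to look up is drhouse-forum.de; the constructed nested link unwraps three levels deep. Only the query string is inspected, so a wrapper that hides its target in a path segment or a fragment needs a separate rule.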
which redirects to:
which redirects to:
Which redirected to
The email looks like
I have seen a few other similar Apple phishing campaigns recently about transferring GSX or Atlas certificates, but they all hit spam filters in some way.
These are obviously aimed at companies that are Apple Partners, which repair, service or sell Apple products. A criminal gaining unauthorised access to the GSX portal would have access to a massive amount of data about customers and Apple products.
|IP|Reverse DNS|City|Region|Country|ASN|
|18.104.22.168|o1.30n.fshared.sendgrid.net|Denver|Colorado|US|AS11377 SendGrid, Inc.|
|22.214.171.124|host140-215-36-89.serverdedicati.aruba.it|Paris|Ile-de-France|FR|AS199653 Aruba SAS|
Received: from o1.30n.fshared.sendgrid.net ([126.96.36.199]:16748)
by knight.knighthosting.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
for email@example.com; Thu, 15 Mar 2018 09:07:55 +0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.me;
s=smtpapi; bh=gwMupSgSWnBkVwEEQonCkYb6lLI=; b=JIRhVd4+gWcKIT1pko
Received: by filter0001p2las1.sendgrid.net with SMTP id filter0001p2las1-4113-5AAA33A8-B
2018-03-15 08:49:44.526986737 +0000 UTC
Received: from FRO (host140-215-36-89.serverdedicati.aruba.it [188.8.131.52])
by ismtpd0004p1lon1.sendgrid.net (SG) with ESMTP id E2D7jLXDQjGpF8U_PyQd2w
for <firstname.lastname@example.org>; Thu, 15 Mar 2018 08:49:44.093 +0000 (UTC)
From: "Apple Authorized Provider Service" <email@example.com>
Subject: Apple – GSX informations transfer request has been approved
Date: Thu, 15 Mar 2018 08:49:44 +0000 (UTC)
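To act on headers like these without blocking Sendgrid outright, a filter can walk the Received chain back past the ESP to the originating relay (here the Aruba dedicated server) and check whether the DKIM signing domain lines up with the From domain. The Python below is an added example, not code from the post or from Sendgrid; the header sample is the one quoted above, re-folded with leading whitespace on continuation lines the way an MTA writes them, with the addresses left redacted as they appear in the post and the truncated DKIM b= value kept as shown.

```python
import re

# Headers quoted in the post, re-folded as an MTA would write them. The
# addresses were already redacted in the post; the DKIM b= value is cut
# short there and is left exactly as shown.
SAMPLE_HEADERS = """\
Received: from o1.30n.fshared.sendgrid.net ([126.96.36.199]:16748)
 by knight.knighthosting.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
 for email@example.com; Thu, 15 Mar 2018 09:07:55 +0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.me;
 s=smtpapi; bh=gwMupSgSWnBkVwEEQonCkYb6lLI=; b=JIRhVd4+gWcKIT1pko
Received: by filter0001p2las1.sendgrid.net with SMTP id filter0001p2las1-4113-5AAA33A8-B
 2018-03-15 08:49:44.526986737 +0000 UTC
Received: from FRO (host140-215-36-89.serverdedicati.aruba.it [188.8.131.52])
 by ismtpd0004p1lon1.sendgrid.net (SG) with ESMTP id E2D7jLXDQjGpF8U_PyQd2w
 for <firstname.lastname@example.org>; Thu, 15 Mar 2018 08:49:44.093 +0000 (UTC)
From: "Apple Authorized Provider Service" <email@example.com>
Subject: Apple – GSX informations transfer request has been approved
Date: Thu, 15 Mar 2018 08:49:44 +0000 (UTC)
"""


def unfold(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line.strip():
            lines.append(line.rstrip())
    return lines


def header_value(raw, name):
    """Value of the first header called name (case-insensitive), or ''."""
    prefix = name.lower() + ":"
    for line in unfold(raw):
        if line.lower().startswith(prefix):
            return line[len(prefix):].strip()
    return ""


def parse_received(raw):
    """One dict per Received header, latest hop first (MTAs prepend)."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1]
        helo = re.search(r"\bfrom\s+(\S+)", body)
        rdns = re.search(r"\(([\w.-]+)\s+\[", body)          # "(rdns-name [ip])"
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", body)
        by = re.search(r"\bby\s+(\S+)", body)
        hops.append({
            "helo": helo.group(1) if helo else None,
            "rdns": rdns.group(1) if rdns else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
        })
    return hops


def dkim_domain(raw):
    """The d= tag of the first DKIM-Signature header, or ''."""
    for tag in header_value(raw, "DKIM-Signature").split(";"):
        key, _, value = tag.strip().partition("=")
        if key == "d":
            return value.strip().lower()
    return ""


def from_domain(raw):
    """Domain part of the From address, or ''."""
    m = re.search(r"@([\w.-]+)", header_value(raw, "From"))
    return m.group(1).lower() if m else ""


def summarize(raw):
    """The facts a filter would score on instead of the ESP's IP address."""
    hops = parse_received(raw)
    origin = hops[-1] if hops else {}  # earliest hop is the last Received header
    dkim = dkim_domain(raw)
    sender = from_domain(raw)
    return {
        "delivered_via": hops[0]["helo"] if hops else None,
        "origin_helo": origin.get("helo"),
        "origin_rdns": origin.get("rdns"),
        "origin_ip": origin.get("ip"),
        "dkim_d": dkim,
        "from_domain": sender,
        # Aligned when the signing domain is the From domain or a parent of it.
        "dkim_aligned": bool(dkim) and (sender == dkim or sender.endswith("." + dkim)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_HEADERS).items():
        print(f"{key:>14}: {value}")
```

On this sample the delivering relay is the Sendgrid host, the originating hop is the Aruba server that gave the bare HELO name "FRO", and the message is DKIM-signed by sendgrid.me (the shared signing domain) rather than by the From domain, so it does not align. Those three facts, not the Sendgrid IP, are what a scoring rule can weigh, with the usual caveat that only Received headers added by your own MTA and the ESP are trustworthy; anything below them could have been forged by the sender.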