2018-04-19 - Anatomy of a Phish

Suspicious Email...

User submits a suspicious email.

Subject: Fwd: Wire Transfer Initiated

Wire Transfer is about to be initiated,
Please Confirm Attached Invoice.

Open Invoice | Download Invoice
Open Invoice (https://invoibnvdswa(.)com/outlookwa/outlookdee/login.php?cmd=login_submit&id=snip_real_long_hex&session=snip_real_long_hex)
| Download Invoice (https://invoibnvdswa(.)com/outlookwa/outlookdee/login.php?cmd=login_submit&id=snip_real_long_hex&session=snip_real_long_hex)


Malory Niceperson

Director of Finance
Respectable University

(An unsubscribe link from mailchimp)

Visiting the root

First off, I wasn't going to visit any links with what could have potentially been tracking information in them; so I just visited the root of the site.

The Site had a Valid Cert

On the first visit to this root page chrome did display a "(lock) Secure" icon. It did have a "valid" certificate; I took the above screenshot after I had wandered around about:

Certificate

-----BEGIN CERTIFICATE-----
MIIGeTCCBWGgAwIBAgIRAIipsrRegihYkMrHOqYowpcwDQYJKoZIhvcNAQELBQAw
cjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMRAwDgYDVQQHEwdIb3VzdG9uMRUw
EwYDVQQKEwxjUGFuZWwsIEluYy4xLTArBgNVBAMTJGNQYW5lbCwgSW5jLiBDZXJ0
aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xODA0MTgwMDAwMDBaFw0xODA3MTcyMzU5
NTlaMBsxGTAXBgNVBAMTEGludm9pYm52ZHN3YS5jb20wggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQClYiLFcvKVCIgeeAc76N8M6W7gBtXdwnaP2W6dH/Ea
NOKsgdxaavNAe7u8w5n7qoJFJDWSN0EDg/IeROyiRAvJEqT897TeYhdrVEQykMfj
08ApaiYbFvev1w6Wpd8tCslU5HBIWnRpLLBHqlmJO9qv+wxdtYGAhUGc4ACZ7Pxv
jU11QDmr1CR2RCXDYc+COC90y3xchqD0uwkkx3ZfhsMWuSqaoWxPRjuzkg8mdWcw
SA8cnAqwdCpiN8ZAPh6sOFJfziA6Cyql/P6sCEy0nHqy02fD7CoP67AujJeDSw++
2yV8NGQ3eEz2sG6N7FnLSlpz3fAAQNaljyiVV/ODd019AgMBAAGjggNfMIIDWzAf
BgNVHSMEGDAWgBR+A1plQWunfgrhuJ0I6h2OHWrHZTAdBgNVHQ4EFgQUbUSCsgVu
WLAhZW3HxTe9FQ7ilW4wDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGy
MQECAjQwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9D
UFMwCAYGZ4EMAQIBMEwGA1UdHwRFMEMwQaA/oD2GO2h0dHA6Ly9jcmwuY29tb2Rv
Y2EuY29tL2NQYW5lbEluY0NlcnRpZmljYXRpb25BdXRob3JpdHkuY3JsMH0GCCsG
AQUFBwEBBHEwbzBHBggrBgEFBQcwAoY7aHR0cDovL2NydC5jb21vZG9jYS5jb20v
Y1BhbmVsSW5jQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcnQwJAYIKwYBBQUHMAGG
GGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTCBtgYDVR0RBIGuMIGrghBpbnZvaWJu
dmRzd2EuY29tgh1hdXRvZGlzY292ZXIuaW52b2libnZkc3dhLmNvbYIXY3BhbmVs
Lmludm9pYm52ZHN3YS5jb22CFW1haWwuaW52b2libnZkc3dhLmNvbYIYd2ViZGlz
ay5pbnZvaWJudmRzd2EuY29tghh3ZWJtYWlsLmludm9pYm52ZHN3YS5jb22CFHd3
dy5pbnZvaWJudmRzd2EuY29tMIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHUA7ku9
t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFi2Zq7dAAABAMARjBEAiA8
0ii4N5XvlzyOZfolWfj9JuzWv051fTvQPlXkE5pDSwIgd2FCot15Hsh5GK0EpnXA
vRKeO72e4RthrWilg2jEsacAdgDbdK/uyynssf7KPnFtLOW5qrs294Rxg8ddnU83
th+/ZAAAAWLZmq5EAAAEAwBHMEUCIB78nCzYlXdiziyVqOfjffGbdDtUayAG/NrI
KnDyR+lKAiEA3TUYR1MPMvP6QXbGqbkhndr6TihtmddjO9dgSI2EX+swDQYJKoZI
hvcNAQELBQADggEBABvDhRRHMvNY3d/uUvXTxye/hj/go5QOrCbNI7j6c7zHIZcT
YWK1kvTdMXS6O1YJOvgm5dLA2YmKWsdyz2PfupxNJ6r0mzh3FSGhuWUxQ+Ptd4Fo
FMmOvweaKV6fRDT6l/xB167YCuQ7d2b3XVUzXTLpPxz27nv0Gre4lQXyMcA74Q55
2EO8rZCpTAELLLDW5xaiCZrlpgvVHsn6yWlxTLd2Mb8eMOV3PwhPtjkbYf9+2zWO
M9IGqHfVmsrZ5fTmyVCEQBlDUR0dAoUf7ST+HEd65RR+U1zAKlsLRlxA7JO8xsxx
MFQO4K0FOH+sNrLfdzG6io2JaUGL11pFwwYjHqE=
-----END CERTIFICATE-----

Output from openssl

openssl x509 -text -noout -in cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:a9:b2:b4:5e:82:28:58:90:ca:c7:3a:a6:28:c2:97
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
        Validity
            Not Before: Apr 18 00:00:00 2018 GMT
            Not After : Jul 17 23:59:59 2018 GMT
        Subject: CN=invoibnvdswa.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a5:62:22:c5:72:f2:95:08:88:1e:78:07:3b:e8:
                    df:0c:e9:6e:e0:06:d5:dd:c2:76:8f:d9:6e:9d:1f:
                    f1:1a:34:e2:ac:81:dc:5a:6a:f3:40:7b:bb:bc:c3:
                    99:fb:aa:82:45:24:35:92:37:41:03:83:f2:1e:44:
                    ec:a2:44:0b:c9:12:a4:fc:f7:b4:de:62:17:6b:54:
                    44:32:90:c7:e3:d3:c0:29:6a:26:1b:16:f7:af:d7:
                    0e:96:a5:df:2d:0a:c9:54:e4:70:48:5a:74:69:2c:
                    b0:47:aa:59:89:3b:da:af:fb:0c:5d:b5:81:80:85:
                    41:9c:e0:00:99:ec:fc:6f:8d:4d:75:40:39:ab:d4:
                    24:76:44:25:c3:61:cf:82:38:2f:74:cb:7c:5c:86:
                    a0:f4:bb:09:24:c7:76:5f:86:c3:16:b9:2a:9a:a1:
                    6c:4f:46:3b:b3:92:0f:26:75:67:30:48:0f:1c:9c:
                    0a:b0:74:2a:62:37:c6:40:3e:1e:ac:38:52:5f:ce:
                    20:3a:0b:2a:a5:fc:fe:ac:08:4c:b4:9c:7a:b2:d3:
                    67:c3:ec:2a:0f:eb:b0:2e:8c:97:83:4b:0f:be:db:
                    25:7c:34:64:37:78:4c:f6:b0:6e:8d:ec:59:cb:4a:
                    5a:73:dd:f0:00:40:d6:a5:8f:28:95:57:f3:83:77:
                    4d:7d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:7E:03:5A:65:41:6B:A7:7E:0A:E1:B8:9D:08:EA:1D:8E:1D:6A:C7:65

            X509v3 Subject Key Identifier: 
                6D:44:82:B2:05:6E:58:B0:21:65:6D:C7:C5:37:BD:15:0E:E2:95:6E
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.6449.1.2.2.52
                  CPS: https://secure.comodo.com/CPS
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.comodoca.com/cPanelIncCertificationAuthority.crl

            Authority Information Access: 
                CA Issuers - URI:http://crt.comodoca.com/cPanelIncCertificationAuthority.crt
                OCSP - URI:http://ocsp.comodoca.com

            X509v3 Subject Alternative Name: 
                DNS:invoibnvdswa.com, DNS:autodiscover.invoibnvdswa.com, DNS:cpanel.invoibnvdswa.com, DNS:mail.invoibnvdswa.com, DNS:webdisk.invoibnvdswa.com, DNS:webmail.invoibnvdswa.com, DNS:www.invoibnvdswa.com
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : EE:4B:BD:B7:75:CE:60:BA:E1:42:69:1F:AB:E1:9E:66:
                                A3:0F:7E:5F:B0:72:D8:83:00:C4:7B:89:7A:A8:FD:CB
                    Timestamp : Apr 18 16:33:39.188 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:3C:D2:28:B8:37:95:EF:97:3C:8E:65:FA:
                                25:59:F8:FD:26:EC:D6:BF:4E:75:7D:3B:D0:3E:55:E4:
                                13:9A:43:4B:02:20:77:61:42:A2:DD:79:1E:C8:79:18:
                                AD:04:A6:75:C0:BD:12:9E:3B:BD:9E:E1:1B:61:AD:68:
                                A5:83:68:C4:B1:A7
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9:
                                AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64
                    Timestamp : Apr 18 16:33:35.812 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:1E:FC:9C:2C:D8:95:77:62:CE:2C:95:A8:
                                E7:E3:7D:F1:9B:74:3B:54:6B:20:06:FC:DA:C8:2A:70:
                                F2:47:E9:4A:02:21:00:DD:35:18:47:53:0F:32:F3:FA:
                                41:76:C6:A9:B9:21:9D:DA:FA:4E:28:6D:99:D7:63:3B:
                                D7:60:48:8D:84:5F:EB
    Signature Algorithm: sha256WithRSAEncryption
         1b:c3:85:14:47:32:f3:58:dd:df:ee:52:f5:d3:c7:27:bf:86:
         3f:e0:a3:94:0e:ac:26:cd:23:b8:fa:73:bc:c7:21:97:13:61:
         62:b5:92:f4:dd:31:74:ba:3b:56:09:3a:f8:26:e5:d2:c0:d9:
         89:8a:5a:c7:72:cf:63:df:ba:9c:4d:27:aa:f4:9b:38:77:15:
         21:a1:b9:65:31:43:e3:ed:77:81:68:14:c9:8e:bf:07:9a:29:
         5e:9f:44:34:fa:97:fc:41:d7:ae:d8:0a:e4:3b:77:66:f7:5d:
         55:33:5d:32:e9:3f:1c:f6:ee:7b:f4:1a:b7:b8:95:05:f2:31:
         c0:3b:e1:0e:79:d8:43:bc:ad:90:a9:4c:01:0b:2c:b0:d6:e7:
         16:a2:09:9a:e5:a6:0b:d5:1e:c9:fa:c9:69:71:4c:b7:76:31:
         bf:1e:30:e5:77:3f:08:4f:b6:39:1b:61:ff:7e:db:35:8e:33:
         d2:06:a8:77:d5:9a:ca:d9:e5:f4:e6:c9:50:84:40:19:43:51:
         1d:1d:02:85:1f:ed:24:fe:1c:47:7a:e5:14:7e:53:5c:c0:2a:
         5b:0b:46:5c:40:ec:93:bc:c6:cc:71:30:54:0e:e0:ad:05:38:
         7f:ac:36:b2:df:77:31:ba:8a:8d:89:69:41:8b:d7:5a:45:c3:
         06:23:1e:a1

A Warning from Chrome

After I clicked on what I thought would take me to the login screen I got a warning from Chrome (so, that was nice):

Ignoring Chrome's Warning:

I was greeted by a page that, when resized, the prompt for the credentials didn't re-center itself.

Links for resetting your password, and questions, etc, went back to the same page.

Entered a Username.  Enter Password

After you enter your username you're prompted to enter your password.

"Forgot password" link on this didn't go anywhere either.  The form didn't correctly reinsert the value for "username" when I clicked on it.

Re-enter Your Password

Once you submit a password they ask you to enter it again:

Go to live.com

Then they dump you back onto live.com after the entire ordeal:

Notice how the dialogue box is correctly centered.  Also, the date at the bottom left is correct.