An Internet user contacted me earlier on Facebook with a screenshot showing what looked like an email from firstname.lastname@example.org. It’s only when I reached home in the evening that I was able to analyze.
The content shows an image link that most probably will open to somewhere outside govmu.org. The funny part is the Google Docs mention (which is a fake footer). I had nostalgic moments.
Let’s analyze the email header.
x-store-info:4r51+eLowCe79NzwdU2kR3P+ctWZsO+J Authentication-Results: hotmail.com; spf=none (sender IP is 209.165.xxx.xxx) email@example.com; dkim=none header.d=psc.govmu.org; x-hmca=none firstname.lastname@example.org
I hid the sender IP address on purpose ^^
When I ran an IP lookup, it came out that the location of that address is the United States, while the Mauritian Government email servers reside in Mauritius itself.
Next, the header says spf=none. However, a few months ago I was delighted to find the Government finally implemented SPF & DKIM. I did a quick check and govmu.org responds positive for SPF while psc.govmu.org fails. The following test shows that there are no MX record for psc.govmu.org; therefore the email could not have originated from a designated email server.
; <<>> DiG 9.8.3-P1 <<>> MX psc.govmu.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40672 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;psc.govmu.org. IN MX ;; AUTHORITY SECTION: govmu.org. 156 IN SOA pdns05.domaincontrol.com. dns.jomax.net. 2015012000 28800 7200 604800 600 ;; Query time: 199 msec ;; SERVER: 126.96.36.199#53(188.8.131.52) ;; WHEN: Thu Jan 22 20:57:45 2015 ;; MSG SIZE rcvd: 104
Please ignore the SOA part of govmu.org, I know it raises eyebrows to see a Government purchasing a domain name at GoDaddy. Well… erhmm…
Finally, a look at the email content source.
<img src=3D"http://www.graphicsfuel.com/wp-content= /uploads/2012/03/folder-icon-512x512.png" alt=3D"Folder Logo" style=3D"vertical-align:middle;width:15px;height:15px;"> </td> <td style=3D"vertical-align:top;padding-bottom:7px;fo= nt-size:16px;padding-left:5px;"> <a rel=3D"nofollow" target=3D"_blank" href= =3D"http://mu-doc-gov.ho33.com/proposall/online.htm" = style=3D"vertical-align:middle;text-decorat= ion:none;color:#1154cc;">Proposal</a> </pre>A code excerpt copied as it appears in the email sourceSo, the folder icon that we see in the screenshot above is actually pulled from a WordPress blog at graphicsfuel.com. The text Proposal is a link to a non-govmu.org address, where a subdomain mu-doc-gov.ho33.com has been created. The spammers did put some effort. I should thank Yudish for providing me the header details from the email he received. Later, however when I checked my email spambox, I happened to have received it too. Million dollar question now, where did the spammers get so many Mauritian email addresses? O.o<td style=3D"padding:0;color:#808080;font-size:11p= x;" valign=3D"middle">Google Docs makes it easy to create, store and share = online documents, spreadsheets and presentations.. </td> <td style=3D"text-align:right;" valign=3D"middle"> <a rel=3D"nofollow" target=3D"_blank" href=3D"h= ttps://drive.google.com"> <img src=3D"http://upload.wikimedia.org/wikip= edia/commons/5/51/Google.png" alt=3D"Google Logo" style=3D"border:0;vertical-align:middle;padding-top:12px;padding-bottom:= 4px;margin-left:34px; width:150px;height:50px;" >This part might make some people giggle as it appears the Google Docs footer had to pull the Google logo from Wikipedia. Folks have been discussing this incident in the Mauritius Internet Users mailing list. I sent a phishing alert to CERT-MU through their vulnerability email as their Incident Reporting Tool is a nonsense; something which I voiced in the Cyber Security Conference. Hmm, but it seems like no one is interested in improving that. Well, folks, CERT-MU says it or not, just be on guard if you receive emails from anything.govmu.org.