In my previous post, I wrote about Basic Hints to Identify a Gumtree Spoofed email, which is an introduction and the context of this post.
In this post I’m writing about what I found in the URL linked by that spoofed email.
This post, like the previous one on this topic, doesn't present any hacking technique. Again, I'm not a hacker, I'm just another common geek, so don't expect to read about a new kind of attack or hacking trend, just a bit more technical detail of what I did for fun when I received that email.
The first thing I did was take a look at the raw format of the email; however, as I expected, there was nothing important there. SPF passed, as expected, because the sender address is a Gmail one: Google isn't going to ban itself if the email was sent through its own servers, and nobody is going to use a Gmail address to send through servers other than the official ones, because there is no value in it. If somebody wants to do that, it's because they want the email to carry the domain of the sender they are trying to impersonate, which in this case would be Gumtree, not Gmail.
Moreover, in this case the content of the email was base64-encoded, so it was easier to see the domain the link points to by hovering the mouse over it and looking at the bottom of the browser window than by decoding the base64. Anyway, the content was the following:
I got the link; nonetheless, I don't trust visiting it straight away in a normal browser without first taking a look at what is behind it, just in case they could take advantage of some security hole. Although I'd probably browse it in the end, I prefer to have a rough idea of what scripts and URLs it includes.
curl the URL
After that I realised that they used an intermediate URL to redirect to the actual site.
curl doesn't follow redirections by default, so I followed the redirection with
Why did they do all of this? I don't know the right answer, I didn't build it ;P, but I guess they did it for these reasons:
It helps to sidetrack the spam filters.
Because of that, I decided to curl the URL and filter (with grep) the content that could do harm. It isn't the only thing to look for, but finding the <script> tags and src attributes shows, with little effort, what in the page may be dangerous.
Great, only some CSS and one image, and they are linked to the Gumtree domain (sa.gumtree.com), so if we trust Gumtree, we know they shouldn't contain anything malicious.
As we can see, the web site tries to simulate the Gumtree login form. Have you got the point of the URL? They added the Gumtree domain name into it to mislead the visitor and make him/her believe he/she is on a Gumtree web page, but clearly it sits at the end, in the query string part of the URL, so it has nothing to do with the domain name.
I could have pressed the button to go to that URL, but I preferred to load the URL straight away and see how well they built it.
Clearly, no quality at all: they didn't implement any check, the URL could be loaded by GET rather than POST, and the Gumtree domain in the URL is just visual misdirection.
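The inspection described above (fetching the link with curl instead of a browser, following the intermediate redirect, and grepping the HTML for script tags and src attributes), together with the point that a trusted domain name in the query string says nothing about where the browser actually connects, as one added shell example that is not part of the original post. The HTML sample is constructed to resemble the page described, phish.example and cdn.example are placeholder hosts, and final_url only runs when you pass a URL on the command line.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumptions: the phishing
# domain is not known here, so "phish.example" is a placeholder, and the
# HTML below is constructed to resemble the page described in the post.

# Follow the intermediate redirect(s) without rendering anything and print
# the final URL. Only used when a URL is passed on the command line.
final_url() {
  curl -sSL -o /dev/null -w '%{url_effective}\n' "$1"
}

# Print only the tags that load or send content: scripts, images, frames,
# stylesheets and forms. Input is a saved HTML file.
audit_html() {
  grep -oiE '<script[^>]*>|<(img|iframe|link|form)[^>]*>' "$1"
}

# Distinct hosts referenced by src=, href= or action= attributes, so that
# anything outside the domain we trust stands out.
external_hosts() {
  grep -oiE "(src|href|action)=[\"']?https?://[^/\"' >]+" "$1" \
    | sed -E 's#.*://##' | sort -u
}

# The host a browser actually connects to: everything after the scheme and
# before the first "/" or "?". Anything after that point is path or query
# string and does not change the destination.
url_host() {
  printf '%s\n' "$1" | sed -E 's#^[a-zA-Z]+://##; s#[/?].*$##'
}

# Constructed sample: the stylesheet and image point at the real Gumtree
# static host, one script points elsewhere, and the form action carries the
# Gumtree name only in its query string.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
<html><head>
<link rel="stylesheet" href="https://sa.gumtree.com/static/style.css">
<script src="https://cdn.example/track.js"></script>
</head><body>
<form method="post" action="login.php?return=https://www.gumtree.com/">
<img src="https://sa.gumtree.com/static/logo.png">
<input name="email"><input name="password"><input type="submit">
</form></body></html>
EOF

if [ -n "${1:-}" ]; then
  echo "Final URL after redirects: $(final_url "$1")"
fi
echo "Tags that load or send content:"; audit_html "$SAMPLE"
echo "Hosts referenced:"; external_hosts "$SAMPLE"
echo "Host actually visited:"; url_host 'http://phish.example/login.php?site=gumtree.com'
```

Run it with no arguments to see the constructed sample analysed, or pass a URL as the first argument to print where the redirect chain ends. For a real page, save it first with curl -sL -o page.html and then feed page.html to audit_html and external_hosts; any host in that list that is not the one you trust deserves a closer look before the page is ever opened in a browser.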
The page after that is the interesting one for them: they want to collect our credit/debit card details, which is basically where they make money after all their effort. I applied the same technique as before and loaded the URL straight away; I felt reasonably safe doing it, although I don't have any strong technical argument for it.
And that's it: once they get what they want, they show you the expected message and redirect you to the Gumtree home page, so that the victim doesn't notice their domain, in case he/she hasn't already, and they don't lose the income.
Phishing emails are still around; nowadays I guess fewer people get caught by them, but the senders probably still get some victims. Even though the rate should be low, building a fake Gumtree page is easy and cheap, both in look & feel and in the place to store the data collected from those forms.
As a piece of advice, always check the entire URL in the browser, don't get distracted by one part of it, and look thoroughly for anything strange before sending any credit/debit card information.