I received a phish email, and by hovering over the clickable button I see an address beginning with the root URL “<name>.i”. I open another window and type just this URL in the address bar. It takes me to the home page of a legitimate (and completely unrelated) business.
Is there any point in forwarding the phish email to this company? Does the use of their URL mean the phisher is someone in the company, or can anyone just include a company’s URL within their own address?
If it helps, the clickable phish address had a long string following the root URL along the lines of: /lang.php?key=z%2B… *then the long string of numbers and letters ending in* %3D.
Just to be clear, I did not open the email (I used preview) and I know not to actually click anything in a phish email.
The % stuff is “percent encoding” of additional parts of the URL. It’s legitimately used to encode spaces in file names so that they can be passed into URLs, but it can encode any character.
What you had might have been a URL to a completely different site, and the right-hand part of it was encoded to hide it.
If only some parts after the top-level domain name were encoded, there might be a piece of malware in the company’s site taking requests for these specific addresses and forwarding them to the phisher’s site. The part after a ? in a URL is parameters: basically extra instructions for some script or other.
Phishing addresses often have legitimate-looking components in them, but with a bogus root URL making the rest of the string essentially meaningless - e.g., “www,urscrewd.it/www.fedex.com/tracking/yourpackage/somenumberstringhere” [deliberately busted string there] - wrap all that in a FedEx package tracking email and many users won’t notice the bogus part of the string.
But if you’ve legitimately stripped it down to the root URL and it comes up at a legit company… the only thing I can think of is that they’re one step ahead of you and are redirecting root inquiries to that plausible destination.
Do a WHOIS on the root domain. You may have to try several providers and dig to get past registration redirects etc.
Amateur Barbarian: This is an Italian condominium management company. When I looked up the root domain on WHOIS a person’s name is listed as registrant and as organization.
The company, root URL and owner’s name all look legitimate as far as I can tell.
I just ran it through URL Encode and Decode, and there are only two characters that were actually encoded, %2B which is a plus sign, and %3D which is an equals sign. Less obvious than I had hoped.
This LOOKS like a script called “lang” is running on the Studio David server, which takes the value provided after “key=” and does something. However, the web server could be configured to check every request to the Studio David site, and redirect the phishing ones elsewhere to display a different page, and Studio David would know nothing about it. Lots of different ways to do it…
This would require access to Studio David’s hosting account, deliberate or unwitting. (ISTR reading of malware on web servers…)
And another thought… the script called lang could be running there legitimately, but it could be badly-constructed so that handing it that specific key would cause it to do something Bad…
The result of the URL decode is a base64 encoded string. Decoding that returns a load of non-printable hex. Base64 is often used to encode a string that has been encrypted.
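The manual steps the thread walks through (split off the real host, percent-decode the query, see which characters were actually encoded, then test whether the key is base64 and whether it decodes to text or opaque binary) can be scripted. The following is an added Python example, not code from anyone in the thread; the sample URL, the host name studio-example.it and the 17-byte payload are constructed so the script runs offline, and the brand words in the lookalike check are assumptions.

```python
"""Triage a suspicious link the way the thread does by hand: real host, percent-decoded
parameters, which characters were encoded, and whether a parameter is base64 of binary."""
import base64
import binascii
import re
import string
from urllib.parse import urlsplit, parse_qs, quote

# Constructed sample, NOT the link from the thread: a legitimate-looking .it root domain,
# a lang.php script, and a key that is a percent-encoded base64 blob of opaque bytes.
# 17 bytes -> base64 ends in a single '=' just like the string the poster described.
_FAKE_PAYLOAD = bytes([0x8B, 0x03, 0xE7, 0x41, 0x9C, 0x00, 0xF2, 0x17,
                       0x6A, 0xC4, 0x08, 0xBD, 0x33, 0x91, 0x7E, 0xA5, 0x5D])
# quote(..., safe="") encodes '+' as %2B and '=' as %3D; '+' MUST be encoded in a query
# string or the receiving script would turn it into a space.
SAMPLE_URL = ("http://studio-example.it/lang.php?key="
              + quote(base64.b64encode(_FAKE_PAYLOAD).decode(), safe=""))

# Constructed lookalike: brand name planted in the path, bogus root domain.
LOOKALIKE_URL = "http://www.example-bogus.it/www.fedex.com/tracking/yourpackage/123456"

PRINTABLE = set(string.printable.encode())


def split_link(url):
    """Return the registered host, the path, and the percent-decoded query parameters."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)  # parse_qs percent-decodes
    return parts.hostname, parts.path, {k: v[0] for k, v in params.items()}


def encoded_chars(url):
    """List the characters that were percent-encoded (what the poster checked by hand)."""
    hexes = re.findall(r"%([0-9A-Fa-f]{2})", url)
    return sorted({bytes.fromhex(h).decode("latin-1") for h in hexes})


def try_base64(value):
    """Decode value as strict base64; return None if it is not well-formed base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII; low values suggest ciphertext/binary."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def triage(url):
    """Produce a small report: host, path, and per-parameter base64/printability findings."""
    host, path, params = split_link(url)
    report = {"host": host, "path": path, "encoded_chars": encoded_chars(url), "params": {}}
    for name, value in params.items():
        raw = try_base64(value)
        report["params"][name] = {
            "decoded_value": value,
            "is_base64": raw is not None,
            "printable_ratio": printable_ratio(raw) if raw is not None else None,
        }
    return report


def brand_in_path_not_host(url, brands=("fedex", "usps", "paypal")):
    """Flag links where a brand name sits in the path/query but not in the real host
    (the 'www,urscrewd.it/www.fedex.com/...' pattern described in the thread)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    rest = (parts.path + "?" + parts.query).lower()
    return [b for b in brands if b in rest and b not in host]


if __name__ == "__main__":
    print(triage(SAMPLE_URL))
    print("brand-in-path hits:", brand_in_path_not_host(LOOKALIKE_URL))
```

The host reported by `triage` is the only part of the link that says who will receive the request; everything after the `?` is data handed to that host's script, which is why a brand name in the path proves nothing about who owns the site.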
I’ll second Sunspace’s suggestion that it could be a legitimate script that’s being misused. I can very easily imagine a language selection script being abused by creating a bogus language page that redirects to a malware page.
And absolutely inform the site administrator if you think his/her site is being used for phishing. How else will he know his site’s been hacked?
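Sunspace's "badly-constructed script" and the "language selection script being abused" idea above both describe the same defect: a redirect handler that lets the request decide where the visitor ends up. The following is an added Python illustration, not the site's real lang.php (whose behaviour nobody in the thread has seen); it assumes, purely for the example, that the key is a base64-encoded destination, and the host name studio-example.it and the page table are constructed.

```python
"""Hypothetical 'lang' handler two ways: one that trusts its key parameter (an open
redirect) and one that only selects from a fixed table. Illustrative, not the real script."""
import base64
import binascii
from urllib.parse import urlsplit

SITE_HOST = "studio-example.it"                                   # constructed placeholder
LANG_PAGES = {"it": "/index_it.html", "en": "/index_en.html"}     # allowlist of real pages


def redirect_target_unsafe(key):
    """Vulnerable pattern (assumed for illustration): the key is base64 of the page to
    send the visitor to, so any crafted key turns the site into an open redirector."""
    try:
        return base64.b64decode(key, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return "/"


def redirect_target_safe(key):
    """Hardened pattern: the key is only a lookup into LANG_PAGES; unknown keys fall
    back to the home page, and no request can name an external host."""
    return LANG_PAGES.get(key, "/")


def is_offsite(target):
    """True when a redirect target leaves SITE_HOST; useful as a log/alert rule
    if a legacy handler like the unsafe one cannot be replaced immediately."""
    parts = urlsplit(target)
    return bool(parts.scheme) and parts.hostname != SITE_HOST


if __name__ == "__main__":
    crafted = base64.b64encode(b"http://bad.example/USPS_Label.zip").decode()  # constructed
    print("unsafe ->", redirect_target_unsafe(crafted), "offsite:", is_offsite(redirect_target_unsafe(crafted)))
    print("safe   ->", redirect_target_safe(crafted))
```

The fix is not input sanitising but removing the capability: once the parameter can only pick an entry from a table the site owner controls, the question "what does this key do?" has a bounded answer, and `is_offsite` gives the administrator a one-line check to run over their access logs while they look for the modification.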
Yes, I plan to today. I’m trying to come up with a subject line that will get serious attention. I’m also considering whether to use English or “broken” Italian via Google translator.
From a machine that is going to be wiped I went to the URL. It tried to download a zip file called USPS_Label_US_ and the rest of the name had my town and zipcode.
Opening it with 7-zip for viewing gave me a file called USPS_Label_US_Toms_River_08753.exe
I’d rather not, in fear of it attacking other systems on my network at home. I did run it through VirusTotal and only McAfee says there is something suspicious. VirusTotal does show the app trying to open port 123 to 64.4.10.33.