Phishing email passwords of domain owners

A small digression: the domains are registered to a mail.ru mailbox, but I have not used that mailbox for a long time and it is set to forward to gmail. The registrar is R01.

A letter with the subject “Complaint about the domain my-domain.ru” arrives with roughly this content:

Hello, dear customer.
The Registrar P01 received a complaint against the domain my-domain.ru from the IP address 46.18.200.45. This appeal has been assigned the number AM35930.
We inform you that the complaint was found to be unfounded, since the circumstances indicated by the author of the complaint did not find confirmation.
Based on the foregoing, sanctions on the domain my-domain.ru will not be applied.
The file with the text of the complaint is attached to this letter.

On the phone you can see that there are some attachments, but they look crooked. I decided to take a closer look on the computer. That is where the fun began.

Here's how the letter looked in the browser:

image

Sender: the sender is shown as info@r01.ru, and nothing indicates that the letter was sent through another domain, so you might think the message really came from the registrar.

Attachment design: the domain is registered to a mail.ru mailbox and the attachment is styled after that service, but seeing it in gmail also put me on guard.

When I tried to follow the links, the document opened for a couple of seconds and then asked me to enter the password for my mail.ru mailbox. Laziness won over entering the password: I simply took a screenshot of the page while it was open and read its contents from the picture, and then everything basically fell into place. The file is filler with no specifics, the registrar is R01 (the letter was sent correctly), and in the file they indicate the center. After that I looked at where they ask you to enter the password and dug up two addresses:


By the way, it is worth noting that they check the entered passwords quickly, because the response to my password arrived almost instantly:

image

In this whole story only one point confused me: why didn’t gmail indicate that the message was not sent from r01.ru?! The mailing goes out through sweb, which I notified; I received a reply that measures have been taken (which ones, I do not know). For the inquisitive:

letter source
Delivered-To: d***y@gmail.com
Received: by 10.28.25.130 with SMTP id 124csp1612639wmz;
        Mon, 14 Dec 2015 02:59:36 -0800 (PST)
X-Received: by 10.112.160.33 with SMTP id xh1mr12911366lbb.67.1450090776287;
        Mon, 14 Dec 2015 02:59:36 -0800 (PST)
Return-Path: 
Received: from mx70.mail.ru (mx70.mail.ru. [94.100.176.84])
        by mx.google.com with ESMTPS id vo10si16785629lbb.137.2015.12.14.02.5.5.35
        for 
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 14 Dec 2015 02:59:36 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning belebeycru@vh234.sweb.ru does not designate 94.100.176.84 as permitted sender) client-ip=94.100.176.84;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning belebeycru@vh234.sweb.ru does not designate 94.100.176.84 as permitted sender) smtp.mailfrom=belebeycru@vh234.sweb.ru;
       dmarc=fail (p=NONE dis=NONE) header.from=r01.ru
Received: from [77.222.56.130] (ident = mail)
	by mx70.mail.ru with local (envelope-from )
	id 1a8Qqt-0001M2-Ay
	for d***y@gmail.com; Mon, 14 Dec 2015 13:59:35 +0300
X-ResentFrom: 
X-MailRu-Forward: 1
Authentication-Results: mxs.mail.ru; spf=pass (mx70.mail.ru: domain of vh234.sweb.ru designates 77.222.56.130 as permitted sender) smtp.mailfrom=belebeycru@vh234.sweb.ru smtp.helo=vh234.sweb.ru
Received-SPF: pass (mx70.mail.ru: domain of vh234.sweb.ru designates 77.222.56.130 as permitted sender) client-ip=77.222.56.130; envelope-from=belebeycru@vh234.sweb.ru; helo=vh234.sweb.ru;
Received: from vh234.sweb.ru ([77.222.56.130]: 53758)
	by mx70.mail.ru with esmtp (envelope-from )
	id 1a8Qqs-0001Kw-Qa
	for d***y@mail.ru; Mon, 14 Dec 2015 13:59:35 +0300
X-Mru-BL: 0: 0
X-Mru-TLS: TLSv1.2: AES128-SHA
X-Mru-BadRcptsCount: 0
X-Mru-PTR: vh234.sweb.ru
X-Mru-NR: 1
X-Mru-OF: Linux (Ethernet or modem)
X-Mru-RC: RU
Received: from belebeycru by vh234.sweb.ru with local (Exim 4.84)
	(envelope-from )
	id 1a8Qqs-003gGZ-Lj
	for d***y@mail.ru; Mon, 14 Dec 2015 13:59:34 +0300
To: d***y@mail.ru
Subject: Complaint about the domain my-domain.ru
MIME-Version: 1.0
Content-type: text/html; charset=windows-1251
From: R01.RU 
Message-Id: 
Date: Mon, 14 Dec 2015 13:59:34 +0300
X-Sender-Uid: 11827
X-DMARC-Policy: none
X-DMARC-Result: fail
X-Mras: Ok
X-Mru-Authenticated-Sender: belebeycru@vh234.sweb.ru
X-Spam: undefined
X-DMARC-Policy: none
X-DMARC-Result: fail
X-Mras: Ok
X-Mru-Authenticated-Sender: belebeycru@vh234.sweb.ru
Hello, dear customer. 
...
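As an added example (not part of the post, and not code from R01, mail.ru or sweb), the following Python script pulls the SPF, DMARC and alignment facts out of a message source like the one above and states why a spoofed From header was delivered without being flagged. The sample headers are a constructed, trimmed copy of the ones reproduced in the post; victim@mail.ru and info@r01.ru stand in for the redacted addresses.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a trimmed copy of the headers reproduced in the post,
# keeping gmail's Authentication-Results header and the spoofed From line.
RAW_MESSAGE = """\
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning belebeycru@vh234.sweb.ru does not designate 94.100.176.84 as permitted sender) smtp.mailfrom=belebeycru@vh234.sweb.ru;
       dmarc=fail (p=NONE dis=NONE) header.from=r01.ru
Authentication-Results: mxs.mail.ru; spf=pass (mx70.mail.ru: domain of vh234.sweb.ru designates 77.222.56.130 as permitted sender) smtp.mailfrom=belebeycru@vh234.sweb.ru smtp.helo=vh234.sweb.ru
From: R01.RU <info@r01.ru>
To: victim@mail.ru
Subject: Complaint about the domain my-domain.ru

Hello, dear customer.
"""

def field(pattern, text):
    # First regex group, lower-cased, or None when the field is absent.
    m = re.search(pattern, text)
    return m.group(1).lower() if m else None

def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    # The topmost Authentication-Results header belongs to the last receiving
    # MX (mx.google.com); mail.ru's own, written before forwarding, sits below.
    auth = msg.get_all("Authentication-Results") or [""]
    flat = " ".join(str(auth[0]).split())  # unfold continuation lines
    from_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    mailfrom_domain = (field(r"smtp\.mailfrom=([^\s;]+)", flat) or "").rpartition("@")[2]
    # Relaxed DMARC alignment, simplified (no public-suffix list): the envelope
    # domain must equal the From domain or be a subdomain of it.
    aligned = bool(from_domain) and (
        mailfrom_domain == from_domain or mailfrom_domain.endswith("." + from_domain))
    result = {
        "from_domain": from_domain, "mailfrom_domain": mailfrom_domain,
        "spf": field(r"\bspf=(\w+)", flat), "dmarc": field(r"\bdmarc=(\w+)", flat),
        "dmarc_policy": field(r"\bp=(\w+)", flat), "aligned": aligned,
    }
    if result["dmarc"] == "fail" and result["dmarc_policy"] == "none":
        result["verdict"] = "suspect: From not aligned with envelope sender, DMARC fail not enforced (p=none)"
    elif result["dmarc"] == "fail":
        result["verdict"] = "fail: sender policy asks for quarantine/reject"
    else:
        result["verdict"] = "dmarc pass" if result["dmarc"] == "pass" else "no DMARC result"
    return result
```

The verdict for the sample is the post's situation in one line: the envelope sender is sweb, the From header claims r01.ru, DMARC fails, and r01.ru's p=none policy tells gmail to deliver anyway.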