So I opened the attachment, now what?
August 29, 2018 10:21 PM Subscribe
I was forwarded a (most likely) malicious e-mail, and I opened the attachment. Now what?
I was on a Windows 10 computer. I was forwarded an e-mail, opened it in Chrome, clicked on the .htm attachment, it opened a new tab in Chrome and nothing was there and I realized...hmmm, this isn't right. I went back to the e-mail and saw that it was clearly phishing or something. I disconnected my computer from the network and wifi, ran anti-virus software twice, went into Chrome advanced settings and deleted everything saved there, and reset all of my passwords. IT at work says I'm safe.
Am I safe? Anything else I should do? Anything I CAN do?
Yes, I'm terrible.
I was on a Windows 10 computer. I was forwarded an e-mail, opened it in Chrome, clicked on the .htm attachment, it opened a new tab in Chrome and nothing was there and I realized...hmmm, this isn't right. I went back to the e-mail and saw that it was clearly phishing or something. I disconnected my computer from the network and wifi, ran anti-virus software twice, went into Chrome advanced settings and deleted everything saved there, and reset all of my passwords. IT at work says I'm safe.
Am I safe? Anything else I should do? Anything I CAN do?
Yes, I'm terrible.
I think you're very likely OK. Modern browsers - Chrome included - do a pretty solid job of sandboxing local html files. If the file was malicious, it was likely targeting IE6 or other obsolete browsers.
posted by kickingtheground at 10:29 PM on August 29, 2018 [2 favorites]
posted by kickingtheground at 10:29 PM on August 29, 2018 [2 favorites]
Also, if it was "clearly phishing" and you didn't enter any passwords, the most likely thing is that you've just been the target of a phishing attempt that you've detected and (non-)responded appropriately to, and that work IT's assessment is correct.
There's a lot of emphasis placed on Never Opening The Attachment but that doesn't give attachments mystical powers. Send me a copy and I'll tell you what powers it does have. Most likely: none beyond masquerading as somebody else's login page.
posted by flabdablet at 10:35 PM on August 29, 2018 [3 favorites]
There's a lot of emphasis placed on Never Opening The Attachment but that doesn't give attachments mystical powers. Send me a copy and I'll tell you what powers it does have. Most likely: none beyond masquerading as somebody else's login page.
posted by flabdablet at 10:35 PM on August 29, 2018 [3 favorites]
OK, so the bad news is that it's not nothing, it's a bunch of obfuscated Javascript that does something. Currently de-obfuscating it to find out what that might be.
posted by flabdablet at 11:33 PM on August 30, 2018 [1 favorite]
posted by flabdablet at 11:33 PM on August 30, 2018 [1 favorite]
Best answer: Near as I can tell, all the script does is unpack a facsimile of a Google Docs page showing a document called "Proof of Payment.jpg" with a "View Document" link underneath it (to tie in with the "Can't open this but is this the receipt?" narrative in the original email). Clicking on the link brings up a facsimile of a Google sign-in page, asking for an email address, password and phone number.
Entering youwish@example.com for the email address, hunter2 for the password and 555-1234 for the phone number causes a HTTP POST request to /sno3034854958435454y6/doc.php at host 4f139.f139434.96.lt, with the query string yasse=youwish%40example.com&yasspp=hunter2&fon=555-1234.
The browser's network log then gets cleared to make it harder to see that this POST request has happened, and the fake sign-in page is then replaced by the one at http://example.com (i.e. the website associated with the supplied email address). So if you were naive enough to enter your Gmail credentials at the fake sign-in page, what you'd see would look enough like a failed sign-in attempt that you probably wouldn't think about it much, but your Gmail address and password, along with the phone number you probably use for 2FA, would have been sent along to a Latvian-registered web server controlled by phisherpholk.
That's the extent of it, as far as I can tell. I could find no evidence that the script leaves anything behind on the local computer or does anything nefarious to it beyond making it present the phishing attempt.
The person who sent you this mail apparently did so from a Gmail address. If that is actually somebody known to you, there is a good chance that that Gmail address is now controlled by weird phish people and that a heads-up from you would be appreciated.
posted by flabdablet at 1:04 AM on August 31, 2018 [8 favorites]
Entering youwish@example.com for the email address, hunter2 for the password and 555-1234 for the phone number causes a HTTP POST request to /sno3034854958435454y6/doc.php at host 4f139.f139434.96.lt, with the query string yasse=youwish%40example.com&yasspp=hunter2&fon=555-1234.
The browser's network log then gets cleared to make it harder to see that this POST request has happened, and the fake sign-in page is then replaced by the one at http://example.com (i.e. the website associated with the supplied email address). So if you were naive enough to enter your Gmail credentials at the fake sign-in page, what you'd see would look enough like a failed sign-in attempt that you probably wouldn't think about it much, but your Gmail address and password, along with the phone number you probably use for 2FA, would have been sent along to a Latvian-registered web server controlled by phisherpholk.
That's the extent of it, as far as I can tell. I could find no evidence that the script leaves anything behind on the local computer or does anything nefarious to it beyond making it present the phishing attempt.
The person who sent you this mail apparently did so from a Gmail address. If that is actually somebody known to you, there is a good chance that that Gmail address is now controlled by weird phish people and that a heads-up from you would be appreciated.
posted by flabdablet at 1:04 AM on August 31, 2018 [8 favorites]
This thread is closed to new comments.
posted by flabdablet at 10:29 PM on August 29, 2018 [2 favorites]