Is this Amazon Business email a phishing attempt?

information-security phishing email-spoofing
2021-08-31 03:54:16

Today I received a message claiming to be from Amazon. [Screenshot] Normally I can spot a phishing email from a mile away (I work in the Abuse & NOC department of an ISP), but something about this one seems off. If it is phishing, it's a frightening one.

One hint that it isn't real is that it was sent to the {the A in Q&A}@eoni.com address, which has no Kenneth on it (it is the tech-support address of our ISP, which also provides domain hosting). The fact that they used that address makes me think it was probably harvested automatically (whois, most likely). Chances are one of the domains we host belongs to a customer named Kenneth, and that domain has our contact address in its whois record somewhere. We host enough domains that a first name alone isn't enough to find the domain in question and check its whois record.

Being in the abuse department, I'd like to know whether this is genuine (so that if it isn't, I can report it, and if it is phishing, possibly block it from working on our network).

Here are the headers:

Return-Path: <01010157e278aa63-283a615a-b603-4300-8c6f-8426b3978f81-000000@us-west-2.amazonses.com>
Delivered-To: {a in Q&A}@eoni.com
Received: (qmail 8542 invoked from network); 20 Oct 2016 14:22:22 -0000
Received: from a27-163.smtp-out.us-west-2.amazonses.com (HELO a27-163.smtp-out.us-west-2.amazonses.com) (54.240.27.163)
    by adam6.eoni.com with (AES128-SHA encrypted) SMTP
    (9d6af486-96d0-11e6-bacc-001e67492cec); Thu, 20 Oct 2016 07:22:22 -0700
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=iapqtturmhylirl6i5t3a2ps2ewsadsl; d=business.amazon.com;
    t=1476973341;
    h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type:List-Unsubscribe;
    bh=CqDwwona4ZmOCsT+zgi3DKmE5lkxklMdpT65fdXrB1c=;
    b=UAkSuvsci14jfOFm+fW8S5l3ntdIbESTZB8eHvo6+itz4xiYy9sxXQ1RoXIJIGq9
    3ny5HJIKyI6wkjKRWnX6TQ3EHhDqDFlkB75Z1NzHNlp/5NUA8cEa6ua+wq1sWdyG33o
    k5gn5Kkz3v72uQMAhT6Dqq/3DSW9ipDMzrHF12Fs=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=gdwg2y3kokkkj5a55z2ilkup5wp5hhxx; d=amazonses.com; t=1476973341;
    h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type:List-Unsubscribe:Feedback-ID;
    bh=CqDwwona4ZmOCsT+zgi3DKmE5lkxklMdpT65fdXrB1c=;
    b=BdhqUbp6t3dhXe83M3isFcjV2hXaT6rAhCxPN/WXWepJngjhi1EO3Sgd5SbkaEjj
    6dzzlfljD+nKTJH2r9Kd1COeXqc5tgSeMEmVYV1TpmIRhc1fU9RUULRKG4ojxs0msSb
    RDRzSCa83Se484s7KDNwb5LWixFn7jo3oL7DFKx0=
Message-ID: <01010157e278aa63-283a615a-b603-4300-8c6f-8426b3978f81-000000@us-west-2.amazonses.com>
Date: Thu, 20 Oct 2016 14:22:21 +0000
Subject: Free Upgrade to Amazon Business Account
From: Amazon <no-reply@business.amazon.com>
To: {A in Q&A}@eoni.com
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="_=_swift_v4_1476973341_6e5cebc34b840a2a68132f6e212fdc76_=_"
X-Pardot-Route: 113:54552:359489270
List-Unsubscribe: <http://www.amazonbusiness.com/unsubscribe/u/54552/6674f6c0dd8377b4a26688a664718cffd707396fd788791d186acab4a81bd210/359489270>
X-Report-Abuse-To: abuse@pd25.com
X-SES-Outgoing: 2016.10.20-54.240.27.163
Feedback-ID: 1.us-west-2.DslCQSzKRwSQ0bYxCfi+GcY39H31l7QrR+kFUIOTrc4=:AmazonSES
X-MagicMail-OS: Inactive
X-MagicMail-UUID: 9d6af486-96d0-11e6-bacc-001e67492cec
X-MagicMail-SourceIP: 54.240.27.163
X-MagicMail-RegexMatch: 0
X-MagicMail-EnvelopeFrom: <01010157e278aa63-283a615a-b603-4300-8c6f-8426b3978f81-000000@us-west-2.amazonses.com>
X-MagicMail-Original-Destination: {A in Q&A}@eoni.com
X-MagicMail-Quarantine: Yes

Looking at the headers, I see it came from what I believe is AWS's email service (which anyone can buy and send email through), so that does not convince me it's Amazon. I see references to Pardot, which is a Salesforce B2B marketing automation system. That seems odd; it wouldn't be inside Amazon, but they could be using such a system. So I don't know what to make of it.

If this is an attack it has to work somehow. Where do the links go?

Create my account: http://www.amazonbusiness.com/e/54552/gistration-start-ref-b2b-e459b/jt2hvr/359489270

Unsubscribe: http://www.amazonbusiness.com/preferences/?ehash=6674f6c0dd8377b4a26688a664718cffd707396fd788791d186acab4a81bd210&email_id=359489270

Update email preferences: http://www.amazonbusiness.com/preferences/?ehash=6674f6c0dd8377b4a26688a664718cffd707396fd788791d186acab4a81bd210&email_id=359489270

None of these use SSL, but "Create my account" redirects to:

https://www.amazon.com/ap/signin?openid.return_to=https%3A%2F%2Fwww.amazon.com%2Fbb%2Fregistration%2Fconfirmation%2Fref%3Db2b_reg_st_rd&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=usflex&openid.mode=checkid_setup&marketPlaceId=ATVPDKIKX0DER&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&pageId=authportal_b2b_login&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.pape.max_auth_age=0&siteState=pageFlowType%3DLOGIN%2CclientContext%3D168-4326428-9305323%2CsourceUrl%3Dhttps%253A%252F%252Fwww.amazon.com%252Fbb%252Fregistration%252Fconfirmation%252Fref%253Db2b_reg_st_rd%2Csignature%3DLXjj2FO0jmvxdiEVn0vZfa3j2BZbIE4j3D&ref_=null

OK, so where is this amazonbusiness.com domain hosted? Who owns the name? Surely Amazon hosts all of its own sites on AWS, right?

dig a www.amazonbusiness.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> a www.amazonbusiness.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58074
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.amazonbusiness.com.        IN  A

;; ANSWER SECTION:
www.amazonbusiness.com. 820 IN  CNAME   go.pardot.com.
go.pardot.com.      7199    IN  CNAME   pi.pardot.com.
pi.pardot.com.      29  IN  CNAME   pi-dfw.pardot.com.
pi-dfw.pardot.com.  29  IN  CNAME   pi-dfw-lb1.pardot.com.
pi-dfw-lb1.pardot.com.  899 IN  A   136.147.104.32

;; Query time: 57 msec
;; SERVER: 192.168.88.1#53(192.168.88.1)
;; WHEN: Thu Oct 20 08:21:50 PDT 2016
;; MSG SIZE  rcvd: 143

Compare that with amazon.com itself:

dig a amazon.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> a amazon.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40326
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;amazon.com.            IN  A

;; ANSWER SECTION:
amazon.com.     23  IN  A   54.239.25.208
amazon.com.     23  IN  A   54.239.17.7
amazon.com.     23  IN  A   54.239.26.128
amazon.com.     23  IN  A   54.239.25.192
amazon.com.     23  IN  A   54.239.17.6
amazon.com.     23  IN  A   54.239.25.200

;; Query time: 1 msec
;; SERVER: 192.168.88.1#53(192.168.88.1)
;; WHEN: Thu Oct 20 09:02:34 PDT 2016
;; MSG SIZE  rcvd: 124

OK, so who owns the IP address space of the possibly fake site:

whois 136.147.104.32

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=136.147.104.32?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       136.147.0.0 - 136.147.255.255
CIDR:           136.147.0.0/16
NetName:        SFDC-3
NetHandle:      NET-136-147-0-0-1
Parent:         NET136 (NET-136-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS14340
Organization:   Salesforce.com, Inc. (SALESF-3)
RegDate:        2012-02-24
Updated:        2014-07-14
Ref:            https://whois.arin.net/rest/net/NET-136-147-0-0-1


OrgName:        Salesforce.com, Inc.
OrgId:          SALESF-3
Address:        1 Market Street
Address:        Suite 300
City:           San Francisco
StateProv:      CA
PostalCode:     94105
Country:        US
RegDate:        1999-11-30
Updated:        2014-11-20
Ref:            https://whois.arin.net/rest/org/SALESF-3


OrgAbuseHandle: NOC1403-ARIN
OrgAbuseName:   Network Operations Center
OrgAbusePhone:  +1-415-901-7000 
OrgAbuseEmail:  arin@salesforce.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/NOC1403-ARIN

OrgNOCHandle: NOC1403-ARIN
OrgNOCName:   Network Operations Center
OrgNOCPhone:  +1-415-901-7000 
OrgNOCEmail:  arin@salesforce.com
OrgNOCRef:    https://whois.arin.net/rest/poc/NOC1403-ARIN

OrgAbuseHandle: SAN76-ARIN
OrgAbuseName:   Salesforce Abuse NOC
OrgAbusePhone:  +1-703-463-3219 
OrgAbuseEmail:  abuse@salesforce.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/SAN76-ARIN

OrgTechHandle: NOC1403-ARIN
OrgTechName:   Network Operations Center
OrgTechPhone:  +1-415-901-7000 
OrgTechEmail:  arin@salesforce.com
OrgTechRef:    https://whois.arin.net/rest/poc/NOC1403-ARIN

RNOCHandle: NOC1403-ARIN
RNOCName:   Network Operations Center
RNOCPhone:  +1-415-901-7000 
RNOCEmail:  arin@salesforce.com
RNOCRef:    https://whois.arin.net/rest/poc/NOC1403-ARIN

RAbuseHandle: SAN76-ARIN
RAbuseName:   Salesforce Abuse NOC
RAbusePhone:  +1-703-463-3219 
RAbuseEmail:  abuse@salesforce.com
RAbuseRef:    https://whois.arin.net/rest/poc/SAN76-ARIN

RTechHandle: NOC1403-ARIN
RTechName:   Network Operations Center
RTechPhone:  +1-415-901-7000 
RTechEmail:  arin@salesforce.com
RTechRef:    https://whois.arin.net/rest/poc/NOC1403-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

So, not on AWS. Compare with who owns the IP address space hosting Amazon.com:

whois 54.239.26.128

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=54.239.26.128?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       54.224.0.0 - 54.239.255.255
CIDR:           54.224.0.0/12
NetName:        AMAZON-2011L
NetHandle:      NET-54-224-0-0-1
Parent:         NET54 (NET-54-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS16509
Organization:   Amazon Technologies Inc. (AT-88-Z)
RegDate:        2012-03-01
Updated:        2012-04-02
Ref:            https://whois.arin.net/rest/net/NET-54-224-0-0-1


OrgName:        Amazon Technologies Inc.
OrgId:          AT-88-Z
Address:        410 Terry Ave N.
City:           Seattle
StateProv:      WA
PostalCode:     98109
Country:        US
RegDate:        2011-12-08
Updated:        2014-10-20
Comment:        All abuse reports MUST include:
Comment:        * src IP
Comment:        * dest IP (your IP)
Comment:        * dest port
Comment:        * Accurate date/timestamp and timezone of activity
Comment:        * Intensity/frequency (short log extracts)
Comment:        * Your contact details (phone and email) Without these we will be unable to identify the correct owner of the IP address at that point in time.
Ref:            https://whois.arin.net/rest/org/AT-88-Z


OrgTechHandle: ANO24-ARIN
OrgTechName:   Amazon EC2 Network Operations
OrgTechPhone:  +1-206-266-4064 
OrgTechEmail:  amzn-noc-contact@amazon.com
OrgTechRef:    https://whois.arin.net/rest/poc/ANO24-ARIN

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName:   Amazon EC2 Abuse
OrgAbusePhone:  +1-206-266-4064 
OrgAbuseEmail:  abuse@amazonaws.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/AEA8-ARIN

OrgNOCHandle: AANO1-ARIN
OrgNOCName:   Amazon AWS Network Operations
OrgNOCPhone:  +1-206-266-4064 
OrgNOCEmail:  amzn-noc-contact@amazon.com
OrgNOCRef:    https://whois.arin.net/rest/poc/AANO1-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

So Amazon.com is on AWS, as I expected.

At this point I'm not sure whether this email is fake. Is it? If so, how does it work? It seems to be doing something with OpenID; what is going on there? And how can I be sure in the future?
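The question closes by asking how to be sure in future. The checks a mail-abuse desk would apply to the headers above are: which domain DKIM-signed the message, whether the signer and the envelope sender (Return-Path) align with the From: domain, the identifier-alignment test DMARC applies, and whether the links point at the sender's own registrable domain. The following Python is an added example, not part of the question or of any answer; it runs those checks over the headers and links quoted above (the recipient address is replaced with a made-up one). It tests alignment only: it does not fetch the DKIM public keys or verify the signatures, and its organizational-domain shortcut (last two labels) is an assumption standing in for the Public Suffix List.

```python
"""Header triage for the message quoted in the question: who DKIM-signed it,
whether signer and envelope sender align with the From: domain (the test
DMARC applies), and which link domains are foreign to the sender. Added
example, not part of the original post; it checks alignment only and does
NOT verify the signatures (that needs the selectors' keys from DNS)."""
import email
import email.policy
import email.utils
import re
from urllib.parse import urlparse

# Copied from the headers quoted in the question (Received, Subject, Date
# and X-* lines dropped; recipient replaced by a made-up address).
RAW_HEADERS = """\
Return-Path: <01010157e278aa63-283a615a-b603-4300-8c6f-8426b3978f81-000000@us-west-2.amazonses.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=iapqtturmhylirl6i5t3a2ps2ewsadsl; d=business.amazon.com;
    t=1476973341;
    h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type:List-Unsubscribe;
    bh=CqDwwona4ZmOCsT+zgi3DKmE5lkxklMdpT65fdXrB1c=;
    b=UAkSuvsci14jfOFm+fW8S5l3ntdIbESTZB8eHvo6+itz4xiYy9sxXQ1RoXIJIGq9
    3ny5HJIKyI6wkjKRWnX6TQ3EHhDqDFlkB75Z1NzHNlp/5NUA8cEa6ua+wq1sWdyG33o
    k5gn5Kkz3v72uQMAhT6Dqq/3DSW9ipDMzrHF12Fs=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=gdwg2y3kokkkj5a55z2ilkup5wp5hhxx; d=amazonses.com; t=1476973341;
    h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type:List-Unsubscribe:Feedback-ID;
    bh=CqDwwona4ZmOCsT+zgi3DKmE5lkxklMdpT65fdXrB1c=;
    b=BdhqUbp6t3dhXe83M3isFcjV2hXaT6rAhCxPN/WXWepJngjhi1EO3Sgd5SbkaEjj
    6dzzlfljD+nKTJH2r9Kd1COeXqc5tgSeMEmVYV1TpmIRhc1fU9RUULRKG4ojxs0msSb
    RDRzSCa83Se484s7KDNwb5LWixFn7jo3oL7DFKx0=
From: Amazon <no-reply@business.amazon.com>
To: support@example.net
List-Unsubscribe: <http://www.amazonbusiness.com/unsubscribe/u/54552/6674f6c0dd8377b4a26688a664718cffd707396fd788791d186acab4a81bd210/359489270>

"""
# Links from the message body, as listed in the question.
BODY_LINKS = [
    "http://www.amazonbusiness.com/e/54552/gistration-start-ref-b2b-e459b/jt2hvr/359489270",
    "http://www.amazonbusiness.com/preferences/?ehash=6674f6c0dd8377b4a26688a664718cffd707396fd788791d186acab4a81bd210&email_id=359489270",
]


def unfold(value: str) -> str:
    """Join RFC 5322 folded continuation lines into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def parse_dkim_tags(sig: str) -> dict:
    """DKIM tag=value list -> dict; whitespace inside values (b=, h=) removed."""
    tags = {}
    for part in unfold(sig).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def addr_domain(header_value: str) -> str:
    """Domain of the single address in a From: or Return-Path: value."""
    return email.utils.parseaddr(unfold(header_value))[1].rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption: last two labels. Real DMARC uses the
    Public Suffix List, so this shortcut is wrong for e.g. example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def alignment_report(raw: str) -> dict:
    # compat32 returns header values verbatim, folding included.
    msg = email.message_from_string(raw, policy=email.policy.compat32)
    from_dom = addr_domain(msg.get("From", ""))
    rp_dom = addr_domain(msg.get("Return-Path", ""))
    signers = [parse_dkim_tags(s).get("d", "").lower()
               for s in msg.get_all("DKIM-Signature", [])]
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "dkim_signers": signers,
        # SPF identifier (envelope sender) vs From:, strict and relaxed
        "spf_aligned_strict": rp_dom == from_dom,
        "spf_aligned_relaxed": org_domain(rp_dom) == org_domain(from_dom),
        # DKIM identifier (any d=) vs From:, strict and relaxed
        "dkim_aligned_strict": from_dom in signers,
        "dkim_aligned_relaxed": any(org_domain(d) == org_domain(from_dom) for d in signers),
        "list_unsubscribe": re.findall(r"<([^>]+)>", unfold(msg.get("List-Unsubscribe", ""))),
    }


def foreign_link_domains(urls, from_domain: str) -> list:
    """(host, scheme) pairs for links whose registrable domain is not the
    sender's: the ones to dig/whois before trusting the mail."""
    sender_org = org_domain(from_domain)
    found = {(u.hostname.lower(), u.scheme) for u in map(urlparse, urls)
             if u.hostname and org_domain(u.hostname) != sender_org}
    return sorted(found)


if __name__ == "__main__":
    report = alignment_report(RAW_HEADERS)
    print(report)
    print(foreign_link_domains(BODY_LINKS + report["list_unsubscribe"], report["from_domain"]))
```

Read against this message: the first signature's d= is business.amazon.com, exactly the From: domain, so the mail is authentic only if that signature verifies against the key published at iapqtturmhylirl6i5t3a2ps2ewsadsl._domainkey.business.amazon.com. Anyone can send through SES, but nobody can produce a valid signature for business.amazon.com without the key behind that selector, which is why "it came from SES" on its own settles nothing either way. The envelope sender (us-west-2.amazonses.com) does not align with From:, which is normal for SES and is why DMARC passes on either identifier. All links, including List-Unsubscribe, sit on amazonbusiness.com, a different registrable domain from the sender's, and that is precisely the part the question goes on to dig and whois.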

4 Answers

Phishing; I received a nearly identical email. I was able to verify with Amazon that it was not sent by them and should be treated as malicious.

The email I received was sent from "no-reply@business.amazon.com". It differed slightly in the look of the graphics and in the wording of the first line, but it contained the same links, routed through the same suspicious path the OP describes, and then landed on a valid Amazon login page.

I forwarded the email to Amazon and then followed up with them by phone, and they determined it was not sent by them. Amazon says they log every communication. If you contact them about an email you received, they can quickly verify whether it was sent by them.

I hope this helps put to rest any question of whether it is phishing.

I think so. I just visited http://amazonbusiness.com and it 302-redirected me to https://www.amazon.com/gp/help/customer/display.html/?nodeId=508510, which is not a business page.

When I google "Amazon Business", the search result is https://www.amazon.com/business, which redirects to https://www.amazon.com/b2b/info/amazon-business?layout=landing, very much the Amazon Business page.

These guys are good.

The URL amazonbusiness.com is indeed a legitimate Amazon domain. ICANN shows the same registrant information for that URL as for amazon.com.

In case the registration details were spoofed, they both have the same host admin phone and email, so you can ask them whether it is a valid Amazon domain.

I believe it is phishing too, but I'm not sure what its goal is, other than being able to track which id was opened from which email/IP address. All the links you click take you to that page.

Or maybe it is an attempt to flood Amazon with victims? A colleague recently received a few of these; below is the "Create account" link with its URL, which simply redirects to the legitimate Amazon site.

http://www.amazonbusiness.com/e/54552/gistration-start-ref-b2b-e607a/lmkxl6/429776533 Note that the numbers at the end don't matter; in fact I think they redirect everything with a different path to the legitimate Amazon site.

But hey! If a real business emails me about an account upgrade (which implies I already have an account), do I still need to create an account? Something is odd here.

Could this be an experiment to see how many victims it can reach, rather than an attempt to steal login details? Possibly preparing a stage-2 attack against the clickers (i.e. the victims with the lowest phishing awareness).