Content

An Analysis of 3,000 Malware Email Addresses

While analyzing malware 24/7, we decided to continue our collection of email addresses found in malicious code. With the help of SiteLock's Sig Q Team we tripled our existing collection of malware email addresses to over 3,000. Looking at the data we get to see the prefered email providers of phishers, key words in malicious email addresses, and the spoofed From: addresses used by bad actors. Finally, we capitalized on a test address and unregistered domain to get a look inside the end of the phishing process.

The full list of 3,060 email addresses list is on GitHub and can be used as indicators of compromise, particularly for website security. The list mainly consists of phishing addresses, with addresses from web shells, defacements, and other miscellaneous files rounding out the 3,000.

The majority of email addresses were collected from phishing infections -- disposable email addresses used to receive pilfered credentials. Below is an example of a phishing infection. It's a PHP file written or uploaded to a site that collects and sends unwary victims' email addresses and passwords to the malicious actors email address, hopful101@zoho[.]com.

Phishing Example

Looking at the addresses, nearly two-thirds of the 3,000, 61 percent, used the gmail.com domain clearly showing Gmail is the webmail provider phishers prefer. Other mainstream webmail services trail far behind, with all Yahoo and Hotmail domains at 7 percent and 5 percent respectively.

Of note, comparing the initial 1,000 malware email addresses, Yandex use has almost doubled from 2 percent to almost 4 percent.

One interesting observation is the proclivity of phishers to use an iteration of the word ‘result' in receiving email addresses. There were 88 email addresses with a form of result in the collection.

Sample of Addresses Containing ‘result'

[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

Also of note is the use of ‘customer-support' in the spoofed From: address from phishing mailers. Here there were seven iterations.

Addresses Containing ‘customer-support'

customer-support@moneyi

customer-support@mrs

customer-support@online

customer-support@Spammers

[email protected]

customer-support@trex

customer-support@usaa,com

A particular email address from a phishing infection caught our attention, [email protected]. The file was part of a L33bo phishing kit and the email address was a placeholder for the To: address. We noticed the domain, l33bo.website, was unregistered and registered it. We then added a catchall for all email to the domain.

What we found were mostly test messages from the bad actors using the kit. There were a few legitimate results from botched installs, which were promptly deleted, and many bounces mostly to [email protected].

Sample of L33bo Catchall Email (Apparently researchers prefer Gmail too.)

Note the Abuse email professing that the phishing form was assaulted with foul language. We will add pagez and [email protected] to the malware email list after publication of this article.

One of the most interesting emails the catchall caught was a solicitation for access to compromised cPanels and web shells. Prices were $5 for cPanel and $4 for web shells, 3-day warranty included.

Solicitation for cPanel and Web Shell Access

As ephemeral as email addresses in malware are, their value in catching existing infections and providing insight into the endpoint of compromises can't be discounted. The tactics of phishers are brought more to light by aggregating this possibly overlooked data -- the predominant use of Gmail shows phishers sway to the service like the wider public, and commonalities in recipient and spoofed From: addresses can be gleaned. And an unexpected insight emerged from the simple registration of a domain. SiteLock will continue to improve its technology and threat intelligence by finding new and new ways to look at data.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.