
Attention! Phishing for NIC.ru registration data

In the morning I found in my mailbox a letter from nic.ru with the following text, allegedly from ru-cont@nic.ru; Gmail did not doubt the sender's authenticity:

Hello,

12-APR-2015 You have ordered the RU-CENTER service Change of domain name administrator microsoft.com.
The service will be provided within 72 hours.
The right to administer the microsoft.com domain name will be transferred to 60093 / NIC-D.

Link to confirm or cancel:
www.nic.ru/manager/admin_change.cgi?key=SiYK73RJesO3f8cnIH29-26ddd45b02859e836d13d4b9fde34281


The link, of course, actually pointed to the phishing site bethesdabiblechapel.net/sav/img/zmpbkbkhso.html?zmpbkbkhso=26ddd45b02859e836d13d4b9fde34281

This would be a completely trivial matter, not worth attention, if it were not for the bypass of Gmail's check. Here is how it turned out:

Return-Path: <vectorin@vh163.sweb.ru>
Received: from mf1-1.nic.ru (mf1-1.nic.ru. [109.70.27.132])

and
Received-SPF: softfail (google.com: domain of transitioning vectorin@vh163.sweb.ru does not designate 109.70.27.132 as permitted sender) client-ip=109.70.27.132;
Authentication-Results: mx.google.com;
    spf=softfail (google.com: domain of transitioning vectorin@vh163.sweb.ru does not designate 109.70.27.132 as permitted sender) smtp.mail=vectorin@vh163.sweb.ru
Received: from vh163.sweb.ru ([77.222.42.167])
    by mf1-1.nic.ru with esmtp (RIPN)

Half asleep, I almost followed the link, trusting the mail service to verify the sender's authenticity. That is why I want to recommend once again not to lose vigilance, even when it comes to familiar and reliable systems.

The registrar's technical support said that they had received a lot of calls and that the security service is dealing with this incident. As I understand it, the attackers used the registrar's SMTP mail servers to send the phishing emails in order to bypass the sender authentication mechanisms built into mail services. Stay attentive and careful, everyone!
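The two signals visible in the headers above (an SPF result other than pass, and an envelope sender on a different domain than the From address) can be checked mechanically. The following is an added example, not part of the original post; the alignment rule is a simplified assumption (a full DMARC check compares organizational domains), and the subject and body of the sample message are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers as quoted in the post; From is the address the letter claimed.
# The subject and body are constructed placeholders.
SAMPLE = """\
Return-Path: <vectorin@vh163.sweb.ru>
Received-SPF: softfail (google.com: domain of transitioning vectorin@vh163.sweb.ru does not designate 109.70.27.132 as permitted sender) client-ip=109.70.27.132;
Authentication-Results: mx.google.com;
 spf=softfail (google.com: domain of transitioning vectorin@vh163.sweb.ru does not designate 109.70.27.132 as permitted sender) smtp.mail=vectorin@vh163.sweb.ru
From: ru-cont@nic.ru
Subject: constructed subject

constructed body
"""


def domain_of(address):
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def aligned(a, b):
    """Simplified alignment (assumption): equal, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_sender(raw):
    """Return a list of findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    # Join and unfold every Authentication-Results header added on receipt.
    auth = " ".join(" ".join(msg.get_all("Authentication-Results", [])).split())
    spf = re.search(r"\bspf=(\w+)", auth)
    envelope = re.search(r"\bsmtp\.mail(?:from)?=([^\s;]+)", auth)
    findings = []
    result = spf.group(1).lower() if spf else "none"
    if result != "pass":
        findings.append(f"spf={result}")
    # Fall back to Return-Path when the receiver did not record smtp.mail.
    env_dom = domain_of(envelope.group(1) if envelope else msg.get("Return-Path", ""))
    if env_dom and not aligned(env_dom, from_dom):
        findings.append(f"envelope domain {env_dom} does not match From domain {from_dom}")
    return findings


if __name__ == "__main__":
    for finding in check_sender(SAMPLE):
        print(finding)
```

Run against the headers from this letter, both checks fire: the softfail result and the sweb.ru envelope sender behind a nic.ru From address.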

Source: https://habr.com/ru/post/255587/

