
Phishing of mail passwords for domain owners

A small digression: my domains are registered to a mailbox on mail.ru, but I haven't used that mailbox for a long time and forwarding to gmail is set up. Registrar: R01.

A letter with the subject “Complaint against the domain my-domain.ru” arrives, with roughly this content:

Hello, dear customer.
Registrar P01 from IP-address 46.18.200.45 received a complaint about the domain my-domain.ru. This request was assigned the number AM35930.
We inform you that the complaint was found to be unfounded, since the circumstances indicated by the author of the complaint did not find confirmation.
Based on the foregoing, the sanctions for the domain my-domain.ru will not be applied.
The file with the text of the complaint is attached to this letter.

On the phone you can see that there are some attachments, but they look broken. I decided to take a closer look on the computer. That is where the fun began.

Here is how the letter looked in the browser:

[image]

The sender shows as info@r01.ru, and there is no indication that the letter was sent through another domain, so you might think a legitimate letter had come from the registrar.

The attachment is styled to look like mail.ru mail (the service the domain is registered to), but since I was reading it in gmail, that put me on alert.

When I clicked the links, the document opened for a couple of seconds and then asked me to enter the password for my mail.ru mailbox. I was too lazy to enter the password; I just captured a screenshot while the page was open and read the content from the picture, and in principle everything fell into place. The file is filler with no specifics: my registrar is R01 (the letter got that right), but in the file they refer to RU-CENTER. After that I looked at where I was being prompted to enter a password and dug up two addresses:


By the way, it should be noted that these guys track entered passwords pretty quickly, because the response to the password I entered came almost immediately:

[image]

In this whole story only one thing confuses me: why didn't gmail indicate that the email was not sent from r01.ru?! The mailing comes from sweb, whom I notified; they replied that measures had been taken (which ones, I don't know). For the inquisitive:

Letter source:
 Delivered-To: d***y@gmail.com
 Received: by 10.28.25.130 with SMTP id 124csp1612639wmz;
         Mon, Dec 14, 2015 02:59:36 -0800 (PST)
 X-Received: by 10.112.160.33 with SMTP id xh1mr12911366lbb.67.1450090776287;
         Mon, Dec 14, 2015 02:59:36 -0800 (PST)
 Return-Path: <belebeycru@vh234.sweb.ru>
 Received: from mx70.mail.ru (mx70.mail.ru. [94.100.176.84])
         by mx.google.com with ESMTPS id vo10si16785629lbb.137.2015.12.12.02.02.59.35
         for <d *** y@gmail.com>
         (version = TLS1_2 cipher = ECDHE-RSA-AES128-GCM-SHA256 bits = 128/128);
         Mon, Dec 14, 2015 02:59:36 -0800 (PST)
 Received-SPF: softfail (google.com: domain of transitioning belebeycru@vh234.sweb.ru does not designate 94.100.176.84 as permitted sender) client-ip = 94.100.176.84;
 Authentication-Results: mx.google.com;
        spf = softfail (google.com: domain of transitioning belebeycru@vh234.sweb.ru does not designate 94.100.176.84 as permitted sender) smtp.mailfrom=belebeycru@vh234.sweb.ru;
        dmarc = fail (p = NONE dis = NONE) header.from = r01.ru
 Received: from [77.222.56.130] (ident = mail)
	 by mx70.mail.ru with local (envelope-from <belebeycru@vh234.sweb.ru>)
	 id 1a8Qqt-0001M2-Ay
	 for d***y@gmail.com;  Mon, Dec 14 2015 13:59:35 +0300
 X-ResentFrom: <d *** y@mail.ru>
 X-MailRu-Forward: 1
 Authentication-Results: mxs.mail.ru;  spf = pass (mx70.mail.ru: domain of designates 77.222.56.130 as permitted sender) smtp.mailfrom=belebeycru@vh234.sweb.ru smtp.helo = vh234.sweb.ru
 Received-SPF: pass (mx70.mail.ru: domain of vh234.sweb.ru designates 77.222.56.130 as permitted sender) client-ip = 77.222.56.130;  envelope-from=belebeycru@vh234.sweb.ru;  helo = vh234.sweb.ru;
 Received: from vh234.sweb.ru ([77.222.56.130]: 53758)
	 by mx70.mail.ru with esmtp (envelope-from <belebeycru@vh234.sweb.ru>)
	 id 1a8Qqs-0001Kw-Qa
	 for d***y@mail.ru;  Mon, Dec 14 2015 13:59:35 +0300
 X-Mru-BL: 0: 0
 X-Mru-TLS: TLSv1.2: AES128-SHA
 X-Mru-BadRcptsCount: 0
 X-Mru-PTR: vh234.sweb.ru
 X-Mru-NR: 1
 X-Mru-OF: Linux (Ethernet or modem)
 X-Mru-RC: RU
 Received: from belebeycru by vh234.sweb.ru with local (Exim 4.84)
	 (envelope-from <belebeycru@vh234.sweb.ru>)
	 id 1a8Qqs-003gGZ-Lj
	 for d***y@mail.ru;  Mon, Dec 14, 2015 1:59:34 PM +0300
 To: d***y@mail.ru
 Subject: Complaint against the domain my-domain.ru
 MIME-Version: 1.0
 Content-type: text / html;  charset = windows-1251
 From: R01.RU <info@r01.ru>
 Message-Id: <E1a8Qqs-003gGZ-Lj@vh234.sweb.ru>
 Date: Mon, 14 Dec 2015 13:59:34 +0300
 X-Sender-Uid: 11827
 X-DMARC-Policy: none
 X-DMARC-Result: fail
 X-Mras: Ok
 X-Mru-Authenticated-Sender: belebeycru@vh234.sweb.ru
 X-Spam: undefined
 X-DMARC-Policy: none
 X-DMARC-Result: fail
 X-Mras: Ok
 X-Mru-Authenticated-Sender: belebeycru@vh234.sweb.ru

 Hello, dear customer. <br> ...
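As an added example (not from the original post), here is a small Python triage routine run over Google's Authentication-Results header from the letter source above; it answers the author's question by reading out the p=none DMARC policy that let the message through unmarked. The header text is copied from above with the translation-induced spaces around '=' removed; the function names are my own.

```python
import re

# Constructed sample: Google's Authentication-Results header from the letter source above.
SAMPLE_HEADERS = """\
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning belebeycru@vh234.sweb.ru does not designate 94.100.176.84 as permitted sender) smtp.mailfrom=belebeycru@vh234.sweb.ru;
       dmarc=fail (p=NONE dis=NONE) header.from=r01.ru
"""


def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading space/tab) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_auth_results(raw):
    """Pull SPF/DMARC verdicts, the DMARC policy and both sender domains out of the headers."""
    auth = {}
    for line in unfold(raw):
        name, _, value = line.partition(":")
        if name.strip().lower() != "authentication-results":
            continue
        for key, pattern in (("spf", r"\bspf=(\w+)"),
                             ("dmarc", r"\bdmarc=(\w+)"),
                             ("dmarc_policy", r"\(p=(\w+)"),
                             ("header_from", r"header\.from=([\w.-]+)"),
                             ("mailfrom_domain", r"smtp\.mailfrom=\S+?@([\w.-]+)")):
            m = re.search(pattern, value)
            if m:
                auth[key] = m.group(1).lower()
    return auth


def assess(auth):
    """Defender's triage: list why the receiver still delivered the message, or return 'pass'."""
    reasons = []
    if auth.get("dmarc") == "fail" and auth.get("dmarc_policy", "none") == "none":
        reasons.append(f"DMARC failed for {auth.get('header_from')} but its policy is p=none, "
                       "so the receiver is asked to take no action")
    if auth.get("spf") == "softfail":
        reasons.append(f"SPF softfail: {auth.get('mailfrom_domain')} does not authorise the "
                       "connecting IP (the mail.ru forward changed the delivery path)")
    if auth.get("header_from") != auth.get("mailfrom_domain"):
        reasons.append("From: domain and envelope sender domain differ (no DMARC alignment)")
    return ("flag" if reasons else "pass"), reasons
```

Had r01.ru published p=reject (or p=quarantine), the same dmarc=fail line would have led Gmail to reject or quarantine the message instead of delivering it silently.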

Source: https://habr.com/ru/post/356964/

