Start
I received a strange email in my inbox saying that my ENS name candinya.eth would expire in 24 hours. It threatened that this would be my last renewal opportunity and left a huge button for me to click to "renew".
But I found it strange: I registered this ENS name for more than a year, and besides, I have already set a renewal reminder on my calendar. How could it suddenly expire?
Analysis
When I looked at the sender column, I was sure that this was a phishing email. The sender didn't even bother to fake a domain name like ens.domains and directly used the email address [email protected].
I checked the email source and confirmed that the email was sent from the server amenominakanushi.okuizumo.ne.jp (okuizumo.ne.jp [211.12.232.201]) and passed DKIM/SPF signature verification. If the signature had failed, my mail system would have blocked the message automatically. But since the signature is valid for that domain, the attacker is presumably abusing that mail system rather than forging the sender.
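To make that header check concrete, here is an added Python example (not code from the original post) that parses a constructed raw message shaped like the one described: it pulls the last relay hop from the Received header, reads the SPF/DKIM verdicts and the domains they vouch for from Authentication-Results, and checks whether those domains align with the visible From domain and with the brand being impersonated (ens.domains). Only the relay host and IP quoted above come from the post; every other header value is made up. A second, equally constructed copy forges the From address as the brand to show how alignment catches that case.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample: a raw message shaped like the one in the post. Only the relay
# host and IP come from the post; every other header value is made up.
SAMPLE = b"""\
Received: from amenominakanushi.okuizumo.ne.jp (okuizumo.ne.jp [211.12.232.201])
\tby mx.example.test with ESMTPS; Mon, 1 Jan 2024 00:00:00 +0000
Authentication-Results: mx.example.test;
\tspf=pass smtp.mailfrom=bounce@okuizumo.ne.jp;
\tdkim=pass header.d=okuizumo.ne.jp header.s=sel1
From: "ENS" <sender@okuizumo.ne.jp>
To: me@example.test
Subject: Your ENS name expires in 24 hours

Renew now.
"""

# Same message with the visible sender forged as the brand (also constructed).
FORGED = SAMPLE.replace(b"sender@okuizumo.ne.jp", b"noreply@ens.domains")

_RECEIVED = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)")
_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain_of(value):
    """Domain part of 'user@domain' (the value itself if there is no '@')."""
    return value.rsplit("@", 1)[-1].strip().lower()


def parse_auth_results(value):
    """Extract SPF/DKIM verdicts and the domains they vouch for."""
    def grab(pattern):
        m = re.search(pattern, value)
        return m.group(1) if m else None
    return {
        "spf": grab(r"\bspf=(\w+)") or "none",
        "spf_domain": _domain_of(grab(r"smtp\.mailfrom=([^\s;]+)") or ""),
        "dkim": grab(r"\bdkim=(\w+)") or "none",
        "dkim_domain": (grab(r"header\.d=([^\s;]+)") or "").lower(),
    }


def last_hop(msg):
    """Host and IP we received the message from (top-most Received header)."""
    received = msg.get_all("Received") or []
    m = _RECEIVED.search(str(received[0])) if received else None
    if not m:
        return None, None
    ip = _IPV4.search(m.group(2))
    return m.group(1).lower(), (ip.group(1) if ip else None)


def is_aligned(domain, anchor):
    """Relaxed DMARC-style alignment: same domain or a subdomain of it."""
    return bool(domain and anchor) and (domain == anchor or domain.endswith("." + anchor))


def assess(raw, brand_domain):
    """Summarise who authenticated the message and whether that matches the
    visible From domain and the impersonated brand."""
    msg = message_from_bytes(raw, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    from_domain = _domain_of(parseaddr(str(msg.get("From", "")))[1])
    host, ip = last_hop(msg)
    authenticated = "pass" in (auth["spf"], auth["dkim"])
    aligned = authenticated and (
        (auth["dkim"] == "pass" and is_aligned(from_domain, auth["dkim_domain"]))
        or (auth["spf"] == "pass" and is_aligned(from_domain, auth["spf_domain"]))
    )
    from_brand = is_aligned(from_domain, brand_domain)
    if not authenticated:
        verdict = "SPF and DKIM failed: would normally be rejected"
    elif not aligned:
        verdict = "authenticated by a domain other than From: spoofed sender"
    elif not from_brand:
        verdict = f"authenticated, but sent by {from_domain}, not {brand_domain}"
    else:
        verdict = "authenticated and sent by the brand's own domain"
    return {**auth, "from_domain": from_domain, "relay_host": host, "relay_ip": ip,
            "authenticated": authenticated, "aligned": aligned,
            "from_brand": from_brand, "verdict": verdict}


if __name__ == "__main__":
    for raw in (SAMPLE, FORGED):
        r = assess(raw, "ens.domains")
        print(f"{r['relay_host']} [{r['relay_ip']}] From={r['from_domain']}: {r['verdict']}")
```

The point the verdicts make is the one the post makes: a valid SPF/DKIM result only proves that okuizumo.ne.jp sent the message, not that ENS did, so the check that matters is whether the authenticated domain is the brand's. The suffix comparison in `is_aligned` is a simplification; a production filter should apply DMARC's organizational-domain rules and the receiving domain's own policy.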
Before we focus on the large renewal button below, let's start with an appetizer: did you see the "Unsubscribe from this email" link at the bottom? Let's guess where it leads.
https://google.com/unsubscribe
Well, it's hard to say, but I find it quite funny.
But the attacker obviously doesn't want us to "unsubscribe" from this email. It wants us to click that big renewal button and walk into its carefully crafted scam. So let's go along with its intention and see what it's up to.
The button itself is nothing special, just a styled <a> tag. The interesting part is the link it points to: a redirect link starting with bing.com. Using a legitimate domain as a redirector is a very common attack technique; we have previously analyzed an incident where a logout redirect on YouTube was abused to send victims to an attack website. So with a little trick, we can find out which website this link actually points to.
It points to archivodigital[dot]org/venezuela-centro-de-computacion-afoco-2003/.
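As an added example (not code from the original post), here is a small Python helper for the "little trick" of recovering a redirect link's real destination offline: it walks the query-string and fragment values of the link, tries percent-decoding and base64 decoding of each value, and peels nested redirector URLs it finds, without ever fetching anything. The redirector hosts and the landing URL are constructed placeholders; real redirectors encode their target parameter in different ways, which is why the decoder tries several layers and a depth limit guards against a link that embeds itself.

```python
import base64
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _base64_layers(value):
    """Decodings of value as standard or URL-safe base64 (padding restored)."""
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError
            continue


def decode_layers(value):
    """Plausible readings of one query value: as-is, percent-decoded, base64."""
    yield value
    decoded = unquote(value)
    if decoded != value:
        yield decoded
    yield from _base64_layers(value)


def embedded_urls(url):
    """URLs found in url's query-string and fragment values, one layer deep."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(parts.fragment, keep_blank_values=True)
    found = []
    for _, value in pairs:
        for layer in decode_layers(value):
            for match in URL_RE.finditer(layer):
                if match.group(0) not in found:
                    found.append(match.group(0))
    return found


def final_targets(url, max_depth=5):
    """Innermost URLs reachable by peeling redirect layers; no network access.
    max_depth stops a link that embeds itself from recursing forever."""
    inner = embedded_urls(url) if max_depth > 0 else []
    if not inner:
        return [url]
    leaves = []
    for candidate in inner:
        for leaf in final_targets(candidate, max_depth - 1):
            if leaf not in leaves:
                leaves.append(leaf)
    return leaves


def defang(url):
    """Render a URL so it cannot be clicked by accident in a write-up."""
    return url.replace("http", "hxxp", 1).replace(".", "[dot]")


# Constructed samples: the redirector hosts and the landing page are placeholders,
# encoded in the three ways redirect parameters commonly appear.
LANDING = "https://landing.example/promo"
SAMPLES = {
    "percent": "https://redirector.example/r?u=" + quote(LANDING, safe=""),
    "base64": "https://redirector.example/r?u="
              + base64.urlsafe_b64encode(LANDING.encode()).decode().rstrip("="),
    "nested": "https://outer.example/go?url="
              + quote("https://redirector.example/r?u=" + quote(LANDING, safe=""), safe=""),
}

if __name__ == "__main__":
    for name, link in SAMPLES.items():
        print(name, "->", [defang(t) for t in final_targets(link)])
```

Decoding the parameter is preferable to clicking through, because a live redirector can log the visit, fingerprint the browser, or, as happens later in this post, send unwanted visitors somewhere harmless.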
After obtaining the domain name, the first thing to do is a security investigation. A WHOIS query shows that this domain was registered on December 14, 2020, with NameSilo as the registrar and Cloudflare as its nameservers (another classic case of abusing Cloudflare to hide the attacker's identity).
However, fronting with Cloudflare doesn't make a site foolproof. It's common to find an nginx server that uses a Cloudflare certificate but doesn't reject unmatched connections on port 443; nginx then falls back to its default server block, and the certificate it presents leaks the hostname of the first site configured with SSL. So let's keep searching for this root domain, and we find three servers:
Oh, they are Russian servers. Could this be an encounter with the legendary Russian hackers? But I guess no hacker would be idiotic enough to use their own servers. It's probably a setup.
Taking a quick look at the raw data, it's not hard to see that these are just petty thieves. One telling characteristic is that their default page is a 302 redirect to an ENS error page, yet this domain is obviously not a working domain under ENS. So there is only one possibility: these are indeed the attacker's servers, and they have set up a seemingly seamless barrier to keep out unrelated visitors (such as scanners or crawlers).
But we have an invitation letter (lol).
Open a secure browser (preferably Tor, but for some reason my Tor is not in a good mood today and can't connect, so I have to use Firefox in private mode), enter the link, and press Enter!
And then... I was redirected to the ENS main site, and it failed 🤡
I tried several browsers, and even clicking the original renewal button in the email didn't work. They all redirected back to the official ENS page, as if this email was not an attack but just a genuine reminder from ENS.
I don't know why, but I'm deeply shocked.
Review
Although I couldn't dig out more information, this can still be treated as a rare security drill: what if the attacker doesn't run away next time? What if the attacker disguises the sender's identity, or actually sends the email just before the real expiration time? When it comes to financial security, one can never be too cautious.
As for my email address: since this is my public address, I suspect that the attacker saw the GitHub account linked in my ENS profile and obtained the address from there. For the renewal reminder emails sent by ENS, I use a different address prefix, which makes it easier to tell where a message comes from and to sort it into mail folders. It's also a small security measure.
Of course, it would be best if we didn't receive phishing emails at all. Although this one is indeed more interesting than those dumb phishing emails with a QR code plastered over them.
(End)