
Here is what we're working on and thinking at Hedgehog Security.

Every morning my first job of the day, over a nice cup of cold-brew coffee, is to go through the emails received overnight. Occasionally I find a gem in the midst of the noise received from the internets. This morning I received the following email in the Security Operations mailbox:
[Screenshot of the email as received, 2016-10-04]
European Health Insurance Card? I am sure I have one, so do I need to get a new one? What's this email all about?
I felt this needed looking into a little more, and as many people are getting hit by ransomware these days, I thought it might be a good idea to go step by step through how I look into emails I don't expect and how I examine them in a safe and secure manner.
All emails start with a risk score of zero out of ten. For every check we perform, if the test fails we assign two points to the score, and for a partial fail we assign one point.
So to start we have a risk of 0/10.

Initial View

Quite interesting from a security point of view, as it made it through the usual malware and virus scanners and then passed through the usual junk filters. So as it made it this far, I thought it fair game to look into it a little deeper.
The email has come into our SecOps@ email box, a box used by analysts to communicate with clients and receive suspicious files and emails for analysis.
As this is an unsolicited email, we can start the risk score off at 2/10.
The first task in handling this email is to run it through VirusTotal to see whether the community has reported anything on it.
[Screenshot of the VirusTotal result, 2016-10-04]
We can see from this that VirusTotal shows this email as clean. That's interesting; could this be a real email?
With VirusTotal reporting it clean, we leave the score at 2/10.
The VirusTotal analysis page is here.
The company that has sent this is Aceso Healthcare Services. A quick search on Companies House shows a number of businesses called Aceso, but none of them are Aceso Healthcare Services.
So for this email, we have a risk of 4/10 now.
Next stop is to check the credit reference agencies.
[Screenshot of the CreditSafe search result, 2016-10-04]
CreditSafe has no record of such a company. Now we have a risk score of 6/10 and can call this a Scam.
So let's go a little deeper. Let's click the link in a sandbox environment.

Opening the Email Fully

Going to the site in a safe manner means bringing up a virtual machine running Linux and then running a web browser that will simply render the page but not run any JavaScript, Flash or other code. Here is what we find:
[Screenshot of the rendered site, 2016-10-04]

Looking Deeper at the Site

The site looks good and is rather convincing. My first observation is that there is no HTTPS, so the URL bar does not show the green padlock.
Secondly, this is a scam site. The scammers even announce the fact.
[Screenshot of the site announcing that it is a scam, 2016-10-04]
With 2 points for the lack of a secure connection when exchanging information and 1 point for announcing that this is in fact a scam, the score is racking up for this email.
Risk score: 9/10
But as we are doing an in-depth look, let's look at the source code of the page. The entire page is a form which, when you click the button, calls a PHP script called payment-process.php.
Once payment-process.php runs, it redirects you to a PayPal payment page where the identity of the scammer starts to be revealed.
[Screenshot of the PayPal payment page, 2016-10-04]
We can add a further 2 points for the use of a personal PayPal page and a further bonus point for the use of a free email address as the merchant PayPal address:
mukulchawala86@yahoo.com
So there we have it, a final risk score of 12/10.
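The scoring scheme walked through above, written up as an added Python example (this is not code from the original post). It codes the same pass/partial/fail points, automates the two checks that can be done mechanically (HTTPS on the payment page, free webmail domain on the merchant address) and replays the author's eight checks to arrive at the 12/10 figure. The list of free-mail domains and the placeholder URL are assumptions; the post only names yahoo.com and states that the site had no HTTPS.

```python
import re
from enum import IntEnum
from urllib.parse import urlparse


class Outcome(IntEnum):
    """Points per check, as in the post: pass = 0, partial fail = 1, fail = 2."""
    PASS = 0
    PARTIAL = 1
    FAIL = 2


# Assumed list of free webmail providers; the post only mentions yahoo.com.
FREE_MAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}


def check_https(url: str) -> Outcome:
    """Fail when a page that collects personal or card data is not served over HTTPS."""
    return Outcome.PASS if urlparse(url).scheme == "https" else Outcome.FAIL


def check_merchant_address(address: str) -> Outcome:
    """Bonus point (partial fail) when the PayPal merchant address is a free webmail one."""
    match = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not match:
        return Outcome.FAIL  # not even a well-formed address
    domain = match.group(1).lower()
    return Outcome.PARTIAL if domain in FREE_MAIL_DOMAINS else Outcome.PASS


def score(checks: dict) -> tuple:
    """Sum the points; the post calls the email a scam once it reaches 6/10."""
    total = sum(int(outcome) for outcome in checks.values())
    verdict = "Scam" if total >= 6 else ("Suspicious" if total > 0 else "Clean")
    return total, verdict


def triage_ehic_email() -> tuple:
    """The eight checks from the post, in order, with the outcomes the author recorded."""
    checks = {
        "solicited": Outcome.FAIL,                 # unsolicited email
        "virustotal_detection": Outcome.PASS,      # VirusTotal reported it clean
        "companies_house_match": Outcome.FAIL,     # no such registered company
        "credit_reference_record": Outcome.FAIL,   # CreditSafe has no record
        "https": check_https("http://ehic-renewal.example.invalid/"),  # constructed URL
        "not_self_declared_scam": Outcome.PARTIAL, # the site announces it is a scam
        "business_paypal_account": Outcome.FAIL,   # personal PayPal page
        "merchant_email": check_merchant_address("mukulchawala86@yahoo.com"),
    }
    return score(checks)  # -> (12, "Scam")
```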

Conclusion

While not a malicious site per se, as you can obtain the same card for free direct from the government, with a risk score of 12/10 this fits nicely into our Scam box.