
Not So Safe Safelinks

Today I got a phishing email for my gatech account. It was nothing special and easy to identify as phishing. So why blog about it? Because today I decided to test out safelinks. Why not, right? It's Microsoft, and they make a habit of telling me that I should use Edge because it is safer than Chrome and Firefox.

I clicked on the safelink that was hosted on eur03.safelinks.protection.outlook.com and it opened in Edge. Wait, why did I have to hit a European safelink server, Microsoft, if I am in the USA? I don't remember authorizing you to do that, but then again, who cares about us in the US.

The safelink redirected successfully to login.gatechs.com, which is a shameless phishing site. It pulls resources from gatech.edu but has a self-hosted JS file that has the same URL path as the one in the BuzzPort login page. It's a clever phish and it would likely defeat most users.

So that made me mad. I put on my Cyber cape and started to dig. The IP is hosted on AWS:

Name:    login.gatechs.com
Address:  52.21.141.80

Of course it is, because Bezos doesn't seem to give a crap about people using his elastic network for crime. I could send email to AWS like I've done in the past, but all I would get is another form letter saying they would look into it. Yeah, good job. High five.

I tried whois on ICANN and didn't get anything. It's got private registration of course. Wouldn't really matter these days since GDPR pretty much erased most of the registry data for non-US people. Again, nobody cares about people from the US these days.

Just to note, Chrome correctly identifies the site as a phishing site and it stops my navigation. Firefox? Yeah, same thing. Edge? Nope, not with safelinks and not without (direct navigation per se).

Why does it matter that my safelink server was in Europe? Well, it was actually in the UK; I did a tracert from my windoze box to see where it led:

Name:    eur03.safelinks.protection.outlook.com
Addresses:  104.47.8.28
          104.47.9.28

 17   593 ms   409 ms   199 ms  be-7-0.ibr01.nyc30.ntwk.msn.net [104.44.4.34]
 18   189 ms   198 ms   199 ms  be-11-0.ibr01.lon30.ntwk.msn.net [104.44.5.105]

That's NY to London. Ian Fleming would be so proud. I will leave it up to you to infer where that link was leading and why. Just remember there is some alphabet agency that buys stuff from another alphabet agency ... Maybe, lads, you could offer us some useful service when you take our browsing history. Maybe a service to prevent us from being attacked by b-rate hackers. I am sure you'll knock on my door again, wearing those nifty Sherlock Holmes outfits. Oh, note how Outlook can connect to gmail now? Just wanted to drive-by that little tidbit.

Meanwhile, Edge is clearly the loser here. I've stopped using Edge and will continue to relish my decision to up the security game of my desktop.

I didn't pull their JS as I am not really interested in looking at it. I did look at the header on the email and found another domain:

login.gatech-web.net

That one is bound to the same IP as the gatechs.com domain, also on AWS. The email originated out of that login.gatech-web.net domain:

Received: from login.gatech-web.net (HELO ip-10-0-0-204.ec2.internal) ([52.21.141.80])
X-PyPhish: Sent via PyPhish

Yeah, PyPhish, a tool given to the internet by Red Team Security? Who knows, but it's another tool that has been polished by professionals and now it's used by criminals. Thanks.
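Two things in this post are worth automating on the defender's side: unwrapping a Safe Links URL so you can see the real destination before Edge takes you there (the redirect to the lookalike login domain above), and pulling the originating host and tool headers out of the Received/X- lines just quoted. The script below is an added example for this post, not code from the post, from Microsoft, or from any of the tools named. It assumes the Safe Links wrapper carries the destination in its `url` query parameter (observed wrapper layout, not something the post states) and treats gatech.edu as the only trusted login domain; the sample message is constructed from the header lines the post quotes plus a made-up body.

```python
"""Defender-side triage for a phishing email: unwrap Safe Links URLs, flag
lookalike login domains, and pull the originating host out of Received headers.
Added example for this post; the sample message at the bottom is constructed."""
import re
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Domains the organisation really signs in to. Assumed for the example.
TRUSTED_DOMAINS = {"gatech.edu"}

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Matches "from <claimed> (HELO <helo>) ([<ip>])", the shape of the post's header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+\(\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_safelink(url: str) -> str:
    """Return the destination wrapped by a Safe Links URL, or the URL itself.

    Assumption: the wrapper keeps the real destination in its `url` query
    parameter. Anything that is not a wrapper is returned unchanged."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host.endswith(SAFELINKS_SUFFIX):
        inner = parse_qs(parsed.query).get("url")
        if inner:
            return inner[0]
    return url


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; adequate for the .com/.net/.edu names here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host: str) -> str:
    """'trusted' if the registrable domain is one we own, 'lookalike' if a
    trusted brand name appears in a host we do not own, otherwise 'unknown'."""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]  # "gatech"
        if brand in host.lower():      # gatechs.com, gatech-web.net, gatech.edu.evil.example
            return "lookalike"
    return "unknown"


def parse_received(header_value: str) -> Optional[dict]:
    """Claimed name, HELO string and connecting IP from one Received: value."""
    m = RECEIVED_RE.search(header_value)
    return m.groupdict() if m else None


def triage(raw_message: str) -> dict:
    """Split a raw message into headers and body and summarise the indicators
    a responder wants first: where it connected from, what tool it advertises,
    and where every link really goes."""
    head, _, body = raw_message.partition("\n\n")
    origin, tool_headers = None, {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        if name.lower() == "received" and origin is None:
            origin = parse_received(value)       # first hop listed = last relay, fine for this sample
        elif name.lower().startswith("x-"):      # vendor/tool headers such as X-PyPhish
            tool_headers[name] = value.strip()
    links = []
    for url in URL_RE.findall(body):
        final = unwrap_safelink(url)
        host = urlparse(final).hostname or ""
        links.append({"wrapped": url != final, "target": final, "verdict": classify_host(host)})
    return {"origin": origin, "tool_headers": tool_headers, "links": links}


# Constructed sample: header lines as quoted in the post, body made up for the example.
SAMPLE_MESSAGE = """\
Received: from login.gatech-web.net (HELO ip-10-0-0-204.ec2.internal) ([52.21.141.80])
X-PyPhish: Sent via PyPhish
Subject: Your account requires attention

Please verify here:
https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Flogin.gatechs.com%2Flogin%2F&data=x&reserved=0
Or see the real portal https://login.gatech.edu/
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MESSAGE), indent=2))
```

The lookalike rule is deliberately crude (brand string anywhere in a host you do not own); it catches the three domains the post names and the "gatech.edu.evil.example" subdomain trick, at the price of flagging any third party that happens to put the brand in a hostname, which is the side a triage script should err on.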

Addendum. I gave SafeLinks another chance. Got a phish email for my hotmail account and went forward with clicking on the SafeLinks link. Guess what? Not blocked by SafeLinks. Good thing both Firefox AND McAfee blocked the redirect site and labeled it as Malicious Rating: RED.

Come on Microsoft. You can do better than this. At least that SafeLinks proxy url was in North America instead of Europe.
