At work yesterday we got a couple of phishing email claiming to be traffic infringements, nothing too remarkable about that. But interestingly this time the links in the emails to Bitly, a url shortener service that redirects traffic instead of going directly to some hacked site hosting malware.
With Bitly URLs you can simply put a + sign on the end of any link it will take you to a page of statistics rather than redirect you. The URLs from the phishing emails (with a plus sign added) were:
We can see the first time either link was followed was around 21:00UTC wich is 05:00 AWST (Western Australia time) and it dies off pretty quickly suggesting that these campaigns move from one URL to another very quicly rather than spamming out the same URL all day1. It also shows that most traffic is from Australia which you would expect given that the was claiming to be an infringement form the West Australia Police.
Most of the traffic is direct access, this not surprising seeing that people are coming from email rather than another source such as twitter. Although there is a fair amount coming from localhost:5272. I’m not sure what that is, but a quick google search suggest it’s Xeams spam filter is following links in emails to check if they are malicious.
The spoofed address this came from was email@example.com, I'd be guessing they picked that one because it looks almost legitimate and data.gov.au doesn't have dmarc or even an SPF record2. I was also surprised to find that in the footer of the email, the links were not malicious. There was one to the about West Australian Police and it really pointed to the about West Australian Police page. It was just in the body of the email that there were malicious links.
It's posible that the spammers have setup their campaign to send emails early in the morning for their target timezone. I remember hearing from a legitimate (double opt-in) email marketing group that first thing in the morning was the most effective time to send emails because it will be a the top of people inbox as they are having their morning coffee. ↩
I was really surprised to find that, I know a couple of the folks that helped set it up and they were pretty switched on types. ↩