web-dev-qa-db-fra.com

How serious is this X-CU-modified: FAKECU Text attack?

A user clicked the link in this email and entered their credentials, thinking the message was legitimate. However, the link did not redirect to the fake site; instead, their mail client sent them to the link as it was displayed (the real mail server's web portal).

What is this (from the raw email): X-CU-modified: FAKECU Text https: //mail.dept.example.com/ to https: //gradingzimbra.000webhostapp.com/

And what kind of mail clients would actually go to the fake website?

The message appears to be duplicated in HTML, but does not seem to render in the user's Apple Mail or in my Google Apps mail when the original email was forwarded to me.

I don't know why it didn't go to spam for the user, and I don't want to send an unnecessary warning if this attack isn't actually effective. Is it?

Original Message

Message ID  <[email protected]>
Created at: Thu, Sep 26, 2019 at 12:59 PM (Delivered after 7 seconds)
From:   "[email protected]" <[email protected]> Using Zimbra 6.0.0_RC1_1684.RHEL5 (zclient/6.0.0_RC1_1684.RHEL5)
To: 
Subject:    FOR ALL USER !!
SPF:    NEUTRAL with IP 128.b.c.d


Delivered-To: [email protected]
Received: by 2002:a02:a119:0:0:0:0:0 with SMTP id f25csp2412359jag;
        Thu, 26 Sep 2019 10:00:02 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzfEjcMNIfl22lzB/LJ5Fh5yGrFWMGw9MPMkzUFnZnVmFTP+kqrft7Vmfd6VduO6bJHSXb/
X-Received: by 2002:a37:a544:: with SMTP id o65mr4262426qke.422.1569517202451;
        Thu, 26 Sep 2019 10:00:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1569517202; cv=none;
        d=google.com; s=arc-20160816;
        b=In55GzFNV3oDe+r4J7H4DRMa13eVGkjJrAf4J6UOxr7GyOvR299PuAI+L0t29DQkR
         Jy7+wQNHh0LOJUwm1ilNJisGyTu9F2ZYO4Zz+N74Y4VTa7nR2kzRaL9Gj2aZPrzl7AK8
         m6ck9kvqTdrtBzf1vkaJdOfbOWKzPkZPYyH3Cx0buS8pzMaBqgF+Qlo2vEu4SuY0vfTi
         JMnhk0xxbgsm9TYxrqsM+68QQNRfrIE89nUni7aWF8RFSzIXYHX9/+ikjfYYmlguHcu3
         ljUnMyz2rPWabkUdvm8EEZs7JL4y4jrKXQGGo4iRts48CWrWy6mJ/FCr28Z1E2JfwkWE
         qnLQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=to:mime-version:subject:message-id:reply-to:from:date;
        bh=0C1ERzO2hJ1Gd5BjS+y2OCbaEwwYX8Typ8cL6/mkJwA=;
        b=kEBII9kQXej2zV9T4NIvZqT3DXkSOngnV65ud7Mg/Fu3zIL+6ztbptLl/gcmMt+Zlu
         VHaTkRSRs3/0heij/rMMXrWqXStwqwYadLbGMdSdM8c6TXqkTX9S12P6XzCQ0HJ+HSpn
         yQ/H+klxw6vXt2EpYPRW7gBkhQMAuixOefS1y5zSvu3FxWGnuij97txDy5D4qCwQkTM
         AyHaCKPD8TiCYCf4V9Qxt3wNPAyxZSshOVRMR7BqdAZWpN0cmzEf60xu4OlShuiHmZ23
         X88XHhBYkgxViHw3dfTxVJLADiLJIjJDCQ5yhgq+Ffvp+uKSl7ZAyLta0aa6rVIjHk4B
         n8GA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=neutral (google.com: 128.b.f.e is neither permitted nor denied by domain of [email protected]) [email protected]
Return-Path: <[email protected]>
Received: from inprodmail06.cc.example.com (inprodmail06.cc.example.com. [128.b.c.d])
        by mx.google.com with ESMTPS id l8si2249383qkj.114.2019.09.26.10.00.00
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 26 Sep 2019 10:00:01 -0700 (PDT)
Received-SPF: neutral (google.com: 128.b.f.g is neither permitted nor denied by domain of [email protected]) client-ip=128.b.f.g;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 128.b.f.g is neither permitted nor denied by domain of [email protected]) [email protected]
Received: from dept.example.com (paradox.dept.example.com [128.b.f.g]) by inprodmail06.cc.example.com (8.14.4/8.14.4) with ESMTP id x8QGxw1i010520 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 26 Sep 2019 12:59:58 -0400
Received: from localhost (localhost [127.0.0.1]) by dept.example.com (Postfix) with ESMTP id 79621401790; Thu, 26 Sep 2019 12:59:47 -0400 (EDT)
X-Virus-Scanned: amavisd-new at dept.example.com
Received: from dept.example.com ([127.0.0.1]) by localhost (dept.example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RDcz4Gx9SWav; Thu, 26 Sep 2019 12:59:46 -0400 (EDT)
Received: from mail.metrocat.com (mail.metrocat.com [203.130.129.172]) by dept.example.com (Postfix) with ESMTP id 958BB40178F; Thu, 26 Sep 2019 12:59:45 -0400 (EDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.metrocat.com (Postfix) with ESMTP id 2D3821E805E; Thu, 26 Sep 2019 23:59:55 +0700 (ICT)
X-Virus-Scanned: amavisd-new at metrocat.com
Received: from mail.metrocat.com ([127.0.0.1]) by localhost (mail.metrocat.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x2nHz3R7dvL1; Thu, 26 Sep 2019 23:59:54 +0700 (ICT)
Received: from mail.metrocat.com (mail.metrocat.com [203.130.129.172]) by mail.metrocat.com (Postfix) with ESMTP id 832671D8015; Thu, 26 Sep 2019 23:59:54 +0700 (ICT)
Date: Thu, 26 Sep 2019 23:59:54 +0700 (ICT)
From: "[email protected]" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Message-ID: <[email protected]>
Subject: FOR ALL USER !!
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_2519_3754648.1569517194412"
X-Originating-IP: [105.112.96.85]
X-Mailer: Zimbra 6.0.0_RC1_1684.RHEL5 (zclient/6.0.0_RC1_1684.RHEL5)
To: undisclosed-recipients:;
X-CU-modified: FAKECU Text https: //mail.dept.example.com/ to https: //gradingzimbra.000webhostapp.com/
X-Spam-Score: 3.502 (***) CU_PHISH_42 CU_SUBJECT_BANGBANG HTML_MESSAGE HTTPS_HTTP_MISMATCH KHOP_HELO_FCRDNS SUBJ_ALL_CAPS TVD_PH_BODY_ACCOUNTS_PRE CU_SPF_neutral
X-Scanned-By: MIMEDefang 2.84 on 128.b.c.d

------=_Part_2519_3754648.1569517194412
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

    Zimbra Mail Support your account has been
successfully updated to the latest version of Zimbra mail server with 2G 8.0.8
additional space on the web. You can now access the latest 8.0.8 version of the
Zimbra email by clicking on the links below protected administrator, sign in
with your username and password to access the latest version 8.0.8 of the
software code open Zimbra server email server and client devices to messaging
and collaboration faster.

https://mail.dept.example.com/

Greetings,

Tim Zimbra Webmail.
------=_Part_2519_3754648.1569517194412
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<html><head><style> body {height: 100%; color:#000000; font-size:12pt; font-family:Times New Roman,helvetica,clean,sans-serif;}</style></head><body><p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:
normal;background:white"><span style="font-size:12.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;
mso-fareast-font-family:&quot;Times New Roman&quot;;color:#222222"><span style="mso-spacerun:yes">&nbsp;&nbsp;&nbsp; </span>Zimbra Mail Support your account has been
successfully updated to the latest version of Zimbra mail server with 2G 8.0.8
additional space on the web. You can now access the latest 8.0.8 version of the
Zimbra email by clicking on the links below protected administrator, sign in
with your username and password to access the latest version 8.0.8 of the
software code open Zimbra server email server and client devices to messaging
and collaboration faster.<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:
normal;background:white"><span style="font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;
color:#0070C0"><!-- <a href="https://gradingzimbra.000webhostapp.com/"> --><span style="color:#0070C0">https://mail.dept.example.com/</span><!-- </a> --></span><span style="font-size:12.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;mso-fareast-font-family:
&quot;Times New Roman&quot;;color:#222222"><o:p></o:p></span></p>

<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:
normal;background:white"><span style="font-size:12.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;
mso-fareast-font-family:&quot;Times New Roman&quot;;color:#222222">Greetings,<o:p></o:p></span></p>

<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:
normal;background:white"><span style="font-size:12.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;
mso-fareast-font-family:&quot;Times New Roman&quot;;color:#222222">Tim Zimbra Webmail.<o:p></o:p></span></p></body></html>
------=_Part_2519_3754648.1569517194412--
7
Louis Waweru

As I understand it, the message originally tried to trick the user into clicking an apparently expected link (as shown in the text) that is in reality a different link (the href attribute of the actual link), i.e. something like

<a href="http://attacker">
http://example.com
</a>

This trick was successfully neutralized by a secure email gateway by commenting out the bad reference:

<!-- <a href="http://attacker"> -->
http://example.com
<!-- </a> -->

The secure email gateway added information about what it did in the non-standard X-CU-modified field of the mail header.

Because of this neutralization, the attacker's trick no longer works, i.e. the user ends up at most on the displayed site and not on the site the attacker intended. So you no longer have to worry about it. But you could thank your IT department for successfully protecting you.

18
Steffen Ullrich
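As an added illustration (not code from the thread, nor from the gateway that produced the X-CU-modified header): a small Python routine that flags links whose visible text is a URL or host name pointing at a different host than the href, comments the anchor tags out the way the gateway did, and records a note per link. The sample HTML is constructed in the shape of the quoted message, and the "FAKECU Text <shown> to <real>" note format is an assumption modelled on the single header value shown above.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the phishing HTML quoted above; the
# URLs are the ones from the thread, the markup around them is assumed.
SAMPLE_HTML = (
    '<p><a href="https://gradingzimbra.000webhostapp.com/">'
    '<span style="color:#0070C0">https://mail.dept.example.com/</span></a></p>'
    '<p><a href="https://mail.dept.example.com/">Webmail</a></p>'
)

# One <a ...>...</a> element: opening tag (with its href), inner HTML, closing tag.
ANCHOR_RE = re.compile(
    r'(<a\s[^>]*href=["\']?([^"\' >]+)["\']?[^>]*>)(.*?)(</a>)', re.I | re.S)


def _host(url):
    """Host part of a URL; link text without a scheme is treated as http."""
    if not re.match(r"https?://", url, re.I):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_mismatch(href, shown):
    """True when the visible text looks like a URL or host name but names a
    different host than the real target. Plain words ("Webmail") never count."""
    if not re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", shown, re.I):
        return False
    return _host(href) != _host(shown)


def neutralise(html):
    """Comment out the <a> and </a> of every deceptive link, leaving the
    visible text in place (the same rewrite the gateway applied), and return
    (rewritten_html, notes). The note format 'FAKECU Text <shown> to <real>'
    is an assumption modelled on the one X-CU-modified header in the thread."""
    notes = []

    def fix(m):
        open_tag, href, inner, close_tag = m.groups()
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        if not is_mismatch(href, shown):
            return m.group(0)
        notes.append(f"FAKECU Text {shown} to {href}")
        return f"<!-- {open_tag} -->{inner}<!-- {close_tag} -->"

    return ANCHOR_RE.sub(fix, html), notes


if __name__ == "__main__":
    body, notes = neutralise(SAMPLE_HTML)
    print("\n".join(f"X-CU-modified: {n}" for n in notes))
    print(body)
```

The check is host-based on purpose: a link whose text and href share a host but differ in path is not flagged, which matches the mismatch the gateway acted on here.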