"OVH: Domain suspension", analysis of the phishing campaign

Lïa Desmousseaux de Givré

We recently observed a phishing email in which cybercriminals impersonate OVH. This gave us the opportunity to analyze the attack and the underlying technology.

In this article, we will present in detail the attack and how to protect yourself from it. We will also delve into the techniques used to bypass anti-phishing filters that allow these fraudulent emails to arrive directly in your inbox.

Explanation of the attack

OVH is a French company that provides services including hosting and domain name registration.

The purpose of this phishing attack is to use OVH's identity and claim that the victim's domain name will be suspended during the day.

To avoid this, the victim is asked to immediately pay the bill, with the link conveniently provided in the email.

Of course, the link leads to a fraudulent website, which directly leads to a payment form where the victim can enter their credit card information.

After entering their information, the victim lands on a page simulating the 3D Secure confirmation, where they remain stuck.

Finally, they are left blocked on that page, which ends the interaction.

Playing on urgency

This is a well-known psychological tactic used by hackers as well as marketing services. Playing on urgency pushes for quick decision making.

The suspension of the domain name implies the unavailability of the victim's website and potentially economic or reputational consequences for them.

Impersonating OVH

Here, all elements are carefully crafted to make you believe it is an official communication from OVH: the email logos, the color code of the payment page, and even the OVH Cloud logo welcoming you before the payment page loads!

How to detect phishing?

Some emails require critical action, such as entering personal information, paying a bill, making a transfer, opening an attachment, or transmitting information.

As innocuous as the email may seem, this type of action can have serious consequences.

When an email requires critical action from you, you must be suspicious and discerning and adopt a cautious behavior.

The first thing that should raise your suspicion is that it is odd to receive such an urgent email with unprecedented suspension threats.

Indeed, if your domain renewal date is approaching, you should know how much time you have left and may have even set your domain to renew automatically, making this type of email unexpected.

Furthermore, there are observable points easily proving the fraud. In our case:

  1. Remove any doubt about the status of your domain name. Log in manually—without clicking on the link provided in the email—to your OVH dashboard to check the status of your domain name and any outstanding invoices. It is recommended to call OVH if you still have doubts: the idea is to contact OVH directly through communication channels you control rather than using means provided via a suspicious email.
  2. In the email, always check the sender. In our case, the email sender is not OVH, and the domain name does not match.

In the email header, check the sender's address.

  3. Still in the email, hover over the payment form link with your mouse: the link does not match the one written in the email.

By hovering over the link with the mouse, we can see that the domains do not match.
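The two checks above (sender domain versus the claimed brand, visible link text versus the real target) can be automated for a mail gateway. The following is an added example, not code from the original article; the message is constructed and all addresses and domains are placeholders.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not the campaign's real email): the display name claims
# OVH, the sender's domain does not, and the visible link text differs from the href.
RAW_EMAIL = b"""From: "OVH Support" <facturation@example-a.invalid>
To: victim@example.com
Subject: Suspension de votre nom de domaine
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<p>Votre nom de domaine sera suspendu aujourd=E2=80=99hui.</p>
<p><a href=3D"https://pay.example-a.invalid/x9k2">https://www.ovh.com/</a></p>
"""

BRAND = "ovh"  # the brand the email claims to come from


def registrable(host: str) -> str:
    """Crude registrable-domain approximation (last two labels); enough for the demo."""
    return ".".join(host.lower().split(".")[-2:])


def analyse(raw: bytes, brand: str = BRAND):
    """Automate the two manual checks from the article: does the sender domain match the
    claimed brand, and does each link's visible text match where it really points?"""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, address = email.utils.parseaddr(str(msg["From"]))
    sender_domain = registrable(address.split("@")[-1])
    findings = []
    if brand in display.lower() and brand not in sender_domain:
        findings.append(("sender-mismatch", display, sender_domain))
    html = msg.get_body(preferencelist=("html",)).get_content()  # QP already decoded
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""  # only set when the text is a URL
        if text_host and registrable(text_host) != registrable(href_host):
            findings.append(("link-mismatch", text_host, href_host))
    return findings


if __name__ == "__main__":
    for finding in analyse(RAW_EMAIL):
        print(*finding)
```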

Ideally, these steps should be sufficient for you to proceed to the next step: report the email as fraudulent.

If you know what you are doing and are curious, you can also click on the link to see what is behind it.

Once on the page, you will once again realize that the domain name does not belong to OVH.

You will notice that the SSL certificate—the small padlock on the left side of the address bar—indicates that your connection to the site is secure. However, be careful, this does not imply that it is a legitimate site. It simply informs you that you are exchanging your information in an encrypted manner...with a cybercriminal.

The right behavior when receiving this type of phishing email

Once detected, it is important to report the attack promptly to prevent its propagation.

In a company, we train employees to report such emails to the competent departments—IT or security—to inform all other employees and limit the spread of the attack.

In the case of a mass attack targeting private individuals, you can simply use the reporting feature of your email inbox.

By clicking on "Report phishing," you report the fraudulent emails and also slow down the progress and chances of success of the attack among other people.

Report suspicious emails as phishing attempts and warn others if necessary, in order to protect your data and that of other users who may be less attentive than you.

Detailed technical analysis

At Arsen, we create phishing campaigns to train employees to adopt and integrate the right behaviors in real situations and in the long term.

Thus, we closely follow the techniques used by cybercriminals to bypass spam and phishing filters.

In this section, we will explore the techniques used in this attack to overcome technical protections and answer the question: how does this type of campaign bypass anti-phishing filters?

Multiple domain names and hosting for a single attack

Multiple domain names and servers are used for this attack.

If we click on the email link, we are directed to a first domain (A), which redirects us to a domain (B), which in turn loads an iframe from yet another domain (C).

The credit card capture form—the essential part of the attack—is loaded from the last domain (C), further protecting it from scanning by protection tools.

The age of the domain names varies.

A domain that has been active for several years usually benefits from a positive reputation, especially if it has been used by a legitimate site.

Obfuscation of content

To bypass detection of suspicious logos and content, the elements of the phishing campaign are encoded rather than served in readable form.

Some characters in the email are encoded in Quoted-Printable:

The Quoted-Printable encoding of "Pоur lе réасtіνеr, on vous invite à remplir manuellement le formulaire de" (translation: "To reactivate it, you are invited to manually fill out the form")
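The excerpt above is not plain French: several letters are look-alikes from other alphabets (the ν in réасtіνеr is a Greek nu), which breaks keyword matching and, like any non-ASCII text, ends up Quoted-Printable encoded on the wire. The following added example, not part of the original article, encodes and decodes a constructed sentence of the same kind with Python's quopri module and flags the mixed-script words a filter could key on.

```python
import quopri
import re
import unicodedata

# Constructed sample modelled on the excerpt in the article (not the real email bytes):
# a French sentence in which several letters are Cyrillic or Greek look-alikes, e.g.
# U+043E CYRILLIC SMALL LETTER O in "Pour" and U+03BD GREEK SMALL LETTER NU in "reactiver".
SAMPLE_TEXT = ("P\u043eur l\u0435 r\u00e9\u0430\u0441t\u0456\u03bd\u0435r, "
               "on vous invite \u00e0 remplir manuellement le formulaire")


def qp_encode(text: str) -> str:
    """Quoted-Printable encode UTF-8 text, as the email's body was transmitted."""
    return quopri.encodestring(text.encode("utf-8")).decode("ascii")


def qp_decode(qp: str) -> str:
    """Undo Quoted-Printable (soft line breaks included) back to the original text."""
    return quopri.decodestring(qp.encode("ascii")).decode("utf-8")


def script_of(ch: str):
    """First word of the Unicode character name: 'LATIN', 'CYRILLIC', 'GREEK', ..."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:  # unnamed code point
        return None


def mixed_script_words(text: str):
    """Words that combine Latin letters with letters from another script.
    A genuine French sentence never needs Cyrillic or Greek letters, so any hit
    is a strong signal that the text was crafted to defeat keyword filters."""
    flagged = []
    for word in re.findall(r"\w+", text):
        scripts = {script_of(c) for c in word if c.isalpha()} - {None}
        if "LATIN" in scripts and len(scripts) > 1:
            flagged.append(word)
    return flagged


if __name__ == "__main__":
    wire = qp_encode(SAMPLE_TEXT)  # what a filter sees on the wire
    print(wire)
    print(mixed_script_words(qp_decode(wire)))
```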

The page source code is encoded in Base64 to prevent immediate readability by detection tools.

The images are also encoded in Base64, making it more difficult to detect logos, and therefore the impersonation.

Finally, the font is also encoded in Base64, which further reduces the chances that the impersonation is detected.
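To triage a page built this way, an analyst wants the markup the browser actually renders and an inventory of what the Base64 blobs contain. This added example, not the campaign's code, unwraps a constructed page that mirrors the layering described: a Base64 wrapper around the source, an iframe on a third host, a Base64 logo and a Base64 font. The host names are placeholders, and loading the source through document.write(atob(...)) is an assumption about how the Base64 page is unpacked.

```python
import base64
import re

# File signatures used to tell what a decoded data: URI really is; the markup only
# says "base64", the leading bytes say png/jpeg/woff.
MAGIC = {b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"wOFF": "woff", b"wOF2": "woff2"}


def sniff(blob: bytes) -> str:
    for magic, kind in MAGIC.items():
        if blob.startswith(magic):
            return kind
    return "unknown"


def unwrap_atob(html: str) -> str:
    """Replace every document.write(atob("...")) with its decoded payload until no
    Base64 layer remains, so that static checks see the markup the browser renders."""
    pattern = re.compile(r'document\.write\(atob\("([A-Za-z0-9+/=]+)"\)\)')
    while (m := pattern.search(html)):
        decoded = base64.b64decode(m.group(1)).decode("utf-8")
        html = html[:m.start()] + decoded + html[m.end():]
    return html


def embedded_resources(html: str):
    """(declared MIME type, sniffed type, decoded size) for each Base64 data: URI,
    i.e. the logos and fonts that would otherwise be fetched from a recognisable URL."""
    out = []
    for mime, b64 in re.findall(r"data:([\w/+.-]+);base64,([A-Za-z0-9+/=]+)", html):
        blob = base64.b64decode(b64)
        out.append((mime, sniff(blob), len(blob)))
    return out


def external_hosts(html: str):
    """Hosts referenced by absolute URLs, e.g. the domain serving the card form iframe."""
    return sorted(set(re.findall(r"https?://([^/\"'\s>]+)", html)))


# Constructed sample (not the campaign's real markup): the outer page is only a Base64
# blob; decoded, it holds the iframe on a third host, a Base64 logo and a Base64 font.
_INNER = ('<iframe src="https://form.example-c.invalid/pay/a8f3k2.html"></iframe>'
          '<img src="data:image/png;base64,'
          + base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode() + '">'
          '<style>@font-face{src:url(data:font/woff2;base64,'
          + base64.b64encode(b"wOF2" + b"\x00" * 12).decode() + ')}</style>')
SAMPLE_PAGE = ('<html><body><script>document.write(atob("'
               + base64.b64encode(_INNER.encode()).decode() + '"))</script></body></html>')
```

Running `external_hosts(unwrap_atob(SAMPLE_PAGE))` lists the iframe host that never appears in the outer page, and `embedded_resources` reports the inline logo and font with their real types and sizes.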

Random file names

To cover their tracks, the resources needed to display the web pages are given randomly generated names.

In order to go further

A little research turned up traces of this scam, which has been running for some time:

Similar attacks detected on URLScan.io

Once again, Italian domains are predominant.

Conclusion

This article perfectly illustrates a phishing technique used to collect credit card numbers.

Going straight for the card data, it does not even need to bother bypassing multifactor authentication.

These card numbers can be used on sites that do not activate the 3D Secure standard or sold on the black market.

This attack, although having easily detectable suspicious elements, is likely to succeed if the victim is not attentive or minimally trained to recognize it.

Let us not forget that the motive is plausible, the text does not contain spelling mistakes, and the anti-spam filters are not triggered. Therefore, it is very easy to fall for it when dealing with a large number of emails in a short amount of time.

How to effectively protect yourself from this type of attack? The only real defense is overall acclimation and training of employees.

At Arsen, we combine simulation and e-learning to enable companies to adapt and acclimate and make employees an active element in the protection of businesses rather than a security vulnerability.