I’ve been made aware of a new phishing email campaign that poses as the UK mobile phone company ‘EE‘.
This article aims to identify typical attributes of a phishing email and more specifically show you what the EE phishing email looks like so that you or your friends and family don’t become a victim as a result.
Disclaimer: This article and the information within has been gathered and shown for informational purposes only. Please don’t try and follow the links contained within the email.
Phishing Email Analysis
Here is a look at the email:
The very first thing that I noticed was the suspicious email address: firstname.lastname@example.org
As you can clearly see, there is no reference to the organisation EE. We would typically expect to see something like billing.ee.com or something similar.
By further analysing the email, I noticed some grammatical issues…I must admit that it’s better than some email’s I’ve previously seen but nevertheless, this can sometimes be a sign of a malicious email.
The intention of the email, as is always the case with phishing emails is to spark a sense of urgency and get you to take action. This usually involves clicking a link to input personally identifiable information (PII), including payment details. Those that fall victim to phishing emails, they only realise once money has been taken from their accounts or their details have been used for fraudulent activities.
When analysing the link attached to the text: Update and verify billing details >, clicking the link with take you to the following URL: https://dlvr.it/SCgHhx which is redirected to https://websapp-link.westachinchanter.com/UchrFt. As you can see there is no correlation to EE in the URL’s presented. The latter URL attempts to GET the file named UchrFt as shown in the screenshot below and uses the IP address of 22.214.171.124 over HTTPS/443.
When trying to analyse the website on a computer the following message is presented. The HTTP 403 status code essentially means that access to the resource is forbidden but the server understands the request. It would seem as though the request will permit access to the content in the filename based on the user agent of the device.
When accessing the link via a mobile device the results are slightly different. We manage to get through to the following URL: https://ee-btgroupdlimited0292799710.com/account/index?ac=ee#/partnerships and we are presented with the following web page.
Below is a screenshot of the behaviour when the request to the URL is issued on a mobile device, or one posing to be a mobile user agent.
After performing the above analysis, the following behaviour was observed:
- Access to the resource is restricted by user agent
- When browsing to the URL: https://websapp-link.westachinchanter.com/UchrFt with the correct user agent, a response code 302 redirects the request to another link: https://ee-btgroupdlimited0292799710.com/?app1/identity/authorize/login as shown in the screenshot below
- Once the redirection has finished, the user will be able to see a webpage that presents itself as though it is EE’s website. This website however, is not legitimate and has cloned aspects to the real site. The URL https://ee-btgroupdlimited0292799710.com/account/index?ac=ee also doesn’t belong to EE.
Carrying out further analysis against the domain name shows the following:
- The domain name is reletively new (Registered: 02/11/21), meaning that this phishing campaign (at least under this domain name) is new.
When further analysing the IP address associated with the registered domain (126.96.36.199), I can see the following:
- There are a number of oher domains registered against the IP address; one of which has been confirmed malicious by Cisco as shown in the screenshots below.
- The domain analysed in this article has not yet been confirmed as malicious. Once I have concluded with my analysis, I will submit the relevant information to Cisco Talos for further investigation and request that this domain is recatergorised as malicious (Phishing).
Back to the website for further analysis…
While analysing the website, I noticed the following:
- Many of the links contained within the website are duds, for example: https://ee-btgroupdlimited0292799710.com/account/index?ac=ee#/partnerships there is no redirection. However, some of the links do redirect you to the actual EE website: ee.co.uk
- When clicking ‘Register’ the file is not found and as a result, a blank page is returned as shown in the screenshot below.
- When clicking ‘Reset password’, an error 404 code is returned as shown in the screenshot because the file is not found on the server.
- A comparision between the cloned website and the real website show some obvious differences. Some of these are shown below.
I have come to the conclusion that the malicious actors cloned an older website of EE’s and haven’t even been bothered to update it.
Now it’s time to get to the juicy bit…this is where the malicious actors try to obtain your payment information other PII.
When entering any email address and password to login…it is ofcourse accepted and I am taken to the next step.
In the next step, the intention is to gather my PII by requesting my full name, address and phone number. Again I entered false information and proceeded to Step 2.
In step 2, the intention of the malicious actors is to acquire your card details…all of it! The funny thing I noticed is that, there was no mention of how much money “I owed” but yet they wanted all my card details. Again, I enter dud information as shown below and proceed to Step 3.
Step 3 is the final stage. The malicious actors now think that they’ve received all the relevant information they need in order to steal my money and commit fraud against my name and that information is now sent to them. Again, there is no mention of the payment amount owed, they’ve just gone to the effort of creating a fake bank validation page before having the cheek to redirect me to the official EE website.
At the time of writing this, no other engine had reported this domain as malicious as shown in the screenshots below.
Updates to the blacklist staus of this domain can be found here. This does not include Cisco Talos!
I have now concluded my analysis of this website and I can confirm that this is a malicious Phishing campaign. If you know anybody with an EE account or anybody that has received a similar email, please share this with them to raise awareness.
DO NOT CLICK OR ENTER ANY URL!
I have reported this to EE and I will also feed this information back to Cisco Talos and other threat research organisations in an attempt to have this domain and IP further blacklisted. In the meantime, businesses or households that have the capabilities to block domains and IP addresses should consider blocking the following:
I will aim to update this article with any new findings and the outcome of any investigation performed by other research teams that I have contacted.
Cisco Talos has now reclassified this domain as Phishing and now blocked access.