Network Wizkid

It’s 2021 and COVID-19 is still very much relevant and showing no signs of disappearing anytime soon. There is signs of hope for some though as vaccines are now being rolled out in different countries, including the UK. Unfortunately due to supply and demand, vaccines that are available in the UK are specifically being offered to Government selected groups of individuals, ranging from the elderly to key workers at present. This means that many people still have to wait in line for their time to come. Sadly, even with something so serious like COVID-19, opportunists are taking advantage any way they can.

On Wednesday 27th January I was alerted to an email that looked to come from the National Health Service (NHS). The email with the subject line: RE:NHS COVID-19 Vaccination appointment 08:36:53-01/27/21 #05336933020645 indicated that the recipient was eligible for a COVID-19 vaccine. The email reads as shown below (only the name has been redacted).

ʜɪ <redacted name>

ᴀꜱ ᴘᴀʀᴛ ᴏꜰ ᴛʜᴇ ɢᴏᴠᴇʀɴᴍᴇɴᴛ’ꜱ ᴄᴏᴏʀᴅɪɴᴀᴛᴇᴅ ʀᴇꜱᴘᴏɴꜱᴇ ᴛᴏ ᴄᴏʀᴏɴᴀᴠɪʀᴜꜱ, ɴʜꜱ ɪꜱ ᴘᴇʀꜰᴏʀᴍɪɴɢ ꜱᴇʟᴇᴄᴛɪᴏɴꜱ ꜰᴏʀ ᴄᴏʀᴏɴᴀᴠɪʀᴜꜱ ᴠᴀᴄᴄɪɴᴀᴛɪᴏɴ ᴏɴ ᴛʜᴇ ʙᴀꜱɪꜱ ᴏꜰ ꜰᴀᴍɪʟʏ ɢᴇɴᴇᴛɪᴄꜱ ᴀɴᴅ ᴍᴇᴅɪᴄᴀʟ ʜɪꜱᴛᴏʀʏ.

ʏᴏᴜ ʜᴀᴠ ᴇʙᴇᴇɴ ꜱᴇʟᴇᴄᴛᴇᴅ ᴛᴏ ʀᴇᴄᴇɪᴠᴇ ᴀ ᴄᴏʀᴏɴᴀ ᴠɪʀᴜꜱ ᴠᴀᴄᴄɪɴᴀᴛɪᴏɴ

ᴜꜱᴇ ᴛʜɪꜱ ꜱᴇʀᴠɪᴄᴇ ᴛᴏ ᴄᴏɴꜰɪʀᴍ/ʀᴇᴊᴇᴄᴛ ʏᴏᴜʀ ᴄᴏʀᴏɴᴀᴠɪʀᴜꜱ (ᴄᴏᴠɪᴅ-19) ᴠᴀᴄᴄɪɴᴀᴛɪᴏɴ:
ɴʜꜱ – ᴀᴄᴄᴇᴘᴛ ɪɴᴠɪᴛᴀᴛɪᴏɴ >>
ɴʜꜱ – ᴅᴇᴄʟɪɴᴇ ɪɴᴠɪᴛᴀᴛɪᴏɴ >>

ɪᴛ ᴛʜᴇɴ ɢᴏᴇꜱ ᴏɴ ᴛᴏ ꜱᴀʏ:
ʏᴏᴜ ᴄᴀɴ ᴏɴʟʏ ᴜꜱᴇ ᴛʜɪꜱ ꜱᴇʀᴠɪᴄᴇ ɪꜰ ɪ ʜᴀᴠᴇ ʀᴇᴄᴇɪᴠᴇᴅ ᴀɴ ᴇᴍᴀɪʟ/ꜱᴍꜱ ʀᴇɢᴀʀᴅɪɴɢ ᴛʜɪꜱ ɪɴᴠɪᴛᴀᴛɪᴏɴ. ʏᴏᴜ ᴄᴀɴ ɴᴏᴛ ᴜꜱᴇ ᴛʜɪꜱ ꜱᴇʀᴠɪᴄᴇ ꜰᴏʀ ᴀɴʏᴏɴᴇ ᴏᴛʜᴇʀ ᴛʜᴀɴ ʏᴏᴜʀꜱᴇʟꜰ. ʏᴏᴜ ᴀʀᴇ ᴀʟꜱᴏ ꜰʀᴇᴇ ᴛᴏ ʀᴇᴊᴇᴄᴛ ᴛʜɪꜱ ɪɴᴠɪᴛᴀᴛɪᴏɴ, ʏᴏᴜʀ ᴀᴘᴘᴏɪɴᴛᴍᴇɴᴛ ᴡɪʟʟ ʙᴇ ɪꜱꜱᴜᴇᴅ ᴛᴏ ᴛʜᴇ ɴᴇxᴛ ᴘᴇʀꜱᴏɴ ɪɴ ʟɪɴᴇ ɪɴ ᴛʜᴀᴛ ᴄᴀꜱᴇ.

ʙᴏᴏᴋ ᴀɴ ᴀᴘᴘᴏɪɴᴛᴍᴇɴᴛ ᴜꜱɪɴɢ ᴛʜᴇ ɴʜꜱ ᴇ-ʀᴇꜰᴇʀʀᴀʟ ꜱᴇʀᴠɪᴄᴇ – ɴʜꜱ ᴠᴀᴄᴄɪɴᴀᴛɪᴏɴ

And here is a screenshot of the email in question:

Upon taking a look at the email in more detail, it was evident that the email was fake and not from the NHS. In more technical terms, this type of email is called a phishing email and you can watch more about these here. These emails are sent by disingenuous people in order to try and obtain your personal information and sometimes even payment information. If successful, attempts to steal your money will make and your data could later be used against you to carry out fraudulent activities. So I hear you asking; “How did you know and what should I look out for?”. Well don’t worry, this article will equip you with the knowledge you need to spot these emails.

How to Identify Phishing Emails

Here are a few tips on what to look for in phishing emails. The list is not exhaustive but is merely there to provide you with some guidance.

1. The content of the email is usually grammatically incorrect. Looking at the supposed NHS email about, we can see missing full stops and even letters in the wrong place. Genuine emails sent out at mass are usually peer-reviewed and approved before they are allowed to be distributed.
2. The sender’s email address is incorrect. Now, this can sometimes be difficult for those that are less tech-savvy but let me try and explain this part to you. When you receive an email from a company they should have what is called a company domain associated with their email address. For example: If I was sending an email from my company Network Wizkid, my email address would look something like: [email protected]; so let’s break this down. The first part of the email address ‘kelvin’ can be anything that I choose but the important part to look out for is the domain which comes after the ‘@’ symbol; in my case ‘networkwizkid.com’. This clearly identifies my brand/company to those receiving emails from me and this is common with other businesses. Returning back to the fake NHS email, we can see that the bad people have attempted to mislead the recipient by including ‘nhs-uk’ at the beginning of the email address. Furthermore, look at the domain; ‘service-notification.co.uk’, this is not the NHS. In fact, the NHS have a publicly available domain naming schema here and although it’s a good few years old, the domain names are unlikely to have changed. That being said, we should suspect that an email from the NHS would look something like this: ‘[email protected]’ and not ‘[email protected]’. Lastly, the fake email address we have just discussed is actually what we call an alias. This is where the real email address is masked with another name, in this case, another email address. The actual sender’s email address is ‘[email protected]’ and this is likely to be a fake account.
3. The subject line doesn’t look right. Sometimes when a phishing campaign is launched, the bad people often overlook the simple things. If we take the fake email, the subject line reads as ‘RE:NHS COVID-19 Vaccination appointment 08:36:53-01/27/21 #05336933020645‘. Now there is a couple of things that I observed in this subject and that is the fact that they’ve already got an appointment time and date. This wouldn’t be in the subject and nor would you have a date for a COVID-19 vaccine before you confirmed an appointment. The other thing I noticed was that at the start of the subject ‘RE’ is visible; this assumes that this is an email response to a previous email that was sent. Lastly, there is a funky-looking number at the end of the subject line, which probably bares no weight but nevertheless, it doesn’t look as though it should be there.
4. Hoover over the links but DON’T click on them! Phishing emails will 99.9% of the time include links to click on. If you receive a suspicious email with a link or multiple links you can always hover over the links to see where the link will take you too. If the link doesn’t look right don’t click it, if the link looks legit but you are unsure about the email then don’t click it.
5. The name of who the email is addressed to. It is likely that the bad people that have sent the email don’t know your name. In cases where this is true, they will address you by your email address or without any name at all. In the case of the NHS email, they address the user by their email address and not by their name.

What to do if you suspect a phishing email

Here are a few tips on what to do if you suspect an email is a phishing attempt. The list is not exhaustive but is merely there to provide you with some guidance.

1. DO NOT CLICK ANY LINKS! First and foremost, do not click any links contained within the email if you are unsure whether it is genuine. Depending on the type of phishing campaign some links when clicked can install malware (bad stuff) onto your machine. This can later be used for many things, including stealing information.
2. Report it to the company in question. If you suspect a phishing email, make note of the sender’s email address and if possible take screenshots of the email so you can provide the company with as much information as possible. Some companies actually have an email address that you can use to send all the relevant information and they will confirm with you whether the email is indeed fake. NHS have an email address along with some guidance here. You can also report suspicious emails to [email protected]
3. Categorise the email as spam. If the email you received arrived in your normal email inbox then you should recategorise this as spam as soon as you have confirmed it is indeed a fake email. Once done, some email providers will automatically delete the email however, if the email isn’t deleted you can remove it yourself.
4. Use network protection mechanisms. This is easier said than done for those families that are not so tech-savvy. However, if you have devices that can block traffic to specific IP addresses or links then it is worth copying those links and blocking them. I have included the links below purely for technical teams to analyse only. Please do not click on those links…you have been warned!

Further Analysis of the fake NHS COVID-19 Email

I have decided to include this section for the awareness of the reader.

• The email address in question includes x2 links, having clicked on both of them, it takes me to the same page with URL: https://65-21-5-36.cprapid.com/confirm-appointment.php?action=confirm-booking&inviteID=rmOHKqJvwkYxNjHqpAttjjhEZaRdSTIhTiGwnaujXQMlSiKft. The original link in the email is: http://dpo733728.65-21-5-0.cprapid.com/?query=1&REF=QYlDngxeLx We can see that it is not an NHS link! Furthermore, this link is a redirection link that contains the IP address in the link. It’s important to note that there is more than one IP address associated with this. I have noted the ones that I have come across below:

• The IP addresses assigned to the links work in a round-robin fashion
• When navigating the landing page and clicking on the page headings, it always takes me back to the same page. In other words, all the links on the page apart from the ‘accept invitation’ and ‘reject invitation’ are the same.
• There is a few more telling signs that this is a phishing email but the objective of the page is to get users to click on the ‘Accept invitation’ or ‘Reject invitation’ button links. Both button links take the user to the same page. This is the main part of the phishing campaign that is used to steal your data. The screenshot below shows the form requesting the user’s data.

• Once the user’s details have been collected on the previous step, pressing continue will take the user to the next step. This is the part where the malicious actors want to succeed as this is where payment details are requested as shown in the screenshot below.

• Both the reject and accept invitation links will take the user to the same page; with the main purpose of obtaining card details.

Traffic Analysis

• When the link in the email is clicked on, the original request uses HTTP to IP 65.21.5.0
• When the TCP connection has been established, the host requests the following as shown in the screenshot

• The server responds back with the following message to ask the client to go to the specified location. This is not static as mentioned above and the location returned will contain a different IP address almost every time.

• Based on the previous request, the client creates a session with the new host as shown in the screenshot. This session is negotiated using HTTPS (443) and so if this connection was to be blocked the domain and/or the IP addresses would need to be blocked.

• Security products such as Cisco Umbrella can be used to block the relevant domains as shown in the screenshot below.

Closing Comments

Thank you for reading, I really hope this will help reduce the number of people falling for such a scam. Please share with your friends, family and colleagues to raise awareness and in the hopes of helping others.

Listen to the latest government advice to get updates on the latest COVID-19 news and developments with vaccines and remember, the NHS shouldn’t ask for your bank details. Lastly, if an email doesn’t look right follow the advice above.

At the time of writing this article, the domain associated with this email wasn’t considered risky. Hopefully, this article along with the research from another cybersecurity professional will help change that.

If you are a security researcher and/or somebody that has also looked into this phishing campaign and would like to add something to this article then please reach out in the comments section.

Thank you.