¿Se trata de un phishing de correo electrónico de Amazon Business?

Hoy recibí un mensaje que pretende ser de Amazon. Normalmente,puedodetectaruncorreoelectrónicodephishingadistancia.(TrabajoeneldepartamentodeAbusosyCONdeunISP).Peroestepareceunpocodesviado.Siesphishing,damiedo.

Elúnicoindicioquetengodequenoesrealesqueseenvióaunadirecciónde{laAenQ&A}@eoni.com,quenotieneunKenneth(esunadireccióndesoportetécnicoparanuestroISPquetambiénhacehostingdedominio).Elhechodequeesténusandoesadirecciónmehacepensarqueladirecciónpodríahaberserecopiladoautomáticamente(probablementewhois).EsmuyposiblequeunodelosdominiosquealojamosseaparaunclientellamadoKenneth,yqueesedominiotenganuestradireccióndecontactoenelregistrodewhoisenalgúnlugar.Tenemossuficientesdominiosalojadosquesolounnombrenoserásuficienteparaencontrardichonombrededominioymirarelregistrodewhois.

Alestareneldepartamentodeabusos,queríasabersiestoesrealono(porloquepuedodenunciarlosiesposible/impedirquetrabajeennuestraredsiesunPhish).

Aquíestánlosencabezados:

Return-Path:<01010157e278aa63-283a615a-b603-4300-8c6f-8426b3978f81-000000@us-west-2.amazonses.com>Delivered-To:{ainQ&A}@eoni.comReceived:(qmail8542invokedfromnetwork);20Oct201614:22:22-0000Received:froma27-163.smtp-out.us-west-2.amazonses.com(HELOa27-163.smtp-out.us-west-2.amazonses.com)(54.240.27.163)byadam6.eoni.comwith(AES128-SHAencrypted)SMTP(9d6af486-96d0-11e6-bacc-001e67492cec);Thu,20Oct201607:22:22-0700DKIM-Signature:v=1;a=rsa-sha256;q=dns/txt;c=relaxed/simple;s=iapqtturmhylirl6i5t3a2ps2ewsadsl;d=business.amazon.com;t=1476973341;h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type:List-Unsubscribe;bh=CqDwwona4ZmOCsT+zgi3DKmE5lkxklMdpT65fdXrB1c=;b=UAkSuvsci14jfOFm+fW8S5l3ntdIbESTZB8eHvo6+itz4xiYy9sxXQ1RoXIJIGq93ny5HJIKyI6wkjKRWnX6TQ3EHhDqDFlkB75Z1NzHNlp/5NUA8cEa6ua+wq1sWdyG33ok5gn5Kkz3v72uQMAhT6Dqq/3DSW9ipDMzrHF12Fs=DKIM-Signature:v=1;a=rsa-sha256;q=dns/txt;c=relaxed/simple;s=gdwg2y3kokkkj5a55z2ilkup5wp5hhxx;d=amazonses.com;t=1476973341;h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type:List-Unsubscribe:Feedback-ID;bh=CqDwwona4ZmOCsT+zgi3DKmE5lkxklMdpT65fdXrB1c=;b=BdhqUbp6t3dhXe83M3isFcjV2hXaT6rAhCxPN/WXWepJngjhi1EO3Sgd5SbkaEjj6dzzlfljD+nKTJH2r9Kd1COeXqc5tgSeMEmVYV1TpmIRhc1fU9RUULRKG4ojxs0msSbRDRzSCa83Se484s7KDNwb5LWixFn7jo3oL7DFKx0=Message-ID:<01010157e278aa63-283a615a-b603-4300-8c6f-8426b3978f81-000000@us-west-2.amazonses.com>Date:Thu,20Oct201614:22:21+0000Subject:FreeUpgradetoAmazonBusinessAccountFrom:Amazon<[email protected]>To:{AinQ&A}@eoni.comMIME-Version:1.0Content-Type:multipart/alternative;boundary="_=_swift_v4_1476973341_6e5cebc34b840a2a68132f6e212fdc76_=_"
X-Pardot-Route: 113:54552:359489270
List-Unsubscribe: <http://www.amazonbusiness.com/unsubscribe/u/54552/6674f6c0dd8377b4a26688a664718cffd707396fd788791d186acab4a81bd210/359489270>
X-Report-Abuse-To: [email protected]
X-SES-Outgoing: 2016.10.20-54.240.27.163
Feedback-ID: 1.us-west-2.DslCQSzKRwSQ0bYxCfi+GcY39H31l7QrR+kFUIOTrc4=:AmazonSES
X-MagicMail-OS: Inactive
X-MagicMail-UUID: 9d6af486-96d0-11e6-bacc-001e67492cec
X-MagicMail-SourceIP: 54.240.27.163
X-MagicMail-RegexMatch: 0
X-MagicMail-EnvelopeFrom: <01010157e278aa63-283a615a-b603-4300-8c6f-8426b3978f81-000000@us-west-2.amazonses.com>
X-MagicMail-Original-Destination: {A in Q&A}@eoni.com
X-MagicMail-Quarantine: Yes

Mirando los encabezados, veo que es por lo que creo que es un servicio de correo electrónico de AWS. (Cualquiera puede comprar eso y enviar un correo electrónico). Así que eso no me convence de que sea Amazon. Veo cosas sobre Pardot, un sistema de automatización de marketing B2B de salesforce. Parece extraño que no fuera en casa para Amazon, pero podrían usar un sistema así. Así que no estoy seguro de qué pensar al respecto.

Si esto es un ataque, tiene que funcionar de alguna manera. ¿A dónde van los enlaces?

Crear mi cuenta: http: /www.amazonbusiness.com/e/54552/gistration-start-ref-b2b-e459b/jt2hvr/359489270

Cancelar suscripción: http: /www.amazonbusiness.com/preferences/? ehash = 6674f6c0dd8377b4a26688a664718cffd707396fd788791d186acab4a81bd210 & email_id = 359489270

Actualice las preferencias de correo electrónico: http: /www.amazonbusiness.com/preferences/? ehash = 6674f6c0dd8377b4a26688a664718cffd707396fd788791d186acab4a81bd210 & email_id = 359489270

Ninguno de estos tiene SSL, pero Create my account one redirige a:

enlace

Bien, ¿dónde está alojado este dominio amazonbusiness.com? ¿Quién posee el nombre? Seguramente Amazon alojaría todos sus sitios en AWS, ¿no?

dig a  www.amazonbusiness.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> a www.amazonbusiness.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58074
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.amazonbusiness.com.        IN  A

;; ANSWER SECTION:
www.amazonbusiness.com. 820 IN  CNAME   go.pardot.com.
go.pardot.com.      7199    IN  CNAME   pi.pardot.com.
pi.pardot.com.      29  IN  CNAME   pi-dfw.pardot.com.
pi-dfw.pardot.com.  29  IN  CNAME   pi-dfw-lb1.pardot.com.
pi-dfw-lb1.pardot.com.  899 IN  A   136.147.104.32

;; Query time: 57 msec
;; SERVER: 192.168.88.1#53(192.168.88.1)
;; WHEN: Thu Oct 20 08:21:50 PDT 2016
;; MSG SIZE  rcvd: 143

Compare eso con el propio amazon.com:

dig a amazon.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> a amazon.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40326
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;amazon.com.            IN  A

;; ANSWER SECTION:
amazon.com.     23  IN  A   54.239.25.208
amazon.com.     23  IN  A   54.239.17.7
amazon.com.     23  IN  A   54.239.26.128
amazon.com.     23  IN  A   54.239.25.192
amazon.com.     23  IN  A   54.239.17.6
amazon.com.     23  IN  A   54.239.25.200

;; Query time: 1 msec
;; SERVER: 192.168.88.1#53(192.168.88.1)
;; WHEN: Thu Oct 20 09:02:34 PDT 2016
;; MSG SIZE  rcvd: 124

Bien, entonces quién es el propietario del espacio de direcciones IP para el sitio posiblemente falso:

whois 136.147.104.32

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=136.147.104.32?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       136.147.0.0 - 136.147.255.255
CIDR:           136.147.0.0/16
NetName:        SFDC-3
NetHandle:      NET-136-147-0-0-1
Parent:         NET136 (NET-136-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS14340
Organization:   Salesforce.com, Inc. (SALESF-3)
RegDate:        2012-02-24
Updated:        2014-07-14
Ref:            https://whois.arin.net/rest/net/NET-136-147-0-0-1


OrgName:        Salesforce.com, Inc.
OrgId:          SALESF-3
Address:        1 Market Street
Address:        Suite 300
City:           San Francisco
StateProv:      CA
PostalCode:     94105
Country:        US
RegDate:        1999-11-30
Updated:        2014-11-20
Ref:            https://whois.arin.net/rest/org/SALESF-3


OrgAbuseHandle: NOC1403-ARIN
OrgAbuseName:   Network Operations Center
OrgAbusePhone:  +1-415-901-7000 
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    https://whois.arin.net/rest/poc/NOC1403-ARIN

OrgNOCHandle: NOC1403-ARIN
OrgNOCName:   Network Operations Center
OrgNOCPhone:  +1-415-901-7000 
OrgNOCEmail:  [email protected]
OrgNOCRef:    https://whois.arin.net/rest/poc/NOC1403-ARIN

OrgAbuseHandle: SAN76-ARIN
OrgAbuseName:   Salesforce Abuse NOC
OrgAbusePhone:  +1-703-463-3219 
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    https://whois.arin.net/rest/poc/SAN76-ARIN

OrgTechHandle: NOC1403-ARIN
OrgTechName:   Network Operations Center
OrgTechPhone:  +1-415-901-7000 
OrgTechEmail:  [email protected]
OrgTechRef:    https://whois.arin.net/rest/poc/NOC1403-ARIN

RNOCHandle: NOC1403-ARIN
RNOCName:   Network Operations Center
RNOCPhone:  +1-415-901-7000 
RNOCEmail:  [email protected]
RNOCRef:    https://whois.arin.net/rest/poc/NOC1403-ARIN

RAbuseHandle: SAN76-ARIN
RAbuseName:   Salesforce Abuse NOC
RAbusePhone:  +1-703-463-3219 
RAbuseEmail:  [email protected]
RAbuseRef:    https://whois.arin.net/rest/poc/SAN76-ARIN

RTechHandle: NOC1403-ARIN
RTechName:   Network Operations Center
RTechPhone:  +1-415-901-7000 
RTechEmail:  [email protected]
RTechRef:    https://whois.arin.net/rest/poc/NOC1403-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

Así que NO en AWS. Compare con quién es el propietario del espacio de direcciones IP que alberga Amazon.com:

whois 54.239.26.128

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=54.239.26.128?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       54.224.0.0 - 54.239.255.255
CIDR:           54.224.0.0/12
NetName:        AMAZON-2011L
NetHandle:      NET-54-224-0-0-1
Parent:         NET54 (NET-54-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS16509
Organization:   Amazon Technologies Inc. (AT-88-Z)
RegDate:        2012-03-01
Updated:        2012-04-02
Ref:            https://whois.arin.net/rest/net/NET-54-224-0-0-1


OrgName:        Amazon Technologies Inc.
OrgId:          AT-88-Z
Address:        410 Terry Ave N.
City:           Seattle
StateProv:      WA
PostalCode:     98109
Country:        US
RegDate:        2011-12-08
Updated:        2014-10-20
Comment:        All abuse reports MUST include:
Comment:        * src IP
Comment:        * dest IP (your IP)
Comment:        * dest port
Comment:        * Accurate date/timestamp and timezone of activity
Comment:        * Intensity/frequency (short log extracts)
Comment:        * Your contact details (phone and email) Without these we will be unable to identify the correct owner of the IP address at that point in time.
Ref:            https://whois.arin.net/rest/org/AT-88-Z


OrgTechHandle: ANO24-ARIN
OrgTechName:   Amazon EC2 Network Operations
OrgTechPhone:  +1-206-266-4064 
OrgTechEmail:  [email protected]
OrgTechRef:    https://whois.arin.net/rest/poc/ANO24-ARIN

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName:   Amazon EC2 Abuse
OrgAbusePhone:  +1-206-266-4064 
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    https://whois.arin.net/rest/poc/AEA8-ARIN

OrgNOCHandle: AANO1-ARIN
OrgNOCName:   Amazon AWS Network Operations
OrgNOCPhone:  +1-206-266-4064 
OrgNOCEmail:  [email protected]
OrgNOCRef:    https://whois.arin.net/rest/poc/AANO1-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

Así que Amazon.com está en AWS, como pensé que sería.

En este momento, no estoy seguro de si el correo electrónico es falso o no. ¿Lo es? Si es así, ¿cómo funciona? Parece estar haciendo algo con OpenID, ¿qué está pasando allí? ¿Cómo podría estar seguro en el futuro?