Newsletter 11/10/2023

Beware the Insidious Invite; Or
"Punchbowl[.]Ru" is not "Punchbowl[.]Com"

Ed note: All links to punchbowl[.]anything are disabled within this post.

On Thursday, November 9, 2023, I received an email from a long-term client asking me if I knew her password.  My response to that question is always the same.  I make it my business NOT to remember any client's passwords.  I say a password is much like an account number.  I do not want to retain that piece of information once it is saved to the client's computer within the browser, which is the easiest method for a not-too-technical Consumer to get to their email, etc.  I advise people to keep a list of those passwords; but it is up to the client to decide to do that or not.  This client had no list of her passwords. 

The client is a bright older lady who is also deeply involved in her religious congregation.  She is also a once-bitten, twice-shy victim of a Fake AV Alert.  My second response to her email was that I could help her either recover her password, or create a new password.  She agreed.  And I met with her the following day.  The same day I write this.

It is not ideal security to use the browser as a password manager, but it does work for many.  So I assumed her web based email application was either forcing a hard input of the password as a security measure, or forcing the password to be changed.  Those assumptions, however, proved to be wrong.  Her password request came from within two very deceptive spam emails. 

Two spam emails came in quick succession.  Each had as a subject header an invitation to some event.  The senders' addresses were legitimate addresses that coincided with a public email list of members of her congregation.  The client could not think of any reason why she would be invited to any gathering of the senders because she really did not know them.

Since the client said she had already opened the emails, I assumed whatever damage might happen from opening these emails had already occurred.  So I opened one email to perform some simple forensics.  The email looked like an invitation from Punchbowl[.]com, which is a website that allows Consumers to make invitations and send them via email.  The Bing AI described Punchbowl[.]com as:

"Punchbowl[.]com is a platform that allows users to create and send free online invitations and digital cards."

The spam email looked like what I assumed a Punchbowl invitation might look like; although I have never sent or received a Punchbowl invitation.  An image of a big red bowl filled the body of the spam email.  The client said she clicked on the Punchbowl image and was then prompted to enter her email password that corresponded with a list of common email providers.  She didn't know her email password, and that's why she contacted me in the first place.  When I moused over the image and looked at the URL, the URL pointed to punchbowl[.]ru.  I knew my client had infected her computer.  RU is the country code for Russia.  And that's not where the real Punchbowl[.]com is located.

Well, that was enough for me to know the spam emails were fine examples of cybercrime.  Nevertheless, more information about this rogue domain would prove useful.  Below is a Whois record for Punchbowl[.]ru.  The Whois record serves well as a basic lesson in CyberSecurity forensics.  On July 07, 2022, Readers of the Dispatches were introduced to Whois records as part of the post, Anatomy of a Web Address.

Besides the dotRU country code, the first piece of information revealed by the Whois record is the fact that the domain is only two weeks old, and expires in one year.  No long term business plan, here.  The other piece of information is the IP location of the domain is "Moska," which the Collins Dictionary says is the City of Moscow, but in the Russian language.

Compare this to the Whois Record for the legitimate Punchbowl[.]com.  First, notice the creation date is February 08, 2000.  And the registration expires in 2030.  A clear indication of a legitimate business.  And the location of the IP is Virginia, USA.
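The two checks described above, looking at where a link really points before clicking it and reading the creation and expiry dates in a Whois record, as an added Python illustration that is not part of the original post.  The email body, the Whois summaries and the dates are constructed for the example (the rogue domain's creation date is set two weeks before this post); nothing here performs a live lookup.

```python
from html.parser import HTMLParser
from datetime import date
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "punchbowl.com"  # the brand the invitation claims to come from
POST_DATE = date(2023, 11, 10)     # the day the post was written

# Constructed email body modelled on the invitation described above (not the real spam message).
EMAIL_HTML = ('<html><body><p>You are invited!</p>'
              '<a href="https://punchbowl.ru/invite?id=123"><img src="bowl.png" alt="Punchbowl"></a>'
              '<a href="https://www.punchbowl.com/help">Help</a></body></html>')

# Constructed Whois summaries: creation date two weeks before the post, one-year term,
# and the legitimate record's dates as the post reports them. Not live lookups.
WHOIS = {"punchbowl.ru":  {"created": date(2023, 10, 27), "expires": date(2024, 10, 27), "location": "Moska"},
         "punchbowl.com": {"created": date(2000, 2, 8),   "expires": date(2030, 2, 8),   "location": "Virginia, US"}}

class LinkCollector(HTMLParser):
    """Collect every href in the body, including links wrapped around an image."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def registrable_domain(url):
    """Strip the scheme, path and any 'www.'; compare only the last two labels (fine for .com/.ru)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def assess_link(url, whois, today, max_age_days=90):
    """'ok' when the link lands on the expected domain; otherwise the reasons it is suspicious."""
    dom, reasons = registrable_domain(url), []
    if dom != EXPECTED_DOMAIN:
        reasons.append(f"destination {dom} is not {EXPECTED_DOMAIN}")
    rec = whois.get(dom)
    if rec:
        age = (today - rec["created"]).days
        if age < max_age_days:
            reasons.append(f"domain registered only {age} days ago")
        if (rec["expires"] - rec["created"]).days <= 366:
            reasons.append("registered for a single year only")
    return "ok" if not reasons else "; ".join(reasons)

def triage_email(html, whois, today):
    """Map every link in the message to its verdict, so the reader sees where each link really goes."""
    parser = LinkCollector()
    parser.feed(html)
    return {href: assess_link(href, whois, today) for href in parser.hrefs}
```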

I asked Bing what was the purpose of Punchbowl[.]ru.  Bing's first response was an example of an AI hallucination, i.e. a bad guess.

"Punchbowl'.'ru appears to redirect to Punchbowl News, a news platform that provides breaking news, US politics, and Congress news." 

Well, that was wrong, and possibly libelous against the real punchbowl[.]news.  I asked Bing the same question just a few minutes later.  Apparently, Bing now learns quickly.  The AI's second response, in short succession from the first, was a bit more accurate:

"It seems there might be a misunderstanding. The website `punchbowl'.'ru` does not appear to exist."

And Bing is now on the Taskbar?

I am sure any self-respecting computer user is pooh-poohing this entire post.  Saying, "I would never fall for that load of email malarkey."  To that I have two comments.  I am sure the employee of Boeing Aircraft, who had clicked on a bad link in its Business Email Compromise attack of November 2, 2023, felt the same sense of self-confidence.  One main reason these attacks are so successful is that people do click when the email appears otherwise legitimate.  That is also why the Dispatcher presses the importance of knowing the destination of a link before clicking it.

Nonetheless, this attack will achieve some level of success.  It is the holiday season.  Invitations to all kinds of gatherings will be happening far and wide.  Uncle Billy always sends e-invites.  So, the witting and the unwitting in the hurly-burly of the holiday season will click the link.  You can bet your last bottom dollar on that.

To be forewarned is to be forearmed.

¯\_(ツ)_/¯
Gerald Reiff