Almost Got Scammed by Thailand Pass Impersonators
Sharing my slip-ups so we all can learn from them!
Hi everyone, just want to warn everyone travelling to Thailand and applying for your Thailand Pass to be aware of phishing emails. I almost fell for it and still can’t believe my negligence. Sharing it here so hopefully, no one else will get tripped up like me.
Sequence of events
1 Mar - submitted Thailand Pass application
2 Mar - Thailand Pass approved email
7 Mar - "There are a New updates regarding your submitted information Thailand Pass" in my inbox (not spam)
7 Mar - I replied and submitted my details
7 Mar - reply to "There are a New updates regarding your submitted information Thailand Pass", in spam
The spam email linked to a zip file which, upon opening, has an HTML file inside. I was so close to opening it! 😱
Luckily some doubts arose within me and I didn’t open it. Since we are here to learn, I set up a virtual environment and continued the steps. Let’s see what the attacker wants an unaware user to do.
Let’s explore the scam
Upon clicking the bit.ly link, the user will download a zip file which, upon opening, has an HTML file inside.
Let’s open the HTML file to have a look. The font and style are uncannily similar to the official Thailand Pass portal. There is even a Google reCAPTCHA logo at the bottom right corner. The user is prompted to download another zip file.
Upon opening the zip file, here is where the attacker finally strikes.
The user is presented with a VBS script! Let’s open it safely with Notepad to take a quick look.
The VBS script is of course encoded, and what a smart way to start the code with a commented-out line. Let’s scroll down.
While I’m never good with encoding/decoding, what I suppose is happening is that this VBS script will install something malicious on your computer, and upon successful installation it will prompt with “Your information has been successfully updated, Thailand Pass.”
Phew!
Reflections
I fell for the first email on 7 Mar, 1:49 PM, as my guard was down for 4 reasons:
I rarely give out this personal email, usually only for government and official documents - so anything that comes into this email is expected to be trustworthy
They are somehow aware of my upcoming trip to Thailand + very recently made a Thailand Pass application
Being just a few days after my application, it’s typical of governments to have follow-ups
The email was not flagged by Gmail as spam, and it passed SPF and DKIM. It's even handled by SendGrid.
I looked through a Facebook group and someone mentioned this:
A developer friend also commented it’s possible that the database may not be secured well and email addresses could be queried and extracted.
I can’t confirm or deny the above, though they are certainly probable suspicions. We can’t do much about it personally; what we can do is to step up our awareness and not let our guards down, so that we can travel safe and fun!
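On the fourth reason above: an SPF or DKIM pass only shows that some domain authorised the message, not that the domain is the official one. The following is an added example, not part of the original post, that reads the Authentication-Results header and reports which domain the passes actually vouch for; every domain, the `assess` helper and its verdict strings are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every domain below is a placeholder, none comes from the post.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@bulk-sender.example header.s=s1;
 spf=pass smtp.mailfrom=bounces.bulk-sender.example;
 dmarc=none header.from=updates-portal.example
From: "Thailand Pass" <noreply@updates-portal.example>
Subject: constructed sample

body
"""

ADDR = r"(?:[^@\s;]*@)?([\w.-]+)"  # optional local part, then the domain
DKIM_RE = re.compile(r"dkim=(\w+)[^;]*?header\.[id]=" + ADDR)
SPF_RE = re.compile(r"spf=(\w+)[^;]*?smtp\.mailfrom=" + ADDR)


def org_domain(domain):
    # Assumption: the last two labels are the organisational domain.
    # Production code should use the Public Suffix List instead.
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def assess(raw, expected_domain, authserv_id="mx.example.net"):
    """Classify a message by which domain its SPF/DKIM passes vouch for."""
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    # Only trust results stamped by our own receiving server; a sender can
    # prepend a forged Authentication-Results header of its own.
    trusted = " ".join(h for h in msg.get_all("Authentication-Results", [])
                       if h.split(";")[0].strip() == authserv_id)
    hits = DKIM_RE.findall(trusted) + SPF_RE.findall(trusted)
    passed = {org_domain(d) for result, d in hits if result == "pass"}
    if not passed:
        return "unauthenticated"
    if from_dom not in passed:
        return "pass-for-third-party-domain-only"
    if from_dom != org_domain(expected_domain):
        return "aligned-but-unexpected-sender"
    return "expected-sender"


if __name__ == "__main__":
    print(assess(SAMPLE, "official-portal.example"))
```

Only the last verdict means the message was authenticated as coming from the domain you expected; the two middle verdicts are both reached with SPF and DKIM showing "pass".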









