Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-10-07 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

First Hurricane Matthew related Phish

Published: 2016-10-07
Last Updated: 2016-10-08 14:57:02 UTC
by Rick Wanner (Version: 1)
2 comment(s)

Dr. J. put out an appeal earlier today for readers to send in any Scams related to Hurricane Matthew.  Literally within minutes Matthias sent us a Hurricane Matthew Phish that hit his inbox today. It purports to be from online payment company Stripe.

---

Welcome to Stripe!

Due To Hurricane Matthew, our servers have been affected and We be updated and all Users with 2-step verification should disable this function for the mean Time

Before we can fully provision your account, we need a few moments to verify some of the information you have provided.

We typically notify our customers of their provisioning status within an hour after severs are updated . However, in some cases we need to verify your information over the phone first. The call shouldn't take long, but due to many users on our system we can't be able to reach every one so we ask you update and confirm your details to be on a safe side 

further action may be required on your part. Please login to Your Dash board hxxps://dashboard.stripe.com/Hurricane Matthew- verification/ to update details

Users with wrong information would be banned from Our service

Regards,

Account Review Team

----

Of course the email is not from Stripe. Checking the usual; the spelling and grammar are okay; the formatting and punctuation are horrible; it was sent from an account in the ruby.net domain; and the dashboard link points to hxxp://fund2pay.org/stripe/ST/.

If you click through to the landing page.  Google is already catching this as a phishing site.

If you do click through, the page is an excellent rendition of the Stripe login page.

If you do enter your credentials it takes you to a very similar page, presumably so you can verify your credentials. If you are going to Phish someone you should make sure you get it right!

After you verified your credentials it passes you through to the real Stripe login page.  Although Stripe notices the redirect.

 Probably most interesting is that it requests Stripe users to disable their 2-factor authentication.  So assuming you do enter your credentials 3-times and disable your 2FA, the Phishers would have unimpeded access to the account. Tricky!

In my mind this falls into the realm of low probability of success, but as P.T. Barnum said "There's a sucker born every minute."

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

2 comment(s)
To report any scams/malware related to Hurricane Matthew, use our contact form: https://isc.sans.edu/contact.html
ISC Stormcast For Friday, October 7th 2016 https://isc.sans.edu/podcastdetail.html?id=5199

What is happening on 2323/TCP?

Published: 2016-10-07
Last Updated: 2016-10-07 03:04:30 UTC
by Rick Wanner (Version: 1)
2 comment(s)

A number of sources, including DShield, have noticed an uptick on port 2323 TCP beginning around 3 weeks ago.

This is the scanner portion of the Mirai botnet scanning for IoT devices on both 23/TCP and 2323/TCP.   There are a number of IoT devices that use port 2323/TCP as an alternate port for Telnet.  Those who have setup listeners on port 2323 are seeing brute force credential attacks utilizing a small dictionary.

The Mirai botnet iwas used to attempt to DDOS Brian Krebs website i and ifor the nearly 1 Tbps DDOS against OVH in late September

 

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords:
2 comment(s)
Diary Archives