For a few days, I've been seeing a lot of phishing emails that try to steal credentials from victims. Nothing brand new, but this time the scenario is quite different: the malicious email contains an HTML body with nice logos and text pretending to be from a renowned company or service provider. It contains a link that opens a page showing a fake, blurred document with a popup login form on top of it. The victim is enticed to enter his/her credentials to read the document. I found samples for most of the well-known office document types. Here are some screenshots:

The login form's JavaScript validates the entered email address against a hard-coded list of TLDs (the `...` marks code omitted from the kit):

```javascript
function emailCheck(emailStr) {
    ...
    // Accept only a two-letter country-code TLD or one from this hard-coded list
    var checkTLD=1;
    var knownDomsPat=/^(com|net|org|edu|int|mil|gov|arpa|biz|aero|name|coop|info|pro|museum|ws)$/;
    ...
    // domArr holds the domain part of the address split on '.', built in the omitted code
    if (checkTLD && domArr[domArr.length-1].length!=2 && domArr[domArr.length-1].search(knownDomsPat)==-1) {
        alert(errmsg);
        return false;
    }
    ...
}
errmsg="Please enter a valid email address.";
```

The HTTP POST data and extra information are sent to the bad guys via a 'mailer.php' script. Sent data are:
Then an HTTP redirect is performed to a second page, "phone.html", which mimics a Google authentication page and asks for the user's phone number. Here again, the POST data are processed via "phone.php", which sends a second email with the victim's phone number. Emails are sent to two addresses (not disclosed here):
To conclude on a funny finding: there is a specific PHP script, 'imp.php', which creates a copy of the material in a new directory. The directory name is based on a random number converted to Base64 and then hashed. By calling this script in an automated way, it is possible to fill the web server file system with thousands of new directories:

From a technical point of view, it is a low-level attack, but I'm pretty sure it still works. Take care!

Xavier Mertens (@xme)
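As an added example (not part of the original diary or the kit), here is a small Python scanner that flags a captured landing page when it carries several of the kit artifacts described above: a form posting to mailer.php or phone.php, a reference to imp.php, the hard-coded TLD list, and the error string. The two HTML samples are constructed for the example.

```python
import re

# Indicators taken from the kit described above (script names, the TLD regex,
# the error string). Each pattern is matched independently against raw HTML.
KIT_INDICATORS = {
    "mailer_post": re.compile(r"""action\s*=\s*["']?[^"'>\s]*mailer\.php""", re.I),
    "phone_post": re.compile(r"""action\s*=\s*["']?[^"'>\s]*phone\.php""", re.I),
    "imp_script": re.compile(r"imp\.php", re.I),
    "tld_regex": re.compile(
        r"com\|net\|org\|edu\|int\|mil\|gov\|arpa\|biz\|aero\|name\|coop\|info\|pro\|museum\|ws"),
    "error_msg": re.compile(r"Please enter a valid email address\.", re.I),
}

def scan_page(html: str) -> list:
    """Return the names of the kit indicators found in a captured HTML page."""
    return [name for name, pat in KIT_INDICATORS.items() if pat.search(html)]

def is_suspect(html: str, threshold: int = 2) -> bool:
    """Flag a page only when at least `threshold` indicators match, so a single
    generic string such as the error message does not trigger on its own."""
    return len(scan_page(html)) >= threshold

# Constructed sample: a landing page built like the kit (blurred document, login popup).
SAMPLE_PHISH = """
<html><body>
<div class="blurred"><img src="document.png"></div>
<form method="POST" action="mailer.php" onsubmit="return emailCheck(this.email.value)">
  <input name="email"><input name="password" type="password">
</form>
<script>
var knownDomsPat=/^(com|net|org|edu|int|mil|gov|arpa|biz|aero|name|coop|info|pro|museum|ws)$/;
errmsg="Please enter a valid email address.";
</script>
</body></html>
"""

# Constructed sample: an ordinary login page that only shares the generic error string.
SAMPLE_BENIGN = """
<html><body>
<form method="POST" action="/login"><input name="email"><input type="password" name="pw"></form>
<script>var errmsg = "Please enter a valid email address.";</script>
</body></html>
"""

if __name__ == "__main__":
    print(scan_page(SAMPLE_PHISH))    # ['mailer_post', 'tld_regex', 'error_msg']
    print(is_suspect(SAMPLE_BENIGN))  # False
```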
Xme, ISC Handler, Jul 5th 2016