Phishing Archives - Sucuri Labs

Phishing with a COVID-19 Lure

It’s not uncommon to see criminals use disasters or current events to enhance their social engineering tactics, and the recent COVID-19 pandemic is no different. During a recent investigation, we received an email originating from 69.112.92.34 (x-originating-ip: [69.112.92.34]) with a [redacted]@[redacted].k12.ct.us email address and the following message body:

 
Due to the recent COVID-19 outbreak, IT Helpdesk is currently working on advance Staff portal in order to keep our staff/employee on task & organized schedules.
All Staff/Employee are required to update their Staff Portal.

To access the portal, Click on STAFF PORTAL for update.

Failure to update your Staff portal, you will be deleted from our database.

Sincerely,

IT Helpdesk

©2020 Microsoft outlook.

All rights reserved

The malicious user is employing the COVID-19 crisis to provide credibility as to why the impersonated IT Helpdesk would need the victim to update their personal information.

When clicked, the PORTAL link directs victims first to the URL shortener service bit.ly and then passed them along to the malicious phishing subdomain designmysite[.]pro:

hxxps://bit[.]ly/2Qu0dMZ
⤋
hxxp://8li9c1sr9queececshfj5lulh.designmysite[.]pro

The subdomain 8li9c1sr9queececshfj5lulh.designmysite[.]pro was disabled before I could properly load it, however this is not the first phishing scam attempted by this domain. Continuing my research, I found another phishing page on a similar subdomain 6bsy904ldphremdrtt0pixql9.designmysite[.]pro:

As seen in the malicious COVID-19 phishing campaign, this particular phishing form is also disseminated through a bit.lyb> shortened URL. What’s more, there are multiple reports going all the way back to 2018 which show designmysite[.]pro spoofing or compromising existing educator email addresses:

When viewing the source of the phishing forms, it becomes clear that the email address spamingboxtool101@outlook.com is being used to collect the phished information submitted by victims:

"widget":{},"uniqueId":"Ajj7NKp9ACuwjMj","parentUniqueId":"ffpV5Q4d2ksrav0"},"page-zones__main-widgets__responsivecolumns1-zones__5e654f40427e2-widgets__5e654f405b223":{"ref":"5921879","uniqueHTMLId":"page-zones__main-widgets__responsivecolumns1-zones__5e654f40427e2-widgets__5e654f405b223","name":"5e654f405b223","fixed":false,"libraryItemRef":"0","pageRef":"1910011","temporary":{},"changed":{},"type":"widget.advancedcontactform","data":{"email":"spamingboxtool101@outlook.com","text":"Send","formTitle":"box","fromEmailLabel":"Your email:","fromEmailPlaceholder":"Type your email","collectEmailAddress":"1","localClass":"widget-advancedcontactform-84336F","uniqueId":"c7Z6hf92oPJCEEC","formFields":[{"title":"Full Name","type":"singleline","options":[],"mandatory":1,"id":"c7acbb10-6177-11ea-96dc-65cdea8475cd","order":1}...

This recent investigation clearly demonstrates why it’s important to keep an eye out for phishing campaigns – as well as misinformation in general. Familiarize yourself with the steps you can take to recognize a phishing campaign and avoid becoming a victim.

Apr 6, 2020 by Luke Leal

Phishing and Malware via SMS Text Message

We’ve recently noticed an increase in reports of phishing and malware being distributed via SMS text messages.

During one investigation, we identified fake messages sent from a random number pretending to be Amazon. The message contents ask the victim to click on the link to confirm their shipping address.

The URL bears no resemblance to Amazon and clearly doesn’t employ Amazon’s URL shortener (amzn.com). Unfortunately, we were unable to confirm exactly what the attackers were directing users to since hxxp://k8esv[.]info now returns a 404 (Not Found) response, but it's clear that it’s being used for phishing or malware.

In most phishing cases seen distributed via SMS, victims are taken to a fake page ― for example, one that looks like Amazon’s signup page ― and asked to login to access important order information or confirm a purchase.

To the untrained eye, these SMS phishing pages might appear to belong to the real Amazon website, but submitting login credentials typically results in a successful phish ― and an account compromise.

The suspicious domain is hosted on 47.240.4.254 which also appears to be hosting other similar domains:

The IP address belongs to Alibaba Cloud:

Alibaba.com LLC AL-3 (NET-47-235-0-0-1) 47.235.0.0 - 47.246.255.255

ALICLOUD-HK ALICLOUD-HK (NET-47-240-0-0-1) 47.240.0.0 - 47.240.255.255

The domain was registered through namecheap.com and has WHOIS protection, so we can’t see who was responsible for registering hxxp://k8esv[.]info. What we can tell is that these other suspicious domains were also registered there, suggesting the same person was involved.

We’re finding many variations of SMS phishing campaigns, and not every text looks the same. Users should always exercise caution when receiving SMS from unknown numbers.

To mitigate risk, avoid clicking on any links inside text messages ― especially if they are coming from an unknown number and lead to suspicious URLs. If you receive an SMS message similar to this one, login directly to your Amazon account via the Amazon website and check if there are any issues or status updates that require your attention from the account dashboard.

We will continue investigating this campaign to see if we can get more details about the attack.

Mar 6, 2020 by Krasimir Konov

Skimmers and Phishing

Recently, we shared a post about a network of domains used in a JavaScript credit card stealing malware campaign. These domains are all hosted on the same server with the IP 8.208.15.67.

In addition to the domains used by the skimmers, the server also had two sites whose domains were clearly created for phishing two Canadian banks:

rbcroyalbank[.]com.ng - Real address of the Royal Bank of Canada is rbcroyalbank.com

www1-bmo[.]com.co - Online banking for the Bank of Montreal is www1.bmo.com.

Given that the goal of malware on e-commerce sites and bank phishing is to obtain payment details and steal money, it’s quite natural to see the same bad actors participating in both types of attacks.

Moreover, as Group IB wrote in April about the previous wave of these JS skimmers, this campaign is known for using fake Magento login pages on domains mimicking the domain names of the online stores they tried to compromise. So phishing and credit card skimmers complement each other very well.

Unlike other domains, where registrant details were hidden by privacy protection services, the rbcroyalbank[.]com.ng domain had public WHOIS information.

Creation Date: 2019-06-10
...
Registrant ID: 1319589-NIRA
Registrant Name: Julio Jaime
Registrant Organization: Media Lend, LLC
Registrant Email: medialand.regru@gmail.com

Most likely, this information is [mostly] fake—but it was enough to find another batch of phishing domains.

Fake Data:
While the data says the address is in Indiana, the zip code and city provided are in New Jersey.

The email “medialand.regru@gmail.com” suggests a connection to a Russian domain name registrar reg.ru. Most likely, it’s a dedicated email address used specifically for registering new domain names.

We used DomainBigData to search if anything else was associated with that medialand.regru account and found a whole bunch of other [mostly] phishing domains registered in 2019.
Here are just some of them:

Facebook
facebook-bay[.]com  2019-03-29  reg.com
facebook-s3[.]com   2019-04-04  reg.com
facebook-s2[.]com   2019-04-04  reg.com
facebook-s1[.]com   2019-04-04  reg.com
facebook-listings[.]com 2019-03-30  reg.com
facebook-listing[.]com  2019-03-30  reg.com
facebook-itm[.]com  2019-03-30  reg.com
facebook-state[.]com    2019-03-29  reg.com
facebook-restore[.]com  2019-03-23  reg.com
restore-facebook[.]com  2019-03-23  reg.com
facebook-area[.]com     2019-03-17  reg.com
facebook-ss[.]com   2019-03-29  reg.com
recover-facebook[.]com  2019-03-23  reg.com
facebook-st[.]com   2019-03-29  reg.com
facebook-secure[.]com   2019-03-23  reg.com
static-facebook[.]com   2019-03-23  reg.com
facebook-us[.]com   2019-03-28  reg.com
facebook-s6[.]com   2019-04-20  reg.com
facebook-s5[.]com   2019-04-20  reg.com
facebook-s4[.]com   2019-04-20  reg.com

MyEtherWallet
myetherevvalliet[.]com  2019-07-21  reg.com
Bank phishing
carrefourbanque-compte[.]com    2019-06-18  reg.com
www-1royalbank[.]com    2019-05-29  reg.com
clickwebsite-rbc[.]com  2019-05-22  reg.com
tangerine-en[.]com  2019-05-07  reg.com
meine-db-account-i73983479[.]com    2019-04-08  reg.com
acc7201-statement-online[.]com  2019-04-01  reg.com
postecartaonline[.]com  2019-03-26  reg.com
client-sofinco[.]net    2019-03-01  reg.com
olb-secure[.]com    2019-02-20  reg.com
mabanquepro-bnpparibas[.]com    2019-03-17  reg.com
bmo-onlinebanking[.]com     2019-05-08  reg.com
secure-banking-updt[.]com   2019-02-22  reg.com
com-cgi-bin-3t5ufkygkl56-www-desjardins[.]com   2019-04-25  reg.com

PayPal
limited-services-paypal[.]com   2019-05-20  reg.com
restricted-users-paypai[.]com   2019-06-28  reg.com

Mobile carriers 
my3-bill[.]com  2019-04-18  reg.com
three-mybilling[.]com   2019-03-28  reg.com
threebilling[.]com  2019-03-08  reg.com
myvodafone-billing[.]com    2019-03-12  reg.com
account-billing[.]com   2019-03-15  reg.com

Apple
apple-appield[.]com     2019-04-23  reg.com
apple-restore[.]com     2019-03-28  reg.com

Many of these domains have already been detected as phishing by various security companies:

https://www.virustotal.com/gui/url/fb934dd5d574344759251678dd3c3b183f83fbe1cfb652201b155ee5c69a5476/detection

Aug 14, 2019 by Denis Sinegubko

Hydro-Quebec phishing

We have found an interesting phishing kit containing numerous phishing pages which target large, popular brands like Amazon and Paypal. What was interesting about this kit was that it also included a phishing page that was more unusual: Hydro-Québec.

**./administrator/help/rembouresement/hydroquebec/Hydro/quebec/Login.html**

Hydro-Québec is a public utility company that primarily sells to customers within Québec, Canada. As the overall population of Québec, Canada is about 8.4 million people, this limits the number of possible victims when comparing it to a larger userbase of a national or international businesses with hundreds of millions of users.

WombatSecurity’s phishing statistics show an average click rate of just 9% for the average phishing email, which demonstrates why large userbases are considerably more attractive to malicious users. Nevertheless, Hydro-Québec recently sent a notice to its customers to be on the lookout for suspicious emails.

This particular phishing campaign is being sent to customers and promises a refund of over $100 USD - under the condition that the victim provides their personal and payment information. This private information is then sent to a PHP mail script that sends the stolen data to an email address specified by the malicious user.

This phishing kits exfiltrates the stolen data through a PHP mail script and uses three separate PHP scripts that send the field data from their respective phishing page.

The phishing page responsible for requesting the credit card data was using the following script:

I was also surprised to see that the creator of the phishing page was brazen enough to blatantly ask for the credit limit of the payment card, which is highly unusual and not asked by merchants:

phishing site requesting credit card information

Aug 7, 2019 by Luke Leal

EE wireless provider phishing malware

A large number of phishing targets include popular services such as banks, payment providers, and email services.

In this type of attack, fraudsters create fake pages that appear to be legitimate content, but instead trick victims into disclosing sensitive information such as email accounts, logins, and passwords. This information is then collected and sent to them via email, or saved on a file in a compromised environment. The stolen information can be used to make fraudulent purchases, money transfers, sold on the darknet for profit, or other kinds of illegal activities.

During a recent remediation response, we found a phishing campaign that was targeting a very specific service — the popular UK wireless phone, broadband, and landline provider “EE”.

The malware itself is not very complex. It shows victims a copy of the original “EE” login page, which has been designed to trick users into entering their account information. Just like the majority of other phishing scams, the user is prompted to login in order to proceed.

Any submitted credentials are then emailed to the bad actor and are (likely) used to access their account.

An interesting aspect of this particular campaign is that the malicious script appears to be only targeting mobile users. It also records the user’s IP from whenever the page is accessed.
Here is a small snippet:

$useragent = $_SERVER['HTTP_USER_AGENT'];

if(preg_match('/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i',$useragent)||preg_match('/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i',substr($useragent,0,4)))  {

$_SESSION['mobile'] = true;

}

if(isset($_SESSION['mobile'])) {

   $mobile = true;

}

$v_ip = $_SERVER['REMOTE_ADDR'];
$hash = md5($v_ip);

The beginning of the form collects the login details and includes the hashed IP of the user:

<form name="userInformationForm" id="userInformationForm" 
method="POST" autocomplete="off" 
class="capture_form capture_userInformationForm" 
accept-charset="UTF-8" action="details.php?&sessionid=<?php echo $hash; ?>&securessl=true" 
onsubmit="return empty()">

The rest of the page is an exact copy of the login page found on the original site, but a few changes have been to the form responsible for submitting the login credentials — they are sent to another file and emailed to the attacker.

It's not entirely clear what are the objectives behind this phishing attempt are. Our first assumption was that bad actors were remotely accessing the SMS messages to capture a 2FA code sent from other services, however a quick investigated revealed that EE doesn't provide this service.

The second guess was that attackers are using the stolen credentials to change EE’s DNS servers on broadband routers to redirect customers to other phishing pages, however it doesn't seem to be possible.

If you use this provider and have some clues for us, please reach our team at labs[at]sucuri[dot]net.

Aug 1, 2019 by Krasimir Konov

Using Google and Facebook to aid on distribution

Every now and then I check my spam mail box for interesting malware (yes, I receive a lot of phishing messages and alerts that my payments are overdue), but most of the time is more of the same, effortless malware, lousy written messages and not fun to analyze.

Today I was bored (that time of the year that you need to write tons of reports, sorry boss…) and I decided to follow the trail of some of those links on the messages I got. And the first one was a "pleasant" surprise.

Usually I'd go with checking the message origin and writing about how it was sent and what was used to get control of the site, but this time I'll write about other aspect. (If you are wondering, it is a WordPress site with a vulnerable revslider on the site's theme that allowed the attacker to have privileged access to the site).

For those not fluent in Brazilian Portuguese, this message is telling that I have a payment overdue and a new "boleto" (a common barcode payment method in Brazil) is attached. The interesting part is that they are referring to me by my personal email alias and not the full name, however they got my CPF (Brazil's Social Security Number) correct, probably it's is related to some leaked data (not that uncommon here).

Everything on this message is clickable and all them will send you to the same Google shortened URL. Which translates to the Facebook's fbsbx.com domain, which is used by Facebook as the domain where the attachments shared on chats and groups are stored.

It is pretty interesting that they are relying on such services to "host" their files instead of using another hacked site to store the malware. I monitored this file and although the link was set to expire on Fri, 22 Dec 2017 16:15:47 GMT, it was taken down less than 24h after I receive the email scam, probably by a Facebook malware scan process.

Dec 11, 2017 by Fioravante Souza

Protecting Phishing Pages via .htaccess

Phishers usually want to protect their pages from being detected by search engines and security companies. To achieve that, they add .htaccess files that deny access to their phishing directories from known IP addresses and networks. Depending on the scenario, if they are targeting a specific type of service (online banking for instance) attackers may allow only a set of visitors from a specific country to see that phishing page.

Though attacker’s skillset may vary, some will just try to customize third-party scripts they find online and it’s not uncommon when they do it poorly. For example, one phishing campaign uses a bot blocking .htaccess file that can be easily found on the Internet. It really protects sites from unwanted bots, but has very little to do with search engines, security companies, and geographic regions (although it blocks some of them) - it just saves bandwidth.

deny from 216.163.255.1 # rpa.metlife.com bored employees
deny from 67.127.164.125 # DSL bandwidth waster
deny from 193.253.199. # france SE art-online.com bandwidth waster
deny from 80.179.254. # clown from Israel using downloader
deny from 64.37.103. # spambots and other non customers
deny from 69.61.12.100 # spambot from servershost.net

Along with the .htaccess file, there may be other files within the phishing structure, such as:

Image directories (img/images) - These directories may contain logo, header/footer images & others related to phishing (Paypal, Banks, etc.).

Jul 11, 2017 by Yuliyan Tsvetkov