Tag: URL Shorteners

Phishing with a COVID-19 Lure

It’s not uncommon to see criminals use disasters or current events to enhance their social engineering tactics, and the recent COVID-19 pandemic is no different. During a recent investigation, we received an email originating from 69.112.92.34 (x-originating-ip: [69.112.92.34]) with a [redacted]@[redacted].k12.ct.us email address and the following message body:

 

 
Due to the recent COVID-19 outbreak, IT Helpdesk is currently working on advance Staff portal in order to keep our staff/employee on task & organized schedules.
All Staff/Employee are required to update their Staff Portal.

To access the portal, Click on STAFF PORTAL for update.

Failure to update your Staff portal, you will be deleted from our database.

Sincerely,

IT Helpdesk

©2020 Microsoft outlook.

All rights reserved

The malicious user is employing the COVID-19 crisis to provide credibility as to why the impersonated IT Helpdesk would need the victim to update their personal information.

When clicked, the PORTAL link directs victims first to the URL shortener service bit.ly and then passed them along to the malicious phishing subdomain designmysite[.]pro:

COVID-19 Phishing Lure 

hxxps://bit[.]ly/2Qu0dMZ
⤋
hxxp://8li9c1sr9queececshfj5lulh.designmysite[.]pro

The subdomain 8li9c1sr9queececshfj5lulh.designmysite[.]pro was disabled before I could properly load it, however this is not the first phishing scam attempted by this domain. Continuing my research, I found another phishing page on a similar subdomain 6bsy904ldphremdrtt0pixql9.designmysite[.]pro:

As seen in the malicious COVID-19 phishing campaign, this particular phishing form is also disseminated through a bit.lyb> shortened URL. What’s more, there are multiple reports going all the way back to 2018 which show designmysite[.]pro spoofing or compromising existing educator email addresses:

When viewing the source of the phishing forms, it becomes clear that the email address spamingboxtool101@outlook.com is being used to collect the phished information submitted by victims: 

"widget":{},"uniqueId":"Ajj7NKp9ACuwjMj","parentUniqueId":"ffpV5Q4d2ksrav0"},"page-zones__main-widgets__responsivecolumns1-zones__5e654f40427e2-widgets__5e654f405b223":{"ref":"5921879","uniqueHTMLId":"page-zones__main-widgets__responsivecolumns1-zones__5e654f40427e2-widgets__5e654f405b223","name":"5e654f405b223","fixed":false,"libraryItemRef":"0","pageRef":"1910011","temporary":{},"changed":{},"type":"widget.advancedcontactform","data":{"email":"spamingboxtool101@outlook.com","text":"Send","formTitle":"box","fromEmailLabel":"Your email:","fromEmailPlaceholder":"Type your email","collectEmailAddress":"1","localClass":"widget-advancedcontactform-84336F","uniqueId":"c7Z6hf92oPJCEEC","formFields":[{"title":"Full Name","type":"singleline","options":[],"mandatory":1,"id":"c7acbb10-6177-11ea-96dc-65cdea8475cd","order":1}...

This recent investigation clearly demonstrates why it’s important to keep an eye out for phishing campaigns – as well as misinformation in general. Familiarize yourself with the steps you can take to recognize a phishing campaign and avoid becoming a victim.

Apr 6, 2020 by Luke Leal

Phishing and Malware via SMS Text Message

We’ve recently noticed an increase in reports of phishing and malware being distributed via SMS text messages.

During one investigation, we identified fake messages sent from a random number pretending to be Amazon. The message contents ask the victim to click on the link to confirm their shipping address.

Fake Amazon phishing text message

The URL bears no resemblance to Amazon and clearly doesn’t employ Amazon’s URL shortener (amzn.com). Unfortunately, we were unable to confirm exactly what the attackers were directing users to since hxxp://k8esv[.]info now returns a 404 (Not Found) response, but it's clear that it’s being used for phishing or malware.

In most phishing cases seen distributed via SMS, victims are taken to a fake page ― for example, one that looks like Amazon’s signup page ― and asked to login to access important order information or confirm a purchase.

To the untrained eye, these SMS phishing pages might appear to belong to the real Amazon website, but submitting login credentials typically results in a successful phish ― and an account compromise.

The suspicious domain is hosted on 47.240.4.254 which also appears to be hosting other similar domains:

suspicions phishing domains hosted on 47.240.4.254

The IP address belongs to Alibaba Cloud: 

Alibaba.com LLC AL-3 (NET-47-235-0-0-1) 47.235.0.0 - 47.246.255.255

ALICLOUD-HK ALICLOUD-HK (NET-47-240-0-0-1) 47.240.0.0 - 47.240.255.255

The domain was registered through namecheap.com and has WHOIS protection, so we can’t see who was responsible for registering hxxp://k8esv[.]info. What we can tell is that these other suspicious domains were also registered there, suggesting the same person was involved.

We’re finding many variations of SMS phishing campaigns, and not every text looks the same. Users should always exercise caution when receiving SMS from unknown numbers.

To mitigate risk, avoid clicking on any links inside text messages ― especially if they are coming from an unknown number and lead to suspicious URLs. If you receive an SMS message similar to this one, login directly to your Amazon account via the Amazon website and check if there are any issues or status updates that require your attention from the account dashboard.

We will continue investigating this campaign to see if we can get more details about the attack.

Mar 6, 2020 by Krasimir Konov