Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1 AplusWebMaster (Adviser Team)

    Fake 'Secure email' SPAM, Fake 'Bank login' - Phish

    FYI...

    Fake 'Secure email' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/trick...ments-malspam/
    14 Nov 2017 - "An email with the subject of 'Secure email message' pretending to come from Lloyds Bank but actually coming from... look-alike or typo-squatting domains and email addresses <secure@ lloydsconfidential .com> or <secure@ lloydsbankdocs .com> or <secure@ lloydsbankconfidential .com> with a malicious word doc attachment is today's latest -spoof- of a well-known company, bank or public authority delivering Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...loyds-Bank.png

    Despite the instructions in the email to use the Authorisation code in the word doc, there is nowhere to enter it and it is not needed. The criminals are relying on you being fooled by this simple Social Engineering trick persuading you to enable Macros and content to infect you & steal your Money, Passwords and Bank details.
    They tell you "Note: Contents of this document are protected and secured. If you have problems viewing/loading secure content, please select 'Enable Content' button."
    Do -NOT- enable Macros or Content under any circumstances. That will infect you...

    Today's examples of the -spoofed- domains are, as usual, registered via Godaddy as registrar.
    lloydsconfidential .com hosted on and sending emails via 185.106.121.78 free.hostsailor .com AS60117 Host Sailor Ltd.
    lloydsbankconfidential .com hosted on and sending emails via 95.211.104.108 hosted-by.swiftslots .com AS60781 LeaseWeb Netherlands B.V.
    lloydsbankdocs .com hosted on and sending emails via 134.19.180.151 134191801511.onlinemarketmix .com AS49453 Global Layer B.V.

    doc1_46.doc - Current VirusTotal detections 3/59*. Payload Security**...
    This malware file downloads from http ://simplicitybystrasser .com/images/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to a .exe file. (VirusTotal 9/68***).
    An alternative download location is http ://lhelectrique .com/logo.png
    This email attachment contains a genuine word doc with a macro script that when run will infect you.

    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...oc1_46_doc.png

    DO NOT follow the advice they give to enable macros or enable editing to see the content..."
    * https://www.virustotal.com/en/file/d...is/1510661006/
    doc1_46.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    216.239.36.21
    23.235.209.96

    Contacted Hosts
    23.235.209.96
    216.239.36.21
    92.63.107.222
    91.211.247.94


    *** https://www.virustotal.com/en/file/4...e952/analysis/
    logo.png

    simplicitybystrasser .com: 23.235.209.96: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/f4...5de7/analysis/

    lhelectrique .com: 173.209.38.131: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/3a...7a81/analysis/
    ___

    Fake 'Bank login' - Phish...
    - https://myonlinesecurity.co.uk/fake-...ount-phishing/
    14 Nov 2017 - "... phishing attempts for Bank login details. This one is actually quite effective when you get to the site. As you can see from the screenshots, it is very easy to be fooled by the http ://www.halifax-online .co.uk.personal.logon.login.jsp at the start of the URL in the browser address bar (Highlighted in Yellow) where the real web address you are sent to is lifextension .ro (Highlighted in Green)...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...4_nov_2017.png

    ... If you follow the-link-inside-the-email you first get sent to
    https ://superjasa .com/wp-admin/js/widgets/x86x.php which immediately redirects you to
    http ://www.halifax-online .co.uk.personal.logon.login.jsp.1510638768542.lifextension .ro/RT28JASHHDAS02/Login.php?sslchannel=true&sessionid=WR3WM0KHcrFBC45ugtRa7iFomyQGXFz5fraRrou3vd4QceX3svWxy82f4JzNRFdeGOjHnwfj5iI0UJ2T

    where you see a webpage looking like this:
    > https://myonlinesecurity.co.uk/wp-co...ension.ro_.png

    ... Both sites involved in this phish are likely to be -compromised- sites, being used without the website owners' knowledge
    http ://lifextension .ro - 76.72.173.69: https://www.virustotal.com/en/ip-add...9/information/

    There is a message on the home page for lifextension .ro warning that the hosting agreement for this page has expired, but the hosts/resellers have only put that on the home page -not- on any subdomains so the phish stays active... the DCM software "company" is a webdesigner and hosting reseller, who aren't taking security of their clients' sites seriously enough. By the layout and design of their own website they must think of style over substance and mistakes and errors don't matter (various missing & broken links, including social media buttons going nowhere):
    - https://myonlinesecurity.co.uk/wp-co...tension_ro.png

    > https://www.virustotal.com/en/url/31...ca0b/analysis/

    Has a malware prompt on its home page, luckily the file is hosted-on-Dropbox & no longer available for download.

    superjasa .com: 202.52.146.30: https://www.virustotal.com/en/ip-add...0/information/

    Last edited by AplusWebMaster; 2017-11-14 at 16:12.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
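The Halifax phish above works because the browser shows a bank-looking run of labels while the registrable domain that actually owns the page is lifextension .ro. The following is an added example (not from the post or from myonlinesecurity.co.uk) showing how a gateway can recover the owning domain and flag the decoy brand; the public-suffix table and the protected-brand list are deliberately tiny stand-ins (assumptions), and a real tool should load the full Public Suffix List, e.g. via the tldextract package.

```python
"""Spot brand-name label stuffing in a phishing URL.

The decoy labels (www.halifax-online.co.uk.personal.logon.login.jsp...) sit in
front of the real registrable domain. Recovering eTLD+1 and then asking
"does a protected brand appear in the host without owning it?" catches this.
"""
from typing import Optional
from urllib.parse import urlsplit

# Deliberately minimal public-suffix table for this example only (assumption).
PUBLIC_SUFFIXES = {"com", "ro", "uk", "co.uk", "org"}

# Brand domains a mail/web gateway would protect (constructed list).
BRANDS = {"halifax-online.co.uk"}

# Landing URL from the post, defanging spaces removed and query string omitted.
PHISH_URL = ("http://www.halifax-online.co.uk.personal.logon.login.jsp"
             ".1510638768542.lifextension.ro/RT28JASHHDAS02/Login.php")

def hostname_of(url: str) -> str:
    """Lowercase host part of a URL, without path, query or trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def registrable_domain(host: str) -> str:
    """Owning domain (eTLD+1). Longer suffixes are tried first, so 'co.uk' beats 'uk'."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host

def brand_spoof(url: str, brands: set) -> Optional[str]:
    """Return the brand whose domain appears inside the host but does not own it.

    None means the host really belongs to a brand, or no brand name is present
    at all (so the compromised redirector superjasa.com is not flagged here).
    """
    host = hostname_of(url)
    if registrable_domain(host) in brands:
        return None
    dotted = f".{host}."
    for brand in sorted(brands):
        if f".{brand}." in dotted:  # brand must match whole labels, not substrings
            return brand
    return None

if __name__ == "__main__":
    print(registrable_domain(hostname_of(PHISH_URL)), brand_spoof(PHISH_URL, BRANDS))
```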

  2. #2 AplusWebMaster (Adviser Team)

    Fake 'account documents' SPAM

    FYI...

    Fake 'account documents' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/trick...-form-malspam/
    7 Dec 2017 - "... an email containing the subject of 'Your account documents' pretending to come from Companies House but actually coming from a look-alike or typo-squatted domain <no-reply@ companieshouseform .co.uk> with a malicious word doc attachment is today's latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ecure-form.png

    SecureForm84.doc - Current VirusTotal detections 3/60* | Hybrid Analysis**... This malware docx file downloads from http ://aperhu .com/ser0712.png which of course is -not- an image file but a renamed .exe file that gets renamed to Ejjmdejh9.exe (VirusTotal 8/68[3])...
    The alternative download location is http ://altarek .com/ser0712.png... Today's example of the spoofed domain is, as usual, registered via Godaddy as registrar using privacy protection services...
    companieshouseform .co.uk hosted on numerous servers and IP addresses and sending the emails via 185.207.204.218 | 185.23.215.76 | 89.39.106.208 | All of which are based in Netherlands...
    Malware detail:
    > https://myonlinesecurity.co.uk/wp-co...m_word_doc.png
    DO NOT follow the advice they give to enable macros or enable editing to see the content..."
    * https://www.virustotal.com/en/file/2...is/1512651253/
    SecureForm6.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    146.255.36.1
    143.95.252.46

    Contacted Hosts
    143.95.252.46
    146.255.36.1
    185.80.128.223
    82.146.47.221
    185.125.46.161


    [3] https://www.virustotal.com/en/file/b...is/1512647520/
    fbwnk.exe

    aperhu .com: 143.95.252.46: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/8a...01d0/analysis/

    altarek .com: 64.50.184.217: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/c1...50bb/analysis/

    Last edited by AplusWebMaster; 2017-12-07 at 15:34.
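Both Trickbot posts describe a second-stage payload served as 'logo.png' or 'ser0712.png' that is really a Windows executable. As an added example (not from the posts or from myonlinesecurity.co.uk), the check below is what a proxy, mail filter or sandbox can do instead of trusting the file name: sniff the file signature and compare it with the extension the URL advertises. The sample bytes are constructed for the example; only the URLs come from the posts.

```python
"""Catch 'image' downloads that are really Windows executables.

A renamed .exe keeps its MZ header and PE signature no matter what the URL
calls it, so content sniffing beats extension-based filtering here.
"""
import struct
from urllib.parse import urlsplit

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def sniff(data: bytes) -> str:
    """Classify content by signature, ignoring the name it was served under."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if is_pe(data):
        return "pe"
    return "unknown"

def extension_of(url: str) -> str:
    """Extension advertised by the URL path ('' when there is none)."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def mismatch(url: str, data: bytes) -> bool:
    """True when the URL claims an image but the body is a PE executable."""
    return extension_of(url) in IMAGE_EXTENSIONS and sniff(data) == "pe"

def fake_pe() -> bytes:
    """Constructed minimal MZ/PE header stub for the demo; not a runnable program."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)

if __name__ == "__main__":
    # URLs from the posts (defanging spaces removed), bodies constructed.
    for url, body in [("http://aperhu.com/ser0712.png", fake_pe()),
                      ("http://simplicitybystrasser.com/images/logo.png", PNG_MAGIC + b"\x00" * 16)]:
        print(url, sniff(body), "MISMATCH" if mismatch(url, body) else "ok")
```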
