Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  #34  AplusWebMaster (Adviser Team)

    Fake 'Important matter' SPAM, 'Message from IT' - Phish

    FYI...

    Fake 'Important matter' SPAM - delivers unknown malware
    - https://myonlinesecurity.co.uk/distu...known-malware/
    28 Mar 2017 - "This email was forwarded to me by a contact who works for a public service agency. I have redacted the actual recipient's domain and any email address. There is a 'Charmaine' [redacted] living at the address listed according to Google searches. I am sure that there will be a lot of other emails with other real details that will really scare the recipients into opening these emails and being infected. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain .com>. That is why these scams and phishes work so well... The email looks like:
    From: Antony Gfroerer <antongfoufou@ wanadoo .fr>
    Date: Tue, 28 Mar 2017 09:37:38 +0000
    To: Charmaine [redacted] <c*********@ [redacted]>
    Subject: Charmaine
    Attachment: victim.dot (renamed from recipient's name)
    Hello, Charmaine!
    I am disturbing you for a very important matter. Though we are not familiar, but I have considerable ammount of information concerning you. The matter is that, most probably mistakenly, the data of your account has been sent to me.
    For example, your address is:
    5 [redacted] Lane
    Perth
    Perthshire and Kinross
    PH2 [redacted]
    I am a lawful citizen, so I decided to personal details may have been hacked. I pinned the file – victim.dot that that was emailed to me, that you could find out what information has become accessible for fraudsters. File password is – 2131
    I look forward to hearing from you,
    Antony Gfroerer ...


    victim.dot - Current Virus total detections 0/55*. Payload Security** is unable to analyse as an unsupported format. MALWR*** shows nothing... I am informed that they download:
    galaxytown .net/store/read.gif -and- effeelle .eu/img/logo.gif which appear to be genuine gif files from the headers, although they refuse to display as any sort of image file and must contain some sort of embedded -malware- content... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1490695414/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    62.149.140.45: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/fa...3c34/analysis/

    *** https://malwr.com/analysis/NDQ3MDg1O...lhNWUyNDViYjQ/

    galaxytown .net: 67.225.216.115: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/7b...8912/analysis/
    ___

    'Message from IT' - Phish
    - https://myonlinesecurity.co.uk/impor...-365-phishing/
    28 Mar 2017 - "... slightly different than many others and much more involved and complicated. It pretends to be a message from IT support to update webmail to use Office 365 / Outlook web access...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...-IT-Sector.png

    This email has a genuine PDF attachment:
    > https://myonlinesecurity.co.uk/wp-co...65_upgrade.png
    If you follow the link inside the pdf you see a webpage looking like this:
    [ http ://radioclassicafm .com.br/lr/barracuda/barracuda/index.html ]
    >> https://myonlinesecurity.co.uk/wp-co...da_signin1.png
    After you input your email address and password, you get told -incorrect- details and -forwarded- to an almost identical looking page where you can put it in again:
    >> https://myonlinesecurity.co.uk/wp-co...cuda_login.png
    Then you get sent to an imitation of the Google Verification page where they ask for either your phone number or alternative email address...
    >> https://myonlinesecurity.co.uk/wp-co...gle_verify.png
    Then you get a 'success' page... All of these emails use Social engineering tricks to persuade you to open the -attachments- that come with the email..."

    radioclassicafm .com.br: 216.172.173.156: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/2f...bdc8/analysis/

    Last edited by AplusWebMaster; 2017-03-28 at 17:46.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
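The post notes that the two fetched .gif files look genuine from their headers yet never display as images. The following is an added example (not code from this post or from myonlinesecurity.co.uk) that walks the block structure of a file claiming to be a GIF, so a defender can tell a real image from a GIF signature glued onto other data, and can see how many bytes hide after the trailer where no viewer reads; the sample byte strings are constructed.

```python
import struct

# Constructed 1x1 GIF89a: signature, logical screen descriptor, image
# descriptor, LZW min code size, one data sub-block, terminator, trailer.
GOOD = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0)
        + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
        + b"\x02\x02\x44\x01\x00\x3b")
APPENDED = GOOD + b"MZ" + bytes(64)      # real image used as a carrier
FAKE = GOOD[:13] + b"\x00payload bytes"   # GIF header glued onto other data


def _skip_sub_blocks(data, pos):
    # Data sub-blocks: length byte + payload; the chain ends with a 0x00 byte.
    size = data[pos]
    while size:
        pos += 1 + size
        size = data[pos]
    return pos + 1


def inspect_gif(data):
    """Walk the GIF block structure: reports whether it is well-formed, why not,
    the frame count, and how many bytes follow the 0x3B trailer."""
    res = {"valid": False, "reason": "", "frames": 0, "trailing_bytes": 0}
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        res["reason"] = "no GIF87a/GIF89a signature"
        return res
    try:
        packed = data[10]  # logical screen descriptor flags byte
        pos = 13 + (3 << ((packed & 7) + 1) if packed & 0x80 else 0)
        while True:
            block, pos = data[pos], pos + 1
            if block == 0x3B:  # trailer: a viewer stops reading here
                res.update(valid=True, reason="well-formed",
                           trailing_bytes=len(data) - pos)
                return res
            if block == 0x2C:  # image descriptor, optional local colour table
                ipacked = data[pos + 8]
                pos += 10 + (3 << ((ipacked & 7) + 1) if ipacked & 0x80 else 0)
                res["frames"] += 1
            elif block == 0x21:  # extension: one label byte, then sub-blocks
                pos += 1
            else:
                res["reason"] = "unexpected block 0x%02x at offset %d" % (block, pos - 1)
                return res
            pos = _skip_sub_blocks(data, pos)
    except IndexError:
        res["reason"] = "truncated before the trailer"
        return res
```

A file that fails the walk, or carries a large blob after the trailer, is worth treating as a download container rather than an image.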
