Apple Security Measures phishing
There is quite a big spam run of Apple phishing emails today. The bad spelling and grammar should be enough to warn anybody that it is a fake.
The email looks like this:
From: Apple <online@online.shop>
Date: Thu 02/02/2017 15:30
Subject: Apple Security Measures
Body content:
The link in the email goes to http://www.interwurlitzer.com/mc.html, which redirects you to http://www.bdic.ca/mardei/Itunes/apple/, where you see the typical Apple phishing page.
Update 3 February 2017: now redirecting to http://beere.ca/morbid/Itunes/apple/
I personally have the word ‘informations’ in my bad spam words dictionary. The only legitimate emails I ever get with this word seem to be from French-speaking people. I’m guessing the perpetrators are North or West African or some other French-speaking country. I’m going to guess Tunisia, they seem proud of their hackers.
Funny thing about this campaign – we have thousands of users. We received 24 that were all rejected, then they just gave up. Almost like they weren’t in control of a botnet. Some of the message IDs are also bizarre –
Make up your mind! Are you Apple or PayPal? LOL
I sometimes go phishing for phishers. Phishers are sometimes lazy and leave things behind. If the URL is hxxp://www.bdic.ca/mardei/Itunes/apple/ I try hxxp://www.bdic.ca/mardei/Itunes, then hxxp://www.bdic.ca/mardei/, then hxxp://www.bdic.ca/mardei/Itunes/apple/appl.zip, hxxp://www.bdic.ca/mardei/Itunes/apple/apple.zip … etc.
Sometimes I find a zip file they have left behind. If they have, I look through their PHP source code and find the email address they are sending the results to, or the txt file they are submitting it to.
I do things with these email addresses and text files.
Beware phishers!
@NEntered got phish fails
interwurlitzer .com: 87.229.45.133: https://www.virustotal.com/en/ip-address/87.229.45.133/information/
> https://www.virustotal.com/en/url/b3f673a5be4a48fdae3c0c149a0a2bbd5313113a4908796f68a58a61051ac7f8/analysis/
bdic .ca: 67.212.91.221: https://www.virustotal.com/en/ip-address/67.212.91.221/information/
> https://www.virustotal.com/en/url/0b430f5f53a594afa4a2c1c5538c23dc12848e15caae36ac0ea093ef7b323e95/analysis/