This uncommon phishing scam, received this morning, starts with a typical email that at first glance could be genuine if you are a small company dealing with that sort of product. The attachment is a genuine PDF that pretends to be a secured online PDF, so all you can see is a blurred copy. When you follow the link in the PDF you go to a short URL redirection service http://ow.ly/2pti3062lcg and are redirected to http://yawaland.com/wp-content/toribo/bill/index.php where you see a website. Enter the required details and they eventually offer you a download of a quote for painting from an innocent Australian small business that they have obviously found elsewhere and are reusing.
This could very easily have been a much more effective phish if the scammers had taken a bit more care and used better or more believable emails and downloads. If they had matched properly, many people could have been fooled. The biggest danger in this sort of scam / attack is that the original PDF that a victim downloads can be set to download ANYTHING to the victim's computer. It can easily be used to deliver malware, Trojans, viruses and ransomware. This sort of scam / phishing attack works because a high proportion of victims don't bother to read the email properly and just skim through it, because they receive so many similar genuine ones. PDF files, unfortunately, are seen as innocent and harmless when they can be amongst the most dangerous formats that arrive as an email attachment. That is why I posted recently about the Ontario Police making a big mistake with their email attachment advice. This illustrates perfectly why they are so wrong.
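As an added example (not code from this post), here is a small Python triage script a defender could run over such an attachment before anyone opens it: it pulls the link targets out of the PDF, flags action keys that let a PDF run or fetch something on open, and reports when compression hides objects from a byte-level scan so a full parser is needed. The two sample PDFs are constructed here; the ow.ly URL is the one from this post.

```python
import re

# Constructed sample PDFs (not the attachment from this post): a minimal uncompressed file
# with only a link annotation to the short URL, and a copy with an auto-run JavaScript action.
LINK_ONLY_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://ow.ly/2pti3062lcg) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
AUTO_JS_PDF = LINK_ONLY_PDF.replace(
    b"/Pages 2 0 R >>",
    b"/Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>")

# Keys that let a PDF do more than display pages; any of them inside an "order" or
# "quote" attachment is a reason to block the file rather than open it.
ACTIVE_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia", b"/SubmitForm", b"/ImportData")
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

def extract_uris(pdf: bytes) -> list[str]:
    """Every link target written as a literal (...) string after /URI."""
    found = []
    for raw in URI_RE.findall(pdf):
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        found.append(raw.decode("latin-1"))
    return found

def active_content(pdf: bytes) -> list[str]:
    """Names of action/embedding keys present, in ACTIVE_KEYS order."""
    return [k.decode() for k in ACTIVE_KEYS
            if re.search(re.escape(k) + rb"(?![A-Za-z])", pdf)]

def has_compressed_objects(pdf: bytes) -> bool:
    """Object streams or Flate filters hide dictionaries from this byte-level scan,
    so a hit here means a real parser (pypdf, pdfminer) must finish the job."""
    return b"/ObjStm" in pdf or b"/FlateDecode" in pdf

def triage(pdf: bytes) -> dict:
    links, active = extract_uris(pdf), active_content(pdf)
    verdict = "block" if active else ("review" if links else "allow")
    return {"links": links, "active": active,
            "needs_full_parse": has_compressed_objects(pdf), "verdict": verdict}

if __name__ == "__main__":
    for name, doc in (("link only", LINK_ONLY_PDF), ("auto JS", AUTO_JS_PDF)):
        print(name, triage(doc))
```

A "review" verdict means the file is static but every link in it is an untrusted redirect; a "block" verdict means it executes something on open or click.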
The email looks like:
From: Woonha Jee <firstname.lastname@example.org>
Date: Fri 11/11/2016 04:14
Subject: RE: AUTO QUOTATION OFFER
Attachment: ORDER DETAILS.pdf
We got an urgent order from one of our customers but due to the urgency we
cannot complete the order now, so we would like you to take up the order
and we will serve as an agent but first give us your bottom price for the
attached sample of the order let us see if it is favorable to us.
Hope to hear from you soon.
Kabiru A.Adams.R.N,B.A. LHSM
Aryan Blue Calm Shipping Agency Co.
1007 Hallimont Road,
Baltimore, Mary 21228.
PDF looks like:
Downloaded fake Quote
I have created a short video showing this phishing scam in its entirety.
Video created using the Camtasia screen recording suite. I get a free NFR copy of this software from the manufacturer, who offers this benefit to Microsoft MVPs, and find it extremely useful for creating this sort of video.
This looks like a hacked / compromised WordPress website, or possibly one set up deliberately by the scammer to perform nefarious actions. It has been live for several months now. The registration details appear to be bogus, which is quite a common occurrence with domains registered via GoDaddy. http://whois.domaintools.com/yawaland.com
Domain Whois record
Queried whois.internic.net with “dom yawaland.com“…
Domain Name: YAWALAND.COM
Registrar: GODADDY.COM, LLC
Sponsoring Registrar IANA ID: 146
Whois Server: whois.godaddy.com
Referral URL: http://www.godaddy.com
Name Server: SEANS1.HOSTWINDSDNS.COM
Name Server: SEANS2.HOSTWINDSDNS.COM
Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Updated Date: 22-sep-2016
Creation Date: 26-jul-2016
Expiration Date: 26-jul-2017
>>> Last update of whois database: Fri, 11 Nov 2016 07:02:17 GMT <<<
For more information on Whois status codes, please visit https://icann.org/epp

Queried whois.godaddy.com with “yawaland.com“…
Domain Name: yawaland.com
Registry Domain ID: 2046374991_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2016-07-26T01:53:19Z
Creation Date: 2016-07-26T01:53:18Z
Registrar Registration Expiration Date: 2017-07-26T01:53:18Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: email@example.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Ikechukwu Stanley
Registrant Organization:
Registrant Street: 132 Uratta Road Aba
Registrant Street: 113 Uratta Road Aba
Registrant City: Aba
Registrant State/Province: Abia State
Registrant Postal Code: 000045
Registrant Country: NG
Registrant Phone: +234.8142791630
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: Smartcred71@gmail.com
The site itself offers what look like downloads of copyright films & music, so it should be treated with complete suspicion. I haven't looked at an actual download to determine whether they are genuine copies or have Trojans or viruses embedded in them, mainly because if this site is already on the radar of the authorities, I don't want to be accused of copyright infringement and downloading copyright films & music.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email or click the link in the email. Whether it is a message saying “look at this picture of me I took last night” that appears to come from a friend, or one more targeted at somebody who is likely to receive PDF attachments, Word .doc attachments or any other common file type every day, or whether it is a straightforward attempt, like this one, to steal your personal, bank, credit card, email or social networking login details: be very careful when unzipping them, make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.