Just a quick one to remind everybody that Petya or NotPetya, or whatever it turns out to be called, which is running riot throughout Europe and other parts of the world, encrypting computers seemingly without any method of stopping it at the moment, isn’t the only malware around. Users are still affected by the “normal” everyday malware, scams and social engineering tricks that come with every email or text from the bad guys.
This was forwarded to me by a contact. This pretends to be a text notification of an Interac transfer from the Canadian Revenue Agency.
The link in the text goes to http://bit.do/dxvrC, which redirects you to http://etransfer.interac-mobile.com.pujaachauhan.com/CAn6ty34u.htm, where you have multiple phishing pages via different links for the most common banks in use in Canada.
This must have been a really aggressive campaign with a lot of response from prospective victims. The web page shows this message, so either the phisher had a very low web allowance or there were so many visitors that it exceeded the normal allowance.
However, the bit.do short link URL has been disabled for violation of terms and conditions. I almost laughed seeing the message “we do not allow malicious links”, when they have malicious links themselves on the error pages.
If you mistype or enter the wrong 5 character link, you get a 404 page of sorts where they pretend you need to update your mobile plugin for that service. It looks like Bit.do are so scummy and lacking in morals that they are pushing fake, dangerous software for the money they receive via affiliate schemes if a redirect site is not found or is wrongly typed.
Do not use Bit.do as a short URL site. It is just too dangerous.
If you press cancel, you get the bit.do page in all its glory with links enabled, where selecting any link takes you to either the flash player update or a fake Java Update site, seemingly at random.
If you press OK, you get sent directly to http://www.theappinstallgo9.com/v7re/index.html?dp=fmgnj5952bf8c6bf07131563934&brw=ie&ssg=&p=1 and get a fake flash player update.
The other download site for the fake Java is http://j.hgguxtzchuddy.download/271344/1202/cyqsxo/a7slkj
As usual, all we can say is be careful and watch what you click.
Both downloads appear to be versions of InstallCore or DealPly adware cr@p.
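As an added example (not part of the original post), here is a defender-side check for the hostname trick used by the phishing link above, where brand-looking labels sit in front of an unrelated registrable domain. The TLD set, the brand watch-list and the two-label registrable-domain rule are assumptions made for this illustration; a production check would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a small hard-coded set stands in for the Public Suffix List.
COMMON_TLDS = {"com", "net", "org", "ca"}
# Assumption: hypothetical brand watch-list chosen for this illustration.
BRAND_WORDS = {"interac", "etransfer"}

# URLs quoted in the post above (query string of the third one omitted).
PAGE_URLS = [
    "http://bit.do/dxvrC",
    "http://etransfer.interac-mobile.com.pujaachauhan.com/CAn6ty34u.htm",
    "http://www.theappinstallgo9.com/v7re/index.html",
    "http://j.hgguxtzchuddy.download/271344/1202/cyqsxo/a7slkj",
]

def analyse_host(url):
    """Return the host, its naive registrable domain and any warning reasons."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Naive registrable domain: the last two labels (wrong for e.g. co.uk).
    registrable = ".".join(labels[-2:])
    sub_labels = labels[:-2]
    reasons = []
    # A TLD-like label inside the subdomain part makes the left-hand side
    # of the hostname read like a complete, different domain.
    embedded = [l for l in sub_labels if l in COMMON_TLDS]
    if embedded:
        reasons.append("embedded-tld:" + ",".join(embedded))
    # Brand words in the subdomain while the registrable domain has none.
    brands = sorted(w for w in BRAND_WORDS if any(w in l for l in sub_labels))
    if brands and not any(w in registrable for w in BRAND_WORDS):
        reasons.append("brand-in-subdomain:" + ",".join(brands))
    return {"host": host, "registrable": registrable, "reasons": reasons}

def flagged(urls):
    """Keep only the results that carry at least one warning reason."""
    return [r for r in map(analyse_host, urls) if r["reasons"]]

if __name__ == "__main__":
    for result in flagged(PAGE_URLS):
        print(result["host"], "->", result["registrable"], result["reasons"])
```

Only the phishing host is flagged. The short link and the two download hosts do not use this hostname trick, so this particular check does not catch them.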