A bit of a strange and very mixed-up phishing scam attempt to talk about this morning. At first glance it appears to be a perfectly normal fake / spoofed Dropbox phishing scam trying to steal your email log-in credentials, but the stupid phisher has pasted the raw HTML into the email body, so it displays as code instead of as a properly rendered email. They have also got broken, missing or no longer valid links, routed via Google open redirects (google.com/url?q=...), which Google still insists are not a security risk!
But if you follow the final link in the chain, https://securigence.dcwdhost.com/dropbox/wells/index.php, you will see the phishing page.
It looks like securigence.com is using dcwdhost.com to host its website, and a misconfiguration in the way the site is set up exposes serious vulnerabilities: the phishing page is being served from securigence.dcwdhost.com, a subdomain of the hosting company.
Remember that many email clients, especially on a mobile phone or tablet, only show the display name in the From: field and not the actual address in the <...@domain.com> part. That is why these scams and phishes work so well: here the name says "Drop Box" while the address behind it is something else entirely.
The email looks like:
From: Drop Box <firstname.lastname@example.org>
Date: Tue 10/10/2017 05:15
Subject: You have new documents
<p>Dear User,<br />
You have 6 incoming documents. <a data-saferedirecturl=”https://www.google.com/url?hl=en&q=http://whiterabbit[.]com[.]es/19191/19191/home/index.php&source=gmail&ust=1507655591807000&usg=AFQjCNG4pcgKF3cRIom_299sha-R5g_lJw” href=”https://securigence.dcwdhost.com/dropbox/wells/index.php” target=”_blank”>CLICK HERE</a> to view.<br />
Drop Box Team</p>
If you follow this link you see a webpage looking like this: https://securigence.dcwdhost.com/dropbox/wells/index.php
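As an added example (not code from the original post), here is a small Python triage script that pulls out the two things this email hides from a phone's mail client: the real sender address behind the "Drop Box" display name, and the real link targets, including the destination buried in the google.com/url?q=... wrapper that Gmail records in data-saferedirecturl. The message it parses is reconstructed from the headers and HTML shown above (the whiterabbit domain is left defanged with [.]); the dropbox.com domain it compares against is my assumption about which brand is being impersonated.

```python
"""Added example (not from the original post): pull the real sender address
and real link targets out of a Dropbox-themed phishing email, unwrapping
Google's google.com/url?q=... redirect wrapper on the way.
The sample message is reconstructed from the headers and HTML shown in the
post; the brand domain "dropbox.com" is an assumption about what is being
impersonated."""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample, copied from the post (domain left defanged with [.]).
SAMPLE_HEADERS = {"From": "Drop Box <firstname.lastname@example.org>"}
SAMPLE_BODY = (
    '<p>Dear User,<br />You have 6 incoming documents. '
    '<a data-saferedirecturl="https://www.google.com/url?hl=en&q=http://'
    'whiterabbit[.]com[.]es/19191/19191/home/index.php&source=gmail'
    '&ust=1507655591807000&usg=AFQjCNG4pcgKF3cRIom_299sha-R5g_lJw" '
    'href="https://securigence.dcwdhost.com/dropbox/wells/index.php" '
    'target="_blank">CLICK HERE</a> to view.<br />Drop Box Team</p>'
)


def sender_parts(from_header):
    """Split From: into (display name, address, domain).  A phone mail
    client shows only the first of these; the domain is what really sent it."""
    name, addr = parseaddr(from_header)
    return name, addr, addr.rpartition("@")[2].lower()


def unwrap_google_redirect(url):
    """Return the destination of a google.com/url?q=... wrapper, or the
    URL unchanged if it is not one."""
    p = urlparse(url)
    if p.netloc.lower() in ("www.google.com", "google.com") and p.path == "/url":
        q = parse_qs(p.query).get("q")
        if q:
            return q[0]
    return url


class _Anchors(HTMLParser):
    """Collect href and data-saferedirecturl from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self.links.append((a.get("href"), a.get("data-saferedirecturl")))


def extract_links(html_body):
    """For each <a>: the href a click follows, and the target Gmail cached
    in data-saferedirecturl (unwrapped), which may not be the same place."""
    parser = _Anchors()
    parser.feed(html_body)
    return [
        {"href": href, "cached_target": unwrap_google_redirect(sr) if sr else None}
        for href, sr in parser.links
    ]


def suspicious_indicators(headers, html_body, brand_domain):
    """Cheap triage checks: does the sender domain match the brand in the
    display name, do the links stay on the brand's domain, and does the
    href agree with the target Gmail recorded when it first scanned the mail?"""
    name, _addr, domain = sender_parts(headers["From"])
    findings = []
    if domain != brand_domain and not domain.endswith("." + brand_domain):
        findings.append(f"display name {name!r} but sender domain {domain!r}")
    for link in extract_links(html_body):
        host = urlparse(link["href"] or "").netloc.lower()
        if host != brand_domain and not host.endswith("." + brand_domain):
            findings.append(f"link host {host!r} is not {brand_domain}")
        if link["cached_target"] and link["cached_target"] != link["href"]:
            findings.append(
                f"href {link['href']!r} differs from cached target "
                f"{link['cached_target']!r}"
            )
    return findings


if __name__ == "__main__":
    for finding in suspicious_indicators(SAMPLE_HEADERS, SAMPLE_BODY, "dropbox.com"):
        print("!", finding)
```

Run against the sample it reports three findings: the sender domain is example.org rather than dropbox.com, the link host is securigence.dcwdhost.com, and the href no longer matches the whiterabbit[.]com[.]es target that Gmail cached when it first saw the message, which is exactly the mixed-up redirect chain described above. The href/data-saferedirecturl mismatch is worth checking on its own because it shows the link was swapped after the mail was scanned.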
This statement on their home page absolutely scares the life out of me. If their website is not secure, then how can they advise on and secure other vital systems, including (according to them) "we have been supporting the Department of Defense and other United States Civil agencies in Systems Engineering, Software Development, and Cyber Security."
I know they have no direct control over the way the host configures the website on their behalf, but when you advertise yourself as a security company specialising in Cyber Security, you need to do a few basic checks on your own set-up on a regular basis.
Then go further up to http://dcwdhost.com/, where we see a misconfiguration and open directory listings; the training directory contains a WMV movie file belonging to another site hosted by this web-hosting company.
The entire thing is actually hosted on GoDaddy and uses Cloudflare for DNS. Quite where the misconfiguration and security hole lies needs further investigation by GoDaddy security staff: whether there are vulnerabilities on the server generally, or whether the "hosting company" is so inefficient and clueless that it is not securing the server properly. Either way, there are glaring security holes here.
We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don't assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says "you have won a prize" or "sign up to this website for discounts, prizes and special offers".
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
All of these emails use social-engineering tricks to persuade you to open the attachments that come with the email or to follow a link. The lure might be a message saying "look at this picture of me I took last night" that appears to come from a friend, or something more targeted at somebody who is likely to receive PDF attachments, Word .doc attachments or any other common file type they use every day, or it might be a straightforward attempt, like this one, to steal your personal, bank, credit card, email or social-networking log-in details. Be very careful when unzipping attachments, make sure you have "show known file extensions" enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.