We see lots of phishing attempts for various credentials. This scam in Hebrew is a totally new one to me. As far as I can tell the Mobile phone company being spoofed Hot Mobile is an Israeli Mobile Phone company that has links to the Israeli defence Forces. All the info I am getting about this comes from Google translate or Wikipedia, so might not be 100% accurate. I don’t speak or read Hebrew at all, so am completely reliant on web translations.
Other countries also have regular phishing scams against their Mobile Phone or other telecoms networks or companies. I have just never seen an Israeli / Hebrew one before.
You can now submit suspicious sites, emails and files via our Submissions system
Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.
The email looks like:
From: Hot Mobile שירותי תמיכה <email@example.com>
(Translated) Support Services
Date: Sat 25/05/2019 04:55
Subject: אנו מבצעים סדרה של עדכונים לכל חשבונות המנויים, ואנו רוצים שמנויי HotMobile תעדכן את המידע האישי והפיננסי שלך, כך שהשירותים שלך לא ייסגרו או שחשבונך יוסר.
( translated) We make a series of updates to all subscriber accounts, and we want HotMobile subscribers to update your personal and financial information so that your services are not closed or your account is removed
שלום לקוחות יקרים,
ברצוננו ליידע אותך שאנו עורכים סדרה של עדכונים לכל חשבונות המנויים שלנו
אנו רוצים שמנויי HotMobile תעדכן את המידע האישי והפיננסי שלך, כך שהשירותים שלך לא ייסגרו או שחשבונך יוסר.
לחץ על הקישור “אנא עדכן את פרטי החשבון שלי” בהמשך
עשה זאת בהקדם האפשרי כדי שהחשבון שלך לא יוקפא
תודה על שיתוף הפעולה
עדכן את פרטי החשבון שלי
We’re writing to let you know that we’re making a series of updates to all of our subscriber accounts
We want HotMobile subscribers to update your personal and financial information so that your services are not closed or your account is removed.
Click the “Please update my account information” link below
Please do so as soon as possible so that your account will not be frozen
Thank you for your cooperation
Please update my account information
If you follow the link in the email you see a webpage looking like this: http://18.104.22.168/~digitalo/sabun/petek/paraben/in/freehot/in/alkhot/predo/pre/aree that adds session IDs to the visit.
After you input a phone number and an ID number you get forwarded to a payment details page ( I think) But because I don’t read or understand Hebrew I cannot fully fill in the details with acceptable information so pressing send after using fake details gives me an error page saying “Mailer Error: SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting”
We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.