Just a very quick post about a phishing scam this morning. This is only noteworthy because the phishing takes place on a compromised website belonging to a small Brazilian ISP. https://www.agilinker.com.br/
The email pretends to be a fax message from your own domain, so the ones I received pretended to come from faxINchine@myonlinesecurity.co.uk. I received lots of these all addressed to various different email addresses on the myonlinesecurity.co.uk domain.
You can now submit suspicious sites, emails and files via our Submissions system
Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.
The email looks like:
From:Fax message <faxINchine@myonlinesecurity.co.uk>
Date:Fri 17/05/2019 07:43
Subject: Fax message from +17174451**** – 6 page(s)
Attachment: Fax Message.html
You have a new fax! Click the attachment to view.
Fax Details Date Received: 2019-05-10 8:05:46 PDT
Type: Attached in pdf
Number of Pages: 4
Reference #: fxi8083216-908876
Sign in using your email@example.com and password to view fax.
The Fax Team
This email has an HTML attachment that when clicked on sends you to “http://firstname.lastname@example.org”
The content of the attachment is a simple html meta refresh
<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN”
<meta http-equiv=”Content-Type” content=”text/html; charset=iso-8859-1″ />
After you input your email address and password, you get told incorrect details and forwarded to an almost identical looking page where you can put it in again.
Then you get forwarded to the home page of the domain in the email address
Now as I mentioned earlier this phishing scam takes place on the compromised website of a small local ISP in Brazil. There is an open directory listing on the site. If you try to visit the phish folder without the ?x=x you get diverted to the google home page. As you also do if using the “wrong” IP address.
I wonder what else is compromised on that ISP and whether any customer information is leaking to the scammers or whether they can gain access to customer services & accounts and either change or remove services. Hopefully it is just the compromised website, which is obviously running on WordPress, probably using an out of date version or vulnerable theme. This website is using what looks like shared hosting on Dreamhost in USA
Domain Whois record
Queried whois.nic.br with “agilinker.com.br“…
domain: agilinker.com.br owner: Eudis Rodrigues Boarato owner-c: ROASO75 admin-c: ROASO75 tech-c: ROASO75 billing-c: ROASO75 nserver: ns1.dreamhost.com nsstat: 20190517 AA nslastaa: 20190517 nserver: ns2.dreamhost.com nsstat: 20190517 AA nslastaa: 20190517 saci: yes created: 20180313 #18129128 changed: 20180330 expires: 20200313 status: published nic-hdl-br: ROASO75 person: Robson A. de Souza created: 20100114 changed: 20160418 % Security and mail abuse issues should also be addressed to % cert.br, http://www.cert.br/ , respectivelly to email@example.com % and firstname.lastname@example.org % % whois.registro.br accepts only direct match queries. Types % of queries are: domain (.br), registrant (tax ID), ticket, % provider, contact handle (ID), CIDR block, IP and ASN.
Network Whois record
Queried whois.arin.net with “n 126.96.36.199“…
NetRange: 188.8.131.52 - 184.108.40.206 CIDR: 220.127.116.11/17 NetName: DREAMHOST-BLK6 NetHandle: NET-208-113-128-0-1 Parent: NET208 (NET-208-0-0-0-0) NetType: Direct Allocation OriginAS: Organization: New Dream Network, LLC (NDN) RegDate: 2006-04-12 Updated: 2012-03-02 Ref: https://rdap.arin.net/registry/ip/18.104.22.168 OrgName: New Dream Network, LLC OrgId: NDN Address: 417 Associated Rd. Address: PMB #257 City: Brea StateProv: CA PostalCode: 92821 Country: US RegDate: 2001-04-16 Updated: 2017-01-28 Comment: Address location was created regardless of geographic location. Ref: https://rdap.arin.net/registry/entity/NDN OrgAbuseHandle: DAT5-ARIN OrgAbuseName: DreamHost Abuse Team OrgAbusePhone: +1-714-706-4182 OrgAbuseEmail: email@example.com OrgAbuseRef: https://rdap.arin.net/registry/entity/DAT5-ARIN
|22.214.171.124||ipmail06.adl2.internode.on.net||AU||AS4739 Internode Pty Ltd|
|126.96.36.199||124-148-188-241.dyn.iinet.net.au||Melbourne||Victoria||AU||AS4739 Internode Pty Ltd|
Received: from ipmail06.adl2.internode.on.net ([188.8.131.52]:6134) by my email serverwith esmtp (Exim 4.91) (envelope-from <faxINchine@myonlinesecurity.co.uk>) id 1hRWZr-0001cL-0t for firstname.lastname@example.org; Fri, 17 May 2019 07:42:48 +0100 Received: from 124-148-188-241.dyn.iinet.net.au (HELO myonlinesecurity.co.uk) ([184.108.40.206]) by ipmail06.adl2.internode.on.net with ESMTP; 17 May 2019 16:12:45 +0930 From: Fax message <faxINchine@myonlinesecurity.co.uk> To: email@example.com Subject: Fax message from +17174451**** - 6 page(s) Date: 16 May 2019 23:42:41 -0700 Message-ID: <20190515075046.7AC33D14DF9F7DC8@myonlinesecurity.co.uk> MIME-Version: 1.0 Priority: Urgent Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_246459E9.7739B4E7"
We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.