I found a marginally interesting phishing scam in my server quarantine folder overnight. The main reason for posting this today is the way the scammer is performing the phishing scam. Unlike many similar scams, there are no direct links to any website. Instead the scammer has attached an encoded HTML file, so it is more difficult to find the links. Even then there are still no direct links or connections via the post button. Instead everything is done via .js files on a subdomain of what appears to be a compromised Nigerian website, nosakhealthcare.com: http:// taxuytrewqasdfghjklmnbvcxzasdfghjklpoiuytrewqasdfghjklmnbvcxz.nosakhealthcare.com on IP number 22.214.171.124. The main URL redirects to http://nosakgroup.com/, which at first glance doesn’t appear to have any obvious compromise on it and doesn’t even mention nosakhealthcare.com at all as being part of the group.
What is most concerning about this sort of phishing scam is that most automatic scanning tools, even when they do decode the URL-encoded script in the HTML file, don’t follow the .js files to get to the final PHP submission. This sort of multistage approach is relatively common in malware campaigns, but I don’t generally see it in phishing scams. I can’t see the content of or download megapha.php, so I am unable to find out whether it sends the stolen credentials via email or via other methods to the criminal performing the scam.
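To show what "following the chain" from a URL-encoded attachment looks like in practice, here is an added example triage script that is not part of the original post and not taken from the phishing kit. It assumes the attachment hides its page body in a percent-encoded string literal (the unescape() pattern the post describes); the SAMPLE_HTML, the field names and the host sub.phish-host.invalid are constructed placeholders. The script decodes every encoded literal, parses the decoded markup, lists which form fields would be submitted, and reports the remote .js files that still need to be fetched and inspected before the real submission endpoint is known.

```python
import re
import urllib.parse
from html.parser import HTMLParser

# Constructed sample attachment, not the file from the campaign. The visible
# page is hidden inside a percent-encoded string passed to unescape(), and the
# only network reference is a remote .js file rather than a direct form action.
SAMPLE_HTML = (
    '<html><body><script>\n'
    'document.write(unescape("%3Cform%20id%3D%22f%22%3E'
    '%3Cinput%20name%3D%22email%22%3E'
    '%3Cinput%20name%3D%22password%22%20type%3D%22password%22%3E'
    '%3C%2Fform%3E'
    '%3Cscript%20src%3D%22http%3A%2F%2Fsub.phish-host.invalid%2Fjs%2Fsubmit.js%22%3E'
    '%3C%2Fscript%3E"));\n'
    '</script></body></html>'
)

# Quoted string literals (double or single) and percent-encoded bytes.
STRING_RE = re.compile(r'"([^"\\]*(?:\\.[^"\\]*)*)"|\'([^\'\\]*(?:\\.[^\'\\]*)*)\'')
PCT_BYTE_RE = re.compile(r'%[0-9A-Fa-f]{2}')
MIN_ESCAPES = 4   # a literal with this many escapes is treated as an encoded payload


class RefCollector(HTMLParser):
    """Collects outbound references and the form fields a page would submit."""

    def __init__(self):
        super().__init__()
        self.refs = []    # (tag, attribute, value)
        self.fields = []  # <input name=...> values

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for key in ('src', 'action', 'href'):
            if a.get(key):
                self.refs.append((tag, key, a[key]))
        if tag == 'input' and a.get('name'):
            self.fields.append(a['name'])


def decode_payloads(text, max_rounds=5):
    """Return each quoted literal that looks percent-encoded, fully decoded.

    Decoding is repeated because some kits encode the payload more than once.
    """
    payloads = []
    for m in STRING_RE.finditer(text):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        if len(PCT_BYTE_RE.findall(literal)) < MIN_ESCAPES:
            continue
        for _ in range(max_rounds):
            decoded = urllib.parse.unquote(literal)
            if decoded == literal:
                break
            literal = decoded
        payloads.append(literal)
    return payloads


def collect(text, collector, depth=0, max_depth=4):
    """Feed the text and, recursively, every decoded payload into the collector."""
    collector.feed(text)
    if depth < max_depth:
        for payload in decode_payloads(text):
            collect(payload, collector, depth + 1, max_depth)


def analyse(html):
    """Return the references, form fields and hosts found at any encoding depth."""
    collector = RefCollector()
    collect(html, collector)
    hosts = set()
    for _, _, ref in collector.refs:
        parsed = urllib.parse.urlparse(ref)
        if parsed.scheme in ('http', 'https') and parsed.hostname:
            hosts.add(parsed.hostname)
    return {
        'refs': collector.refs,
        'fields': collector.fields,
        'hosts': sorted(hosts),
        # Remote scripts that must be fetched and inspected in turn to find
        # the final submission endpoint: the step many scanners skip.
        'follow_up': sorted(r[2] for r in collector.refs if r[2].lower().endswith('.js')),
    }


if __name__ == '__main__':
    for key, value in analyse(SAMPLE_HTML).items():
        print(f'{key}: {value}')
```

The point of the follow_up list is that a verdict on the attachment is not complete until each listed script has been retrieved (in a sandbox, never from the analyst's own network) and the same analysis has been run on what it loads or posts to.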
One thing to note is that when you open an HTML file on your computer, you don’t get any HTTP/HTTPS warnings in the way you would on a normal website.
Trying to go to the root of the subdomain or any of the folders gives a 403 forbidden message.
Anyway, let’s get to the actual phishing email, which pretends to be a Tax Clearance Certificate from the US Government Income Tax Department. There is no registered domain incometaxefilling.gov. Any tax messages in the USA should come from an IRS.gov domain, and in the UK they would come from HMRC.gov.uk.
From: TAX OFFICE <Donotreply@incometaxefilling.gov>
Date: Wed 26/09/2018 18:39
Subject: RE: TAX CLEARANCE CERTIFICATE
TCC issued for application no 0007649
In pursuance of your application no. 0007649 for Tax Clearance Certificate,
please be informed that your TCC has been issued and is now available for download.
Download the attached TCC, Your official TCC Number is 10048500
Thank you for using the online TCC Portal.
Office of the tax Clearance.
If you open the attachment on your computer you will see a web page looking like this, which pretends to be a Microsoft OneDrive page asking you to download the certificate. All they appear to be trying to steal is your email address and password. They don’t seem to be asking for any further information at all.
IP address | City | Region | Country | AS
126.96.36.199 | Honkong | HONG KONG | HK | AS9381 WTT HK Limited
188.8.131.52 | Santiago | Santiago Metropolitan | CL | AS15311 Telefonica Empresas
Received: from [184.108.40.206] (port=1338 helo=smtp.31808888.com) by my email server with esmtp (Exim 4.91) (envelope-from <Donotreply@incometaxefilling.gov>) id 1g5FCy-0003af-Ju for firstname.lastname@example.org; Wed, 26 Sep 2018 20:10:49 +0100
Received: from User (unknown [220.127.116.11]) by smtp.31808888.com (Postfix) with ESMTPA id 8F2AD2C84E0; Thu, 27 Sep 2018 01:38:37 +0800 (HKT)
Reply-To: <email@example.com>
From: "TAX OFFICE"<Donotreply@incometaxefilling.gov>
Subject: RE: TAX CLEARANCE CERTIFICATE
Date: Wed, 26 Sep 2018 14:38:54 -0300
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0112_01C2A9A6.5F99B1E0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
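The headers above carry several of the tell-tales that make a message like this easy to triage automatically: a Reply-To on a different domain from the From address, an origin HELO of "User" rather than a hostname, a relay that has nothing to do with the claimed sender domain, and a Date header written in a different time zone from the relay that first accepted the message. Here is an added Python example, not part of the original post, that parses the Received chain in delivery order and reports those checks. The sample headers are transcribed from the message quoted above; the receiving host mail.example.org, the recipient address and the body are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Sample transcribed from the headers quoted in this post. The receiving host
# (mail.example.org), the recipient and the body are constructed placeholders.
SAMPLE_MESSAGE = """\
Received: from [184.108.40.206] (port=1338 helo=smtp.31808888.com)
 by mail.example.org with esmtp (Exim 4.91)
 (envelope-from <Donotreply@incometaxefilling.gov>)
 id 1g5FCy-0003af-Ju for recipient@example.org;
 Wed, 26 Sep 2018 20:10:49 +0100
Received: from User (unknown [220.127.116.11])
 by smtp.31808888.com (Postfix) with ESMTPA id 8F2AD2C84E0;
 Thu, 27 Sep 2018 01:38:37 +0800 (HKT)
Reply-To: <email@example.com>
From: "TAX OFFICE"<Donotreply@incometaxefilling.gov>
Subject: RE: TAX CLEARANCE CERTIFICATE
Date: Wed, 26 Sep 2018 14:38:54 -0300
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

(constructed placeholder body)
"""

HOP_RE = re.compile(r'from\s+(?P<helo>\S+)(?:\s*\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)')
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')


def parse_hops(msg):
    """Return the Received hops in delivery order, origin first.

    Each hop records the HELO name the sender gave, the server that stamped
    the header, any IPv4 literals in the 'from' clause and the timestamp.
    """
    hops = []
    for raw in reversed(msg.get_all('Received', [])):
        value = ' '.join(raw.split())            # unfold continuation lines
        m = HOP_RE.search(value)
        helo = m.group('helo') if m else None
        info = (m.group('info') or '') if m else ''
        helo_kv = re.search(r'helo=(\S+)', info)  # Exim puts the HELO in the comment
        if helo_kv:
            helo = helo_kv.group(1)
        from_clause = value.split(' by ', 1)[0]
        stamp = value.rsplit(';', 1)[1].strip() if ';' in value else ''
        hops.append({
            'helo': helo,
            'by': m.group('by') if m else None,
            'ips': IPV4_RE.findall(from_clause),
            'date': parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def check_message(raw_message):
    """Parse a message and return (hops, findings) for analyst triage."""
    msg = message_from_string(raw_message)
    hops = parse_hops(msg)
    findings = []

    from_addr = parseaddr(msg.get('From', ''))[1]
    from_domain = from_addr.rsplit('@', 1)[-1].lower()
    reply_to = parseaddr(msg.get('Reply-To', ''))[1]
    if reply_to and reply_to.rsplit('@', 1)[-1].lower() != from_domain:
        findings.append(('reply-to-mismatch', f'{reply_to} vs {from_addr}'))

    if hops:
        origin, relay = hops[0], hops[-1]
        # A bare word such as "User" is a client's default HELO, not a mail server.
        if origin['helo'] and '.' not in origin['helo']:
            findings.append(('origin-helo-not-fqdn', origin['helo']))
        if relay['helo'] and not relay['helo'].lower().endswith(from_domain):
            findings.append(('relay-unrelated-to-sender', f"{relay['helo']} for {from_domain}"))
        date_hdr = parsedate_to_datetime(msg['Date']) if msg['Date'] else None
        if date_hdr and origin['date']:
            if date_hdr.utcoffset() != origin['date'].utcoffset():
                findings.append(('date-offset-mismatch',
                                 'Date %s vs origin relay %s' % (date_hdr.strftime('%z'),
                                                                 origin['date'].strftime('%z'))))
            if abs((origin['date'] - date_hdr).total_seconds()) > 3600:
                findings.append(('date-skew', 'Date header more than an hour from first relay stamp'))
    return hops, findings


if __name__ == '__main__':
    hops, findings = check_message(SAMPLE_MESSAGE)
    for hop in hops:
        print('hop:', hop['ips'], 'helo', hop['helo'], 'by', hop['by'])
    for code, detail in findings:
        print('finding:', code, detail)
```

None of these findings is conclusive on its own (legitimate bulk mailers trip the relay check all the time), but the combination, together with an attachment that loads its form logic from a third-party .js file, is what a quarantine rule should be scoring on.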