Sponsored by..

Thursday 11 June 2015

Phish: "New_Order_#056253_Hf_Constructions" / "joseph.zhou@hong-kee.com"

I've seen a few of these today, presumably they aren't quite spammy enough to get blocked by our mail filters..

From: Kang Li [mailto:joseph.zhou@hong-kee.com]
Sent: 10. juni 2015 09:35
Subject: New_Order_#056253_Hf_Constructions

Dear,

Please find attached our new order and send P/I against 50% advance payemnt

best regards
kang
The attachment is New_Order_#056253_Hf_Constructions.pdf which looks like a purchase order, but there is a blurred out section.


An examination of the underlying PDF file shows two URLs listed:

[donotclick]designaffair.com.my/js/jss/accesslogin.php
[donotclick]perm.ly/importers-buyers-exporters

In turn these redirect to:

[donotclick]megatrading.hol.es/order/0exbligh0bwwciagica8is0tw2lmielfidhdpia8ahrtbcbk/index.html
[donotclick]tips-and-travel.com/~saulitoo/imgs/0exbligh0bwwciagica8is0tw2lmielfidhdpia8ahrtbcbk/index.html

The second URL listed 404s, but the first one is active. According to the URLquery report, it looks harmless, just leading to a phishing page. But when I tried it in a test environment, the behaviour was somewhat different and it also attempted to load a page at:

[donotclick]guest.lifevericalls.xyz/outlandish_litigant_tuners_nudeness/03737928145651311

This page 404s, but was previously hosted on a bad server at 92.222.42.183 [VT report]. That server has been offline for a few days, but the URL is suggestive of an exploit kit of some sort.

The "megatrading.hol.es" (hosted on 31.220.16.16 by Hostinger - VT report) landing page looks like a straightforward phish:


Entering the username and password always seems to return an error, even if you are absolutely certain the combination are correct..


I suspect that all this portion is doing is collecting email addresses and passwords for use later. Webmail accounts have some value to the bad guys, and of course many people re-use passwords all over the place, so it could be used as a way to get access to other services. Take care.

Recommended blocklist:
31.220.16.16
92.222.42.183

No comments: