Sponsored by..

Thursday 11 June 2015

Phish: "New_Order_#056253_Hf_Constructions" / "joseph.zhou@hong-kee.com"

I've seen a few of these today, presumably they aren't quite spammy enough to get blocked by our mail filters..

From: Kang Li [mailto:joseph.zhou@hong-kee.com]
Sent: 10. juni 2015 09:35
Subject: New_Order_#056253_Hf_Constructions


Please find attached our new order and send P/I against 50% advance payemnt

best regards
The attachment is New_Order_#056253_Hf_Constructions.pdf which looks like a purchase order, but there is a blurred out section.

An examination of the underlying PDF file shows two URLs listed:


In turn these redirect to:


The second URL listed 404s, but the first one is active. According to the URLquery report, it looks harmless, just leading to a phishing page. But when I tried it in a test environment, the behaviour was somewhat different and it also attempted to load a page at:


This page 404s, but was previously hosted on a bad server at [VT report]. That server has been offline for a few days, but the URL is suggestive of an exploit kit of some sort.

The "megatrading.hol.es" (hosted on by Hostinger - VT report) landing page looks like a straightforward phish:

Entering the username and password always seems to return an error, even if you are absolutely certain the combination are correct..

I suspect that all this portion is doing is collecting email addresses and passwords for use later. Webmail accounts have some value to the bad guys, and of course many people re-use passwords all over the place, so it could be used as a way to get access to other services. Take care.

Recommended blocklist:

No comments: