
Tuesday, 24 May 2016

Phish: "TNT Consignment Notification" via rit.edu

This fake TNT notification is phishing for credentials:

From:    TNT Express
Reply-To:    sh3llsh0p@yahoo.com
Date:    24 May 2016 at 11:34
Subject:    TNT Consignment Notification

Attention: [redacted],

TNT is pleased to advise you that ANTONIOU KONSTANTINOS has arranged for a shipment to be collected from them on May 23, 2016 , and delivered to You on 275th May 2016.
The shipment has a TNT CONSIGNMENT NOTE NUMBER: 119138390

To be able to check the status of the shipment simply visit or click below to track.



http://www.tnt.com/webtracker/tracking.do?navigation=1&searchType=CON&respLang=en&respCountry=GENERIC&genericSiteIdent=.&cons=119138390


From :
ANTONIOU KONSTANTINOS
Theokritou 5
THESSALONIKI
THESSALONIKIS
546 27
GR

Pieces : 1
Weight : 0.5 KG
Shipment reference :
Description : sample
If you would like to find out about the many ways TNT helps you to track your shipment, or if you would like to know more about the services provided by TNT, simply connect to www.tnt.com and select your location at any time.


---------------------------------------------------------------------------------------------------------------
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure.
If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.
If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person.
Please consider the environmental impact before printing this document and its attachment(s). Print black and white and double-sided where possible.
------------------------------------------------------------------------------
The link in the email is disguised to make it look like a link to tnt.com, but in fact it goes to:

heurica.dk/tnt1/?email=[redacted]

which then forwards to

booking-smart-swim-school.co.uk/images/TNT/index.php?rand=13InboxLightaspxn.1774256418&fid&1252899642&fid.1&fav.1&email=[redacted]

This URLquery report shows what is going on, as the victim ends up on a laughably fake phishing page:


Presumably this is phishing for general email credentials rather than a TNT login. Originating IP is 87.106.178.108 (1&1, Germany) via an apparently compromised account or server at pmdf01b.rit.edu.
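A mail filter can catch the disguised link described above by comparing the host shown in a link's text with the host in its href. This is an added example, not code from the original post: the HTML markup in SAMPLE is constructed (the post shows only the rendered text), the displayed tracking URL is shortened, and exact host comparison stands in for a proper registered-domain check.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: subject and hostnames are from the post; the HTML markup
# is an assumption and the displayed tracking URL is shortened.
SAMPLE = '''Subject: TNT Consignment Notification
Content-Type: text/html; charset="utf-8"

<a href="http://heurica.dk/tnt1/?email=REDACTED">http://www.tnt.com/webtracker/tracking.do?cons=119138390</a>
<p>Simply connect to <a href="http://www.tnt.com/">www.tnt.com</a>.</p>
'''
URLISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?", re.I)

def host_of(text):
    """Hostname (minus a leading www.) if text is a URL or bare domain, else None."""
    text = text.strip()
    if not URLISH.fullmatch(text):
        return None
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return host[4:] if host.startswith("www.") else host

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def disguised_links(raw):
    """(shown_host, real_host) pairs where the link text names a different host."""
    hits = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            pairs = [(host_of(t), host_of(h)) for h, t in collector.links]
            hits += [(s, r) for s, r in pairs if s and r and s != r]
    return hits
```

Links whose visible text is not itself a URL or domain (for example "click here") are ignored, since there is no displayed host to compare against.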


