Recently, our monitoring detected a new email phishing campaign circulating in the wild. The targets are individuals who are using email from providers such as YahooMail and Gmail. Our analysis below will tell more about this phishing campaign and what you should do to avoid becoming a victim of this campaign.
Below is a screenshot of the phishing email:
Figure 1: Phishing email
From figure 1, you can see the content of the email used by hacker for phishing. The attachment is a RAR file containing a simple HTML page used as a fake Yahoo login page.
Figure 2: Fake Yahoo login page
This page is a simple html version of the original Yahoo login page that has been modified for phishing.
Figure 3: Alert from fake login page
This alert lures users to believe that the download of the supposed “document” has failed and that they need to sign in. Additionally, it attempts to focus the attention of users on the page itself and not notice browser address bar. At this point, the user will believe that they are in the real login page and login as usual.
Figure 4: The address bar with file:// scheme
Once a user unwittingly logs in to this page, all login credentials will be submitted to the hacker’s website. The code in the phishing html “Invoice.htm” shows that:
Figure 5: Modified post location
Figure 6: Original Yahoo post
When users attempt to submit a login request in the fake login page, some information will be transmitted:
Figure 7: Some transmitted data (captured by Mozilla Firefox Tamper Data plugin)
Figure 8: Data captured by Wireshark
The above information will then be stored at the hacker’s database.
New Campaign, Old Technique, Same Actor
Looking into some email phishing campaigns in the past few months, we also found that the author of this campaign had also phished Outlook and Cpanel Webmail:
Figure 9: Outlook phishing campaign (credit to malwr.com)
Figure 10: CPanel Webmail phishing campaign (credit to malwr.com)
These Outlook and Cpanel Webmail campaigns were hosted at coalcitymag.com, which was registered by the same email address of the current campaign, firstname.lastname@example.org. Below is a list of malicious domains registered by this email address:
This phishing campaign employs a simple and unsophisticated approach although it may prove effective to unfamiliar users. To prevent falling victim from this attack, we advise users to:
Fortinet detects the malicious html attachment as HTML/Phising.A838!tr and blocks all related URLs under Phishing category.
-= FortiGuard Lion Team =-