Threat Research

New Phishing Campaign Making the Rounds

By Tien Phan | October 20, 2015

Recently, our monitoring detected a new email phishing campaign circulating in the wild. The targets are individuals who are using email from providers such as YahooMail and Gmail. Our analysis below will tell more about this phishing campaign and what you should do to avoid becoming a victim of this campaign.

Below is a screenshot of the phishing email:

Figure 1: Phishing email

From figure 1, you can see the content of the email used by hacker for phishing. The attachment is a RAR file containing a simple HTML page used as a fake Yahoo login page.

Figure 2: Fake Yahoo login page

This page is a simple html version of the original Yahoo login page that has been modified for phishing.

A Javascript code had been added in the first lines of the page to instruct the browser to open a window alert box:

Figure 3: Alert from fake login page

This alert lures users to believe that the download of the supposed “document” has failed and that they need to sign in. Additionally, it attempts to focus the attention of users on the page itself and not notice browser address bar. At this point, the user will believe that they are in the real login page and login as usual.

Figure 4: The address bar with file:// scheme

Once a user unwittingly logs in to this page, all login credentials will be submitted to the hacker’s website. The code in the phishing html “Invoice.htm” shows that:

Figure 5: Modified post location

Figure 6: Original Yahoo post

When users attempt to submit a login request in the fake login page, some information will be transmitted:

Figure 7: Some transmitted data (captured by Mozilla Firefox Tamper Data plugin)

Figure 8: Data captured by Wireshark

The above information will then be stored at the hacker’s database.

New Campaign, Old Technique, Same Actor

Looking into some email phishing campaigns in the past few months, we also found that the author of this campaign had also phished Outlook and Cpanel Webmail:

Figure 9: Outlook phishing campaign (credit to malwr.com)

Figure 10: CPanel Webmail phishing campaign (credit to malwr.com)

These Outlook and Cpanel Webmail campaigns were hosted at coalcitymag.com, which was registered by the same email address of the current campaign, rodriguez_psm@yahoo.com. Below is a list of malicious domains registered by this email address:

xtrernemg.com
coalcitymag.com
jukisin.com
coalcitymag.net
coalcitymag.org
ydkk.biz

Conclusion

This phishing campaign employs a simple and unsophisticated approach although it may prove effective to unfamiliar users. To prevent falling victim from this attack, we advise users to:

  • Always check the site address when submitting credentials.
  • Never open the file attachment of emails coming from untrusted people. If a suspicious email came from a trusted individual, confirm to that person via other channels such as making a phone call or approaching the person.
  • Users of Fortigate can enable FortiGuard Webfiltering and set Phishing category to block.

Fortinet detects the malicious html attachment as HTML/Phising.A838!tr and blocks all related URLs under Phishing category.

-= FortiGuard Lion Team =-