
This set of phishing scams is noteworthy because the emails all originate from a compromised email account belonging to the Mexican Government, or at least one using a Mexican government (gob.mx) domain. It appears to trace back to the Ministry of Justice of Guanajuato state. Because the sending account is genuine, the emails all pass email authentication checks and so are more likely to be delivered to prospective victims.

various phishing scams via compromised Mexican Gov email address

Screenshot: list of phishing emails from the compromised Mexican Government email address

The actual phishing scams are all hosted on what appears to be a compromised Romanian company website.


Remember that many email clients, especially on a mobile phone or tablet, only show the display name in the From: field and not the actual address in <domain.com>. That is why these scams and phishes work so well.

We have had 2 sets of emails so far in this series.

The 1st email looks like:

From: ! <This email address is being protected from spambots. You need JavaScript enabled to view it.>

Date: Wed 08/05/2019 11:02

Subject: A deposit of 350,000.00 GBP was paid today

Body content:

Hello,

 

A deposit of 350,000.00 GBP was paid today please kindly look in to the file and see if its to the company account.

 

View File Document Here

Screenshot: phishing email

If you follow the link in the email you see a webpage looking like this: http://fortimpex.ro/documentation/my-pdlvel/

Screenshot: fake Adobe PDF phishing scam

After you input your email address and password, you are sent to a page asking for your phone number to confirm that you are the owner of the email. (I used the Action Fraud UK Police crime reporting number for this one: 01612349230.) So hopefully when the criminal tries to use it they will get a somewhat rude awakening.

Screenshot: phishing scam site

Then you are asked for an alternative email address and password, and are then redirected to the domain of the email address you entered.

Screenshot: phishing scam site

The 2nd email looks like:

From: ! <This email address is being protected from spambots. You need JavaScript enabled to view it.>

Date: Wed 08/05/2019 11:02

Subject: A deposit of 350,000.00 GBP was paid today

Body content:

Office 365 Outlook

Dear email user,

We notice that you recently mistakenly requested your email account to be deactivated, if you know you did not make this request cancel now here: ( Click Here To Cancel Deactivation )

If not your email will be blocked in the next 48 hours.

Screenshot: phishing email

This leads to http://fortimpex.ro/images/my-ukalld/

Screenshot: Office 365 phishing site

Once you give an email address and password, you are told the details are incorrect and asked to try again. Then you get a page that does not display, so it is quite possible that something has gone wrong with this scam, although it is very likely that the criminal has already received the details.

But then I looked around and found that http://fortimpex.ro/images/ has an open directory listing, where I found another phishing site: http://fortimpex.ro/images/ebywb8829123/

Screenshot: phishing scam site

After you enter an email address and the password (twice), you are then sent to the domain of the email address you entered.

We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch out for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, or to follow the link. It might be a message saying “look at this picture of me I took last night” that appears to come from a friend; it might be more targeted at somebody who regularly receives PDF attachments, Word .doc attachments or any other common file type they use every day; or it might be a straightforward attempt, like this one, to steal your personal, bank, credit card, email or social networking login details. Be very careful when unzipping attachments and make sure you have “show known file extensions” enabled, then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.

IOC

http://fortimpex.ro/images/ebywb8829123/
http://fortimpex.ro/images/my-ukalld/
http://fortimpex.ro/documentation/my-pdlvel/
176.126.201.2

This email address is being protected from spambots. You need JavaScript enabled to view it.

Email headers (2nd email, the deactivation warning):

IP              Hostname           City     Region     Country  Organisation
201.144.51.202  mx.pgjgto.gob.mx   Morelia  Michoacán  MX       AS8151 Uninet S.A. de C.V.
172.16.4.3      Private IP
127.0.0.1       Local IP
Received: from mx.pgjgto.gob.mx ([201.144.51.202]:51871)
by my email server with esmtps (TLSv1.2:ECDHE-RSA-AES256-SHA:256)
(Exim 4.91)
(envelope-from <This email address is being protected from spambots. You need JavaScript enabled to view it.>)
id 1hOUjx-0003SG-T5
for This email address is being protected from spambots. You need JavaScript enabled to view it.; Wed, 08 May 2019 23:08:42 +0100
Received: from correo.pgjgto.gob.mx ([172.16.4.3])
by mx.pgjgto.gob.mx with ESMTP id x48M74nD015846-x48M74nF015846
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO);
Wed, 8 May 2019 17:07:04 -0500
Received: from localhost (localhost [127.0.0.1])
by correo.pgjgto.gob.mx (Postfix) with ESMTP id 3B22439A878;
Wed, 8 May 2019 16:50:27 -0500 (CDT)
Received: from correo.pgjgto.gob.mx ([127.0.0.1])
by localhost (correo.pgjgto.gob.mx [127.0.0.1]) (amavisd-new, port 10032)
with ESMTP id ZJLq168gsG32; Wed, 8 May 2019 16:50:26 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1])
by correo.pgjgto.gob.mx (Postfix) with ESMTP id CB79539A87A;
Wed, 8 May 2019 16:50:22 -0500 (CDT)
DKIM-Filter: OpenDKIM Filter v2.9.2 correo.pgjgto.gob.mx CB79539A87A
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pgjgto.gob.mx;
s=07B25216-77B0-11E6-AF77-8ADE1752B4C3; t=1557352223;
bh=yYin322KywJZNKOTk97zO3Cnu3BXFYnO4fR3FhJddX0=;
h=Date:From:Message-ID:Subject:MIME-Version:Content-Type;
b=iZsMcKAx01kCVNtb2M+HrpQHUbQQ8F74WPCtD0BK+5k7bYUmGaHVh66VqhvqGZMvZ
kmAl+i+zb3kIOVk2M9uc86zvRNmKMvVAXYpZdUBlLno/VrlCCvrBeIyCGeoQJpAp0X
8MhhfLIeY3kn2D+Li2di9/7Va2S/7DHWd/v/+rjM=
X-Virus-Scanned: amavisd-new at pgjgto.gob.mx
Received: from correo.pgjgto.gob.mx ([127.0.0.1])
by localhost (correo.pgjgto.gob.mx [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id dprej0qW1aew; Wed, 8 May 2019 16:50:22 -0500 (CDT)
Received: from correo.pgjgto.gob.mx (correo.pgjgto.gob.mx [172.16.4.3])
by correo.pgjgto.gob.mx (Postfix) with ESMTP id 9EC4839A870;
Wed, 8 May 2019 16:50:13 -0500 (CDT)
Date: Wed, 8 May 2019 16:50:13 -0500 (CDT)
From: "Microsoft Support <This email address is being protected from spambots. You need JavaScript enabled to view it.>" <This email address is being protected from spambots. You need JavaScript enabled to view it.>
Message-ID: <This email address is being protected from spambots. You need JavaScript enabled to view it.>
Subject: =?utf-8?Q?Attention_|_|_Ema=C3=ADl_deactivation_Warning?=
MIME-Version: 1.0
Content-Type: multipart/alternative; 
boundary="----=_Part_237282_1893123566.1557352213431"
X-Originating-IP: [172.16.4.26]
X-Mailer: Zimbra 8.6.0_GA_1200 (zclient/8.6.0_GA_1200)
Thread-Topic: Attention | | =?utf-8?Q?Ema=C3=ADl?= deactivation Warning
Thread-Index: kHKKWOIX+zth91tOABL02KzNpIC+GQ==
Email headers (1st email, the deposit notice):

IP              Hostname           City     Region     Country  Organisation
201.144.51.202  mx.pgjgto.gob.mx   Morelia  Michoacán  MX       AS8151 Uninet S.A. de C.V.
172.16.4.3      Private IP
127.0.0.1       Local IP
Received: from mx.pgjgto.gob.mx ([201.144.51.202]:57781)
	by my email server with esmtps (TLSv1.2:ECDHE-RSA-AES256-SHA:256)
	(Exim 4.91)
	(envelope-from <This email address is being protected from spambots. You need JavaScript enabled to view it.>)
	id 1hOJfz-0002pf-7T; Wed, 08 May 2019 11:19:51 +0100
Received: from correo.pgjgto.gob.mx ([172.16.4.3])
	by mx.pgjgto.gob.mx  with ESMTP id x48AIHnv008874-x48AIHnx008874
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO);
	Wed, 8 May 2019 05:18:17 -0500
Received: from localhost (localhost [127.0.0.1])
	by correo.pgjgto.gob.mx (Postfix) with ESMTP id C1E0F39A873;
	Wed,  8 May 2019 05:01:42 -0500 (CDT)
Received: from correo.pgjgto.gob.mx ([127.0.0.1])
	by localhost (correo.pgjgto.gob.mx [127.0.0.1]) (amavisd-new, port 10032)
	with ESMTP id 9tedA3hgg4N0; Wed,  8 May 2019 05:01:41 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1])
	by correo.pgjgto.gob.mx (Postfix) with ESMTP id 7B8D539A882;
	Wed,  8 May 2019 05:01:40 -0500 (CDT)
DKIM-Filter: OpenDKIM Filter v2.9.2 correo.pgjgto.gob.mx 7B8D539A882
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pgjgto.gob.mx;
	s=07B25216-77B0-11E6-AF77-8ADE1752B4C3; t=1557309700;
	bh=nfsTadJ1SZU+Kl138pvgkiohhBW7evigPL3mdYRsKUE=;
	h=Date:From:Message-ID:Subject:MIME-Version:Content-Type;
	b=TrGIFWxPieRANnkeUfN0t+lGIQT5Li6wB7qT0a3bVOgT3CoOTjouBGvJcYTMX1HUs
	 x8YSRgA8WE9M8mGgjE7QhhJNviydtRq2HSnbiTFZVW2+pSs4BcmfGVR2Llmp9WmByU
	 +w1jCxA8+dcgO+jDHQc5FFkVd0X+nHu6/EPthOSY=
X-Virus-Scanned: amavisd-new at pgjgto.gob.mx
Received: from correo.pgjgto.gob.mx ([127.0.0.1])
	by localhost (correo.pgjgto.gob.mx [127.0.0.1]) (amavisd-new, port 10026)
	with ESMTP id dX3eBdusIpAG; Wed,  8 May 2019 05:01:39 -0500 (CDT)
Received: from correo.pgjgto.gob.mx (correo.pgjgto.gob.mx [172.16.4.3])
	by correo.pgjgto.gob.mx (Postfix) with ESMTP id 38EE539A875;
	Wed,  8 May 2019 05:01:33 -0500 (CDT)
Date: Wed, 8 May 2019 05:01:32 -0500 (CDT)
From: ! <This email address is being protected from spambots. You need JavaScript enabled to view it.>
Message-ID: <This email address is being protected from spambots. You need JavaScript enabled to view it.>
Subject: A deposit of 350,000.00 GBP was paid today
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_220036_1591273551.1557309692853"
X-Originating-IP: [172.16.4.26]
X-Mailer: Zimbra 8.6.0_GA_1200 (zclient/8.6.0_GA_1200)
Thread-Topic: A deposit of 350,000.00 GBP was paid today
Thread-Index: XhbpuLGwpWW2zUJdtzDvqfRYBg8EPw==
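As an added example (not code from the original post), here is a Python triage of headers like the ones above. It checks whether the DKIM signing domain (d=) aligns with the From domain, which is why mail from a genuinely compromised account passes authentication, picks out the public IP that handed the message over from the Received chain, and flags the display-name trick the post warns about, where the visible name carries a fake address while the real one sits in the angle brackets. The header sample is constructed from the post's headers; the local parts and the DKIM b= value are placeholders.

```python
import email
import ipaddress
import re

# Constructed sample modelled on the headers quoted in the post; local parts and
# the DKIM b= value are placeholders because the post redacts the real ones.
SAMPLE_HEADERS = """\
Received: from mx.pgjgto.gob.mx ([201.144.51.202]:51871)
\tby my email server with esmtps (TLSv1.2:ECDHE-RSA-AES256-SHA:256) (Exim 4.91)
Received: from correo.pgjgto.gob.mx ([172.16.4.3])
\tby mx.pgjgto.gob.mx with ESMTP id x48M74nD015846-x48M74nF015846
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pgjgto.gob.mx;
\ts=07B25216-77B0-11E6-AF77-8ADE1752B4C3; t=1557352223; b=PLACEHOLDER=
From: "Microsoft Support <support@placeholder.example>" <placeholder-user@pgjgto.gob.mx>
Subject: =?utf-8?Q?Attention_|_|_Ema=C3=ADl_deactivation_Warning?=

"""
# Greedy: the last <...> is the real address, whatever the display name contains.
ADDR_RE = re.compile(r"^(.*)<([^<>]+)>\s*$", re.S)


def split_from(value):
    """Return (display_name, address) without trusting the display name."""
    m = ADDR_RE.match(value.strip())
    if not m:
        return "", value.strip()
    return m.group(1).strip().strip('"'), m.group(2).strip()


def triage(raw):
    msg = email.message_from_string(raw)
    display, addr = split_from(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # d= names the domain whose key signed the message.
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = m.group(1).lower() if m else None
    # Relaxed DMARC alignment: signing domain equals the From domain or is a parent of it.
    aligned = dkim_domain is not None and (
        from_domain == dkim_domain or from_domain.endswith("." + dkim_domain))
    # Received headers are newest-first; the first public IP is the MTA that handed the
    # message to us, everything behind it is the sender's internal relay path.
    ips = [ip for r in msg.get_all("Received", [])
           for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", r)]
    sending_ip = next((ip for ip in ips if ipaddress.ip_address(ip).is_global), None)
    # Display-name spoofing: an address in the name that the real From domain does not back.
    fake = re.search(r"[\w.+-]+@([\w.-]+)", display)
    mismatch = bool(fake) and fake.group(1).lower() != from_domain
    return {"from_domain": from_domain, "dkim_domain": dkim_domain, "dkim_aligned": aligned,
            "sending_ip": sending_ip, "display_name": display,
            "display_name_mismatch": mismatch}
```

On this sample the signature aligns and the sending IP is the government MX, so authentication alone would deliver it; the display-name mismatch is the only header-level tell.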

Read more https://myonlinesecurity.co.uk/various-phishing-scams-via-compromised-mexican-gov-email-address/
