phishing

Just a very quick post about a phishing scam seen this morning. It is only noteworthy because the phishing page is hosted on a compromised website belonging to a small Brazilian ISP, https://www.agilinker.com.br/ (a live phishing host at the time of writing, so do not browse to it casually).

The email pretends to be a fax message from your own domain, so the ones I received pretended to come from an address on my own domain, [email address hidden]. I received lots of these, addressed to various different email addresses on the myonlinesecurity.co.uk domain.


Remember that many email clients, especially on a phone or tablet, show only the display name in the From: field ("Fax message" here) and not the actual address in the angle brackets. That is why scams and phishes like this work so well. This one also trips over its own details: the subject line promises 6 pages while the body says 4.

The email looks like:

From: Fax message <[email address hidden]>

Date: Fri 17/05/2019 07:43

Subject: Fax message from +17174451**** – 6 page(s)

Attachment: Fax Message.html

Body content:

You have a new fax! Click the attachment to view.

Fax Details
Date Received: 2019-05-10 8:05:46 PDT
Type: Attached in pdf
Number of Pages: 4
Reference #: fxi8083216-908876

Sign in using your [email address hidden] and password to view fax.

Sincerely,
The Fax Team

Fake Fax Message email

The email has an HTML attachment that, when opened, sends you to “http://agilinker.com.br/wp-content/plugins/themler-core/shortcodes/assets/js/_manage?x=x&a=[email address hidden]”. The a= parameter is the recipient's own email address, which the kit uses to personalise the fake login page and, at the end, to send the victim back to the home page of their own domain.

Phishing page

The content of the attachment is a simple HTML meta refresh: an otherwise empty page that redirects the browser to the phishing URL after a one-second delay, so there is no link in the email body for a filter or a cautious reader to inspect.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta http-equiv="REFRESH" content="1;url=http://agilinker.com.br/wp-content/plugins/themler-core/shortcodes/assets/js/_manage?x=x&a=[email address hidden]">
<title>Untitled Document</title>
</head>
<body>
</body>
</html>
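As an added example, not code from this post or from the phishing kit, the following Python triages an .html attachment of this kind: it extracts meta-refresh targets (and JavaScript location= redirects, which this sample does not use), pulls any email address out of the target's query string, and reports whether the file is a pure redirector with no visible content at all. SAMPLE_ATTACHMENT reconstructs the attachment above with a constructed victim address, victim@example.com, standing in for the redacted one.

```python
"""Triage an HTML e-mail attachment that exists only to redirect the browser.

Added example for this post; it is not code from the phishing kit or from
myonlinesecurity.co.uk. SAMPLE_ATTACHMENT reproduces the attachment the post
shows, with a constructed victim address (victim@example.com) in place of the
redacted one. The check also covers JavaScript location= redirects, which the
post's sample does not use.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

SAMPLE_ATTACHMENT = (
    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" '
    '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">'
    '<html xmlns="http://www.w3.org/1999/xhtml"><head>'
    '<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />'
    '<meta http-equiv="REFRESH" content="1;url=http://agilinker.com.br/wp-content/'
    'plugins/themler-core/shortcodes/assets/js/_manage?x=x&a=victim@example.com">'
    '<title>Untitled Document</title></head><body></body></html>'
)

# meta refresh content is "<seconds>;url=<target>", any case, optional quotes.
_REFRESH_RE = re.compile(r"^\s*\d*\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.I)
# window.location = '...' / location.href = "..." inside a <script> block.
_JS_LOCATION_RE = re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)
_EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


class _RedirectFinder(HTMLParser):
    """Collect redirect targets and count the characters a victim could read."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self.visible_chars = 0
        self._in_body = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lower-cased
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = _REFRESH_RE.match(a.get("content", ""))
            if m:
                self.targets.append(m.group(1))
        elif tag == "body":
            self._in_body = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "body":
            self._in_body = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.targets.extend(_JS_LOCATION_RE.findall(data))
        elif self._in_body:
            self.visible_chars += len(data.strip())


def analyse_attachment(html_text):
    """Describe every redirect target and the reasons it looks like a phish lure."""
    p = _RedirectFinder()
    p.feed(html_text)
    p.close()
    redirects = []
    for url in p.targets:
        parts = urlsplit(url)
        reasons = []
        if parts.scheme.lower() == "http":
            reasons.append("plain-http target")
        # The kit personalises the page from the address it is handed in the query.
        emails = [v for vals in parse_qs(parts.query).values() for v in vals
                  if _EMAIL_RE.fullmatch(v)]
        if emails:
            reasons.append("recipient address in query string: " + ", ".join(emails))
        if "/wp-content/" in parts.path:
            reasons.append("target is inside a WordPress content directory")
        redirects.append({"url": url, "host": parts.hostname, "reasons": reasons})
    return {
        "redirects": redirects,
        # An immediate redirect with nothing to read is the redirector signature.
        "pure_redirector": bool(p.targets) and p.visible_chars == 0,
    }
```

Feed it the decoded attachment body (or any text/html MIME part) and act on `pure_redirector`; a redirector that also carries a "Loading your fax..." message will show `pure_redirector` False but still list its targets, so the host and the query-string address are the fields to alert on.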

After you enter your email address and password, you are told the details are incorrect and forwarded to an almost identical page where you can enter them again. This double prompt is standard in credential phishing kits: the first submission is harvested, and the second catches anyone who thinks they mistyped, giving the attackers two copies to compare.

Then you are forwarded to the home page of the domain in the email address that was passed in the a= parameter, so the victim ends up looking at their own organisation's website none the wiser.

As I mentioned earlier, this phishing scam is hosted on the compromised website of a small local ISP in Brazil. There is an open directory listing on the site. If you try to visit the phish folder without the ?x=x parameter you get diverted to the Google home page, as you also do if you arrive from the "wrong" IP address. Both are simple cloaking tricks: the kit serves the fake login page only to visitors who followed the emailed link from an expected address range, and sends researchers, scanners and everyone else to Google.

Open directory listing of phishing site

Compromised ISP home page (translated)

I wonder what else is compromised at that ISP, whether any customer information is leaking to the scammers, and whether they can get into customer services and accounts to change or remove services. Hopefully it is just the compromised website, which is obviously running WordPress (the phish sits under wp-content/plugins/themler-core/), probably an out-of-date version or a vulnerable theme or plugin. The website appears to be on shared hosting at DreamHost in the USA rather than on the ISP's own network, which makes a path from the website into customer systems less likely, though not impossible.

Address lookup

canonical name: agilinker.com.br.
aliases: (none)
addresses: 208.113.219.140

Domain Whois record

Queried whois.nic.br with "agilinker.com.br"...

domain:      agilinker.com.br
owner:       Eudis Rodrigues Boarato
owner-c:     ROASO75
admin-c:     ROASO75
tech-c:      ROASO75
billing-c:   ROASO75
nserver:     ns1.dreamhost.com
nsstat:      20190517 AA
nslastaa:    20190517
nserver:     ns2.dreamhost.com
nsstat:      20190517 AA
nslastaa:    20190517
saci:        yes
created:     20180313 #18129128
changed:     20180330
expires:     20200313
status:      published

nic-hdl-br:  ROASO75
person:      Robson A. de Souza
created:     20100114
changed:     20160418

% Security and mail abuse issues should also be addressed to
% cert.br, http://www.cert.br/ , respectively to [email address hidden]
% and [email address hidden]
%
% whois.registro.br accepts only direct match queries. Types
% of queries are: domain (.br), registrant (tax ID), ticket,
% provider, contact handle (ID), CIDR block, IP and ASN.

Network Whois record

Queried whois.arin.net with "n 208.113.219.140"...

NetRange:       208.113.128.0 - 208.113.255.255
CIDR:           208.113.128.0/17
NetName:        DREAMHOST-BLK6
NetHandle:      NET-208-113-128-0-1
Parent:         NET208 (NET-208-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   New Dream Network, LLC (NDN)
RegDate:        2006-04-12
Updated:        2012-03-02
Ref:            https://rdap.arin.net/registry/ip/208.113.128.0


OrgName:        New Dream Network, LLC
OrgId:          NDN
Address:        417 Associated Rd.
Address:        PMB #257
City:           Brea
StateProv:      CA
PostalCode:     92821
Country:        US
RegDate:        2001-04-16
Updated:        2017-01-28
Comment:        Address location was created regardless of geographic location.
Ref:            https://rdap.arin.net/registry/entity/NDN


OrgAbuseHandle: DAT5-ARIN
OrgAbuseName:   DreamHost Abuse Team
OrgAbusePhone:  +1-714-706-4182 
OrgAbuseEmail:  [email address hidden]
OrgAbuseRef:    https://rdap.arin.net/registry/entity/DAT5-ARIN

 

Email headers. Two things stand out. First, the message reached my server from an Internode relay in Australia, which had accepted it from 124.148.188.241, a dynamic iiNet customer address whose HELO claimed to be myonlinesecurity.co.uk, the recipient's own domain. Your own domain turning up as sender and HELO from a residential IP you have never used is precisely the case SPF and DMARC are designed to let the receiving server reject, so make sure your domain publishes both. Second, the Date: header is stamped -0700 (US Pacific) while the Australian relay received the message at +0930; a forged date is a minor tell on its own, but it fits the rest.

IP               Hostname                           City       Region    Country  Organisation
150.101.137.129  ipmail06.adl2.internode.on.net     -          -         AU       AS4739 Internode Pty Ltd
124.148.188.241  124-148-188-241.dyn.iinet.net.au   Melbourne  Victoria  AU       AS4739 Internode Pty Ltd

Received: from ipmail06.adl2.internode.on.net ([150.101.137.129]:6134)
	by my email server with esmtp (Exim 4.91)
	(envelope-from <[email address hidden]>)
	id 1hRWZr-0001cL-0t
	for [email address hidden]; Fri, 17 May 2019 07:42:48 +0100
Received: from 124-148-188-241.dyn.iinet.net.au (HELO myonlinesecurity.co.uk) ([124.148.188.241])
  by ipmail06.adl2.internode.on.net with ESMTP; 17 May 2019 16:12:45 +0930
From: Fax message <[email address hidden]>
To: [email address hidden]
Subject: Fax message from +17174451**** - 6 page(s)
Date: 16 May 2019 23:42:41 -0700
Message-ID: <[hidden]>
MIME-Version: 1.0
Priority: Urgent
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0012_246459E9.7739B4E7"
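To turn those header observations into a check, here is an added example (not from the original post, and not any mail filter the post mentions) that parses the Received chain and the From/To headers and flags the self-spoof pattern: the From domain equals the recipient domain, the originating HELO claims the recipient's domain, and the originating reverse DNS looks like a dynamic customer pool. The sample headers keep the relay names, IPs and timestamps shown above; the addresses are constructed on example.co.uk because the post redacts the real ones.

```python
"""Flag a self-spoofed phish from its Received chain and From/To headers.

Added example for this post, not part of the original article or of any
mail filter it mentions. The sample below keeps the relay host names, IPs
and timestamps the post shows; the e-mail addresses are constructed
(example.co.uk) because the post redacts the real ones.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_HEADERS = (
    "Received: from ipmail06.adl2.internode.on.net ([150.101.137.129]:6134)\n"
    "\tby mail.example.co.uk with esmtp (Exim 4.91)\n"
    "\t(envelope-from <fax@example.co.uk>)\n"
    "\tid 1hRWZr-0001cL-0t\n"
    "\tfor user@example.co.uk; Fri, 17 May 2019 07:42:48 +0100\n"
    "Received: from 124-148-188-241.dyn.iinet.net.au (HELO example.co.uk)"
    " ([124.148.188.241])\n"
    "  by ipmail06.adl2.internode.on.net with ESMTP; 17 May 2019 16:12:45 +0930\n"
    "From: Fax message <fax@example.co.uk>\n"
    "To: user@example.co.uk\n"
    "Subject: Fax message from +17174451**** - 6 page(s)\n"
    "Date: 16 May 2019 23:42:41 -0700\n"
    "\n"
    "You have a new fax! Click the attachment to view.\n"
)

# "from <rdns> (HELO <name>) ([<ip>]:<port>)": the HELO clause is optional and
# Exim/Postfix differ slightly in bracketing, so the pattern is kept loose.
_HOP_RE = re.compile(
    r"from\s+(?P<rdns>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"
    r"\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?(?::\d+)?\)",
    re.IGNORECASE,
)
_DYNAMIC_LABELS = {"dyn", "dynamic", "dhcp", "pool", "ppp", "dial", "cust"}


def _domain(addr):
    """Lower-case domain part of an address header, or '' if there is none."""
    _, email = parseaddr(addr or "")
    return email.rpartition("@")[2].lower()


def looks_dynamic(rdns, ip):
    """Residential pools usually embed the IP in the name or use a 'dyn'-style label."""
    labels = set(rdns.lower().replace("-", ".").split("."))
    return bool(labels & _DYNAMIC_LABELS) or ip.replace(".", "-") in rdns


def parse_hops(msg):
    """Return hops oldest-first: the last Received: header is the origin."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = _HOP_RE.search(" ".join(str(raw).split()))  # unfold the header first
        if m:
            hop = m.groupdict()
            hop["helo"] = (hop["helo"] or hop["rdns"]).lower()
            hops.append(hop)
    return hops


def analyse_headers(raw_message):
    """Return the parsed hops plus the tells that mark a self-spoofed message."""
    msg = message_from_string(raw_message)
    rcpt_dom = _domain(msg.get("To"))
    from_dom = _domain(msg.get("From"))
    hops = parse_hops(msg)
    origin = hops[0] if hops else None
    findings = []
    if rcpt_dom and from_dom == rcpt_dom:
        findings.append("From: uses the recipient's own domain (%s)" % from_dom)
    if origin:
        helo = origin["helo"]
        if rcpt_dom and (helo == rcpt_dom or helo.endswith("." + rcpt_dom)):
            findings.append("originating host HELOs as the recipient's domain but is %s"
                            % origin["rdns"])
        if looks_dynamic(origin["rdns"], origin["ip"]):
            findings.append("originating host %s is a dynamic/residential address"
                            % origin["ip"])
    # Two independent tells is enough to quarantine; one alone is merely odd.
    return {"hops": hops, "origin": origin, "findings": findings,
            "self_spoofed": len(findings) >= 2}
```

Run it under python3 and look at `analyse_headers(SAMPLE_HEADERS)["findings"]`. In production the hop regex would need the other Received: formats your relays emit, and the HELO/IP heuristics should give way to a real SPF evaluation of the envelope-from; the point is that everything needed to reject this message was already in its headers.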

We all get very blasé about phishing and think we know so much that we will never fall for an attempt. Don't assume that all attempts are obvious. Be wary of any site that invites you to enter ANY personal or financial information, whether it arrives as an email saying "you have won a prize" or "sign up to this website for discounts, prizes and special offers", or, as here, as a routine-looking fax notification.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being caught by this sort of socially engineered phishing or malware.

All of these emails use social engineering tricks to persuade you to open the attachment or follow the link. Sometimes it is a message saying "look at this picture of me I took last night" that appears to come from a friend; sometimes it is aimed at somebody who regularly receives PDF or Word .doc attachments or some other common file type they use every day; and sometimes, like this one, it is a straightforward attempt to steal your personal, bank, credit card, email or social-networking login details. Be very careful when unzipping attachments, make sure you have "show known file extensions" enabled, and then look carefully at the unzipped file. If it says .EXE it is a problem and should not be run or opened. Here the attachment is an .html file: opening it simply hands your browser to the attacker's page, so treat unexpected HTML attachments with the same suspicion.

Original post: https://myonlinesecurity.co.uk/phishing-on-a-compromised-brazilian-isp-via-fake-fax-email/
