2017-12-01 - PHISHING EMAILS FOR SHOPPING JOB AT TARGET
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-12-01-phishing-web-page-spoofing-Target.pcap.zip 4.5 kB (4,521 bytes)
- 2017-12-01-phishing-web-page-spoofing-Target.pcap (848,321 bytes)
- 2017-12-01-phishing-emails-spoofing-Target-12-examples.zip 6.1 kB (6,081 bytes)
- 2017-12-01-header-lines-from-12-phishing-emails-spoofing-Target.txt (9,800 bytes)
- 2017-12-01-phishing-email-spoofing-Target-full-example.eml (18,706 bytes)
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following URLs:
- hxxp[:]//www.tomtomsports[.]tech/wp-content/plugins/signup.html
- hxxp[:]//www.tomtomsports[.]tech/wp-content/plugins/variable1.php
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Friday 2017-12-01 as early as 15:45 UTC through at least 17:01 UTC
- From: "Target[.]com" <career@target[.]com>
- From: "Target[.]com" <careers@target[.]com>
- From: "Target[.]com" <jobs@target[.]co>
- Subject: Job Offer
- Received: from royaweb[.]com ([88.99.109[.]55])
- Received: from mail.site2site[.]com ([52.26.213[.]196])
- Received: from toppenskrivare[.]nu ([37.233.77[.]120])
- Received: from mail.oreinlighting[.]com ([34.226.91[.]30])
- Received: from mail.blf-eps[.]de ([88.198.40[.]200])
- Received: from email01.riveroaksdental[.]local ([96.81.184[.]238])
- Received: from mail.hongyusky[.]cn ([122.96.149[.]116])
- Received: from plasse.hanyang[.]ac[.]kr ([166.104.245[.]157])
- Received: from mail.showmeinsurance[.]net ([12.196.106[.]194])
- Received: from mm.ubs.com[.]tw ([61.31.89[.]53])
- Received: from zeus.ee.kogakuin.ac[.]jp ([133.80.183[.]43])
- Received: from haywardcollision.officecentral[.]biz ([69.198.129[.]70])
TRAFFIC
Shown above: Network traffic filtered in Wireshark.
NETWORK TRAFFIC FROM MY LAB HOST:
- 104.24.105[.]53 port 80 - www.tomtomsports[.]tech - GET /wp-content/plugins/signup.html
- 104.24.105[.]53 port 80 - www.tomtomsports[.]tech - POST /wp-content/plugins/variable1.php
IMAGES
Shown above: Fake login page for Target job advertisement.
Shown above: After submitting information to the fake login page for Target job advertisement.
Click here to return to the main page.