2017-10-11 - PHISHING WEBSITE TRAFFIC

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-10-11-Docusign-themed-phish-traffic.saz.zip   311.1 kB (311,077 bytes)
• 2017-10-11-Docusign-phish-1425-UTC.eml.zip   1.7 kB (1,744 bytes)
• 2017-10-11-phishing-kit-from-compromised-site.zip   1.8 MB (1,808,714 bytes)

NOTES:

• I submitted the associated URLs to PhishTank, so feel free to verify them.  Accounts on PhishTank are free, and they only require a working email address.

• https://www.phishtank.com/phish_detail.php?phish_id=5275836
• https://www.phishtank.com/phish_detail.php?phish_id=5275837

 

EMAIL

Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

• Date:  Wednesday, 2017-10-11 14:25 UTC
• Message-ID:  <E1e2HwY-0000sz-2w@SRV-WEB>
• Subject:  Completed Title Work :Please DocuSign
• From:  <Land Title Guarantee Company@accountiin-serviciin>
• Reply-To:  Land Title Guarantee Company@accountiin-serviciin
• Link in the email:  hxxp[:]//bit[.]ly/2yWGWZc

 

Shown above:  Initial phishing page.

 

Shown above:  Fake gmail login (one of many different login options).

 

Shown above:  Fake recovery email and phone.

 

Shown above:  Phishing kit zip archive from the compromised website.

 

TRAFFIC

Shown above:  Traffic in Wireshark shows Bit[.]ly link going to HTTPS URL.

 

Shown above:  HTTPS URLs as recorded in Fiddler.

 

ASSOCIATED URLS:

• port 80 - bit[.]ly - GET /2yWGWZc
• port 443 (HTTPS) - beckermaquinaria[.]com - GET /wordfile/dokin/index.php
• port 443 (HTTPS) - beckermaquinaria[.]com - GET /wordfile/dokin/ganton_files/style1.css
• port 443 (HTTPS) - beckermaquinaria[.]com - GET /wordfile/dokin/gmilo.php
• port 443 (HTTPS) - beckermaquinaria[.]com - GET /wordfile/dokin/css/gmilofile.png
• port 443 (HTTPS) - beckermaquinaria[.]com - GET /wordfile/dokin/actiongmilo.php
• port 443 (HTTPS) - beckermaquinaria[.]com - GET /wordfile/dokin/recova.php
• port 443 (HTTPS) - beckermaquinaria[.]com - GET /wordfile/dokin/css/recova.png
• port 443 (HTTPS) - beckermaquinaria[.]com - GET /wordfile/dokin/action2.php
• port 443 (HTTPS) - beckermaquinaria[.]com - GET /wordfile/dokin/plswt.php
• port 443 (HTTPS) - beckermaquinaria[.]com - GET /wordfile/dokin/css/plswt.png

 

MALWARE

PHISHING KIT FROM COMPROMISED SITE:

• SHA256 hash:  3d7e7ee432f5c9843f48bce7a4b42a25bcdfc5f4083598ef40ff59c10a01bd0d
  File size:  1,808,204 bytes
  File name:  ydmnot.zip

Shown above:  Contents of the phishing kit.

 

Click here to return to the main page.