2017-12-01 - PHISHING EMAILS FOR SHOPPING JOB AT TARGET
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-12-01-target-phishing-web-page-traffic.pcap.zip 4.5 kB (4,519 bytes)
- 2017-12-01-target-phishing-web-page-traffic.pcapp (848,321 bytes)
- Zip archive of the emails: 2017-12-01-target-job-phishing-emails.zip 5.6 kB (5,565 bytes)
- 2017-12-01-target-job-phishing-email-example.eml (18,706 bytes)
- 2017-12-01-target-job-phishing-email-headers.txt (9,800 bytes)
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following URLs:
- hxxp://www.tomtomsports.tech/wp-content/plugins/signup.html
- hxxp://www.tomtomsports.tech/wp-content/plugins/variable1.php
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Friday 2017-12-01 as early as 15:45 UTC through at least 17:01 UTC
- From: "Target.com" <career@target.com>
- From: "Target.com" <careers@target.com>
- From: "Target.com" <jobs@target.co>
- Subject: Job Offer
- Received: from royaweb.com ([88.99.109.55])
- Received: from mail.site2site.com ([52.26.213.196])
- Received: from toppenskrivare.nu ([37.233.77.120])
- Received: from mail.oreinlighting.com ([34.226.91.30])
- Received: from mail.blf-eps.de ([88.198.40.200])
- Received: from email01.riveroaksdental.local ([96.81.184.238])
- Received: from mail.hongyusky.cn ([122.96.149.116])
- Received: from plasse.hanyang.ac.kr ([166.104.245.157])
- Received: from mail.showmeinsurance.net ([12.196.106.194])
- Received: from mm.ubs.com.tw ([61.31.89.53])
- Received: from zeus.ee.kogakuin.ac.jp ([133.80.183.43])
- Received: from haywardcollision.officecentral.biz ([69.198.129.70])
TRAFFIC
Shown above: Network traffic filtered in Wireshark.
NETWORK TRAFFIC FROM MY LAB HOST:
- 104.24.105.53 port 80 - www.tomtomsports.tech - GET /wp-content/plugins/signup.html
- 104.24.105.53 port 80 - www.tomtomsports.tech - POST /wp-content/plugins/variable1.php
IMAGES
Shown above: Fake login page for Target job advertisement.
Shown above: After submitting information to the fake login page for Target job advertisement.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-12-01-target-phishing-web-page-traffic.pcap.zip 4.5 kB (4,519 bytes)
- Zip archive of the emails: 2017-12-01-target-job-phishing-emails.zip 5.6 kB (5,565 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.