2017-12-01 - PHISHING EMAILS FOR SHOPPING JOB AT TARGET

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-12-01-target-phishing-web-page-traffic.pcap.zip   4.5 kB (4,519 bytes)

• 2017-12-01-target-phishing-web-page-traffic.pcapp   (848,321 bytes)

• Zip archive of the emails:  2017-12-01-target-job-phishing-emails.zip   5.6 kB (5,565 bytes)

• 2017-12-01-target-job-phishing-email-example.eml   (18,706 bytes)
• 2017-12-01-target-job-phishing-email-headers.txt   (9,800 bytes)

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

• hxxp://www.tomtomsports.tech/wp-content/plugins/signup.html
• hxxp://www.tomtomsports.tech/wp-content/plugins/variable1.php

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Friday 2017-12-01 as early as 15:45 UTC through at least 17:01 UTC

• From:  "Target.com" <career@target.com>
• From:  "Target.com" <careers@target.com>
• From:  "Target.com" <jobs@target.co>

• Subject:  Job Offer

• Received: from royaweb.com ([88.99.109.55])
• Received: from mail.site2site.com ([52.26.213.196])
• Received: from toppenskrivare.nu ([37.233.77.120])
• Received: from mail.oreinlighting.com ([34.226.91.30])
• Received: from mail.blf-eps.de ([88.198.40.200])
• Received: from email01.riveroaksdental.local ([96.81.184.238])
• Received: from mail.hongyusky.cn ([122.96.149.116])
• Received: from plasse.hanyang.ac.kr ([166.104.245.157])
• Received: from mail.showmeinsurance.net ([12.196.106.194])
• Received: from mm.ubs.com.tw ([61.31.89.53])
• Received: from zeus.ee.kogakuin.ac.jp ([133.80.183.43])
• Received: from haywardcollision.officecentral.biz ([69.198.129.70])

 

TRAFFIC

Shown above:  Network traffic filtered in Wireshark.

 

NETWORK TRAFFIC FROM MY LAB HOST:

• 104.24.105.53 port 80 - www.tomtomsports.tech - GET /wp-content/plugins/signup.html
• 104.24.105.53 port 80 - www.tomtomsports.tech - POST /wp-content/plugins/variable1.php

 

IMAGES

Shown above:  Fake login page for Target job advertisement.

 

Shown above:  After submitting information to the fake login page for Target job advertisement.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-12-01-target-phishing-web-page-traffic.pcap.zip   4.5 kB (4,519 bytes)
• Zip archive of the emails:  2017-12-01-target-job-phishing-emails.zip   5.6 kB (5,565 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.