TGIF(P) – Thank god it’s fried phish

There is the expression “TGIF”, and I recently noticed that some of my Japanese colleagues and friends did not know what it actually stands for.

Spoiler: it commonly means “Thank God it’s Friday”, a feeling that many working people will be able to appreciate.

On the other hand, while many offices close for the weekend, that is exactly when the bad guys step up their activity: they count on going unnoticed for some time, at least until Monday morning.

The IT community works hard to find and take down malicious sites as quickly as possible, but then … the weekend is the weekend for many.

What happened just last Friday is a good example of such weekend activity. We received the following email in one of our inboxes:

[Image tgf-01: the phishing email as received]

The email body uses social engineering to scare the recipient with the possible loss of their emails. It also mentions a “high massage”, which is probably just a spelling error on the attacker’s side.

When we click the link it contains (which is, of course, one of those “don’t do this at home” things), we see the following:

[Image tgf-02: the page behind the link, showing a dialog with an “OK” button]

After clicking “OK”, we get a popup which looks very much like the popup of a Microsoft email client. Note that it is quite well crafted: it contains the recipient’s domain name several times, which is easy to personalize, since the attacker already knows the address the email was sent to.

[Image tgf-03: the popup mimicking a Microsoft email client]

When we enter some data into that form, we get this:

[Image tgf-04: the page shown after submitting the form]

Again, it looks well crafted, containing the domain name several times and even including a copyright notice.

To top it off, that page then searches the web for the domain name and finally redirects the user’s browser to the search results, so the victim ends up on a plausible-looking page and nothing seems amiss:

[Image tgf-05: the redirect to a web search for the domain name]

The above content may not seem very convincing to an average home user. This phish is more likely aimed at corporate users, as the style of the information shown above mimics a corporate environment very well.

However, attentive users may spot the following details, which give the fake away:

  1. The sender address does not match the recipient’s domain name;
  2. “Hello User” is not how staff are commonly addressed;
  3. All clickable links in the email body point to the same location;
  4. Spelling mistakes such as “massage”.
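The four tells above can be turned into simple, mechanical checks. The following Python script is an added example written for this page, not code from the original post: it parses a constructed sample email that imitates the phish described here (all addresses and hosts are hypothetical example domains, not the real ones), plus a constructed benign counterpart, and reports which tells are present. The sender check only compares the From domain with the To domain; in a real mail pipeline you would also consult the SPF/DKIM results, which this example leaves out.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the phish described above. All addresses and
# hosts are hypothetical (RFC 2606 example domains), not the real ones.
PHISH_EML = b"""From: "Mail Support" <support@mail-quota-alert.example.net>
To: user@corp.example.com
Subject: Your mailbox will be deleted
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello User,</p>
<p>Your corp.example.com mailbox has reached its high massage limit.
<a href="http://phish.example.org/login.php">Click here</a> to keep your emails, or
<a href="http://phish.example.org/login.php">visit corp.example.com webmail</a>.</p>
<p><a href="http://phish.example.org/login.php">Unsubscribe</a></p>
</body></html>
"""

# Constructed benign counterpart: internal sender, personal greeting, links on the own domain.
LEGIT_EML = b"""From: IT Helpdesk <helpdesk@corp.example.com>
To: alice@corp.example.com
Subject: Mailbox quota reminder
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Alice,</p>
<p>Your mailbox is at 85% of its quota. You can archive old messages in
<a href="https://webmail.corp.example.com/archive">webmail</a>; see the
<a href="https://intranet.corp.example.com/faq/mailbox">FAQ</a> for details.</p>
</body></html>
"""

GENERIC_GREETINGS = ("hello user", "dear user", "dear customer", "dear email user")
SUSPECT_SPELLINGS = ("massage",)  # "high massage" instead of "high message", as in the phish


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], " ".join(self._current[1].split())))
            self._current = None


def _domain(addr_spec):
    return addr_spec.rpartition("@")[2].lower()


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def analyse(raw):
    """Return the tell-tale signs found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = _domain(msg["From"].addresses[0].addr_spec)
    recipient = _domain(msg["To"].addresses[0].addr_spec)
    html = msg.get_body(preferencelist=("html", "plain")).get_content()

    extractor = _LinkExtractor()
    extractor.feed(html)
    hrefs = [h for h, _ in extractor.links if h]
    hosts = {urlparse(h).hostname or "" for h in hrefs}
    text = " ".join(re.sub(r"<[^>]+>", " ", html).split()).lower()

    findings = {
        # 1. sender domain does not match the recipient's domain
        "sender_domain_mismatch": sender != recipient,
        # 2. generic salutation instead of a name
        "generic_greeting": any(g in text for g in GENERIC_GREETINGS),
        # 3. every link in the body leads to one and the same URL
        "all_links_same_target": len(hrefs) > 1 and len(set(hrefs)) == 1,
        # 3b. links lead away from the recipient's own domain
        "links_leave_own_domain": bool(hosts) and not all(_in_domain(h, recipient) for h in hosts),
        # 4. the known misspelling(s)
        "misspellings": [w for w in SUSPECT_SPELLINGS if re.search(rf"\b{w}\b", text)],
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        print(name, analyse(raw))
```

None of these checks is conclusive on its own (a helpdesk may well send a generic greeting, and a newsletter may legitimately point every link at one tracking host), which is why the script reports each tell separately and only sums them into a rough score; a practitioner would tune the thresholds against their own mail flow.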

We have added the malicious site to our anti-phishing blacklist. Given the Friday timing, it is also worth checking on Monday morning whether anyone in the organisation clicked the link and submitted their credentials.