MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.

28.12.08

Phishing and "stories" in Christmas

The end of each year represents a special relish for malicious users due to the celebration of the holidays, where, through Christmas-related lies, seek to capture the attention of users.


So from a few hours ago, a new phishing attack through spam, or spam, is flooding our mailboxes. Under the pretext of winning the lottery of Christmas, the spam appears to be issued by a company called PostFinance. The appearance of spam is as follows:


To get the alleged prize, you must previously activate an account with WesternUnion. In the body of the message are embedded two links, the first of which, under the caption"GO TO LOGIN PAGE FOR ACTIVATION (CLICKHERE)", it redirects to a real page Company (https: / / e-finance.postfinance . ch), while the second link,"CLICK HERE", it redirects to a fake site requesting personal information (http://203. [REMOVED] .149/js/default.html).

However, when you click on this second link, there is a new but redirect to a site with an IP address (http://203. [REMOVED] .6/panel / [REMOVED] en.html), which presents the form above. The purpose of this is that the user enters personal information that can be used to commit fraud.

If we compare both pages, the real and fake, we see that there are differences between them, but, viewed by a user who does not know these methods of deception, the fraudulent scheme may be effective for the attacker.


As can be seen in the capture, phishing has two more fields of data, email address and telephone number. The main objective of this is that the attacker, in one instance get all the information you need to then commit fraud.

It is clear that the techniques of deception and fraud are increasing and there for everyone, however, it is important that we know how to identify and avoid falling into traps how are you, especially on important dates such as Christmas is where many we tend to shop online.

UPDATE 19:30pm: apparently, the IP address 203. [DELETED] 149 belongs to an Internet service provider in Pakistan called Supernet. In contrast, the second address, 203. [REMOVED] .6 (where it is hosted the fake site) would be under the Ministry of Education of Thailand.

IP
203. [DELETED] 149
SuperNet NetBlockAdmin
10th Floor, Tower B,
75,600 Karachi, Pakistan.

IP
203. [REMOVED] .6
MINISTRY OF EDUCATION
319 Thanon wangchankasem Ratchadamnoen-nok Dusit Bangkok
THAILAND 10,300

Jorge Mieres

0 comentarios:

Post a Comment