I’ve seen two instances now where one of my customers has been sent an email from a trusted contact, supplier or customer. The sender’s account has obviously already been compromised.
A near-single-line email saying “find the enclosed”, followed by a hyperlinked picture hosted at imgur.
Going by the statistics on the image, at least 724 people had opened the email.
Now the clever bit starts.
The hyperlink takes you to the Google URL Shortener service.
This then sends you on to
(Somehow the email address firstname.lastname@example.org ** is associated with this domain and a few other suspicious and phishing domains going back to December 2015.)
It is sad that this feature can be abused in such a way, and I wonder how long it will take the browser vendors to respond and what that response will be.
Anyway. The actor behind this phishing campaign seems to have had at least 750 responses (possibly some fake) to their phishing page. Given the number of people who had opened the phishing email (probably a low count, as most webmail or mail clients block external images), the return rate on this scam seems to be quite high.
The details are collected (Username, Password, IP Address, Country of IP) and are then sent to “email@example.com” from the spoofed email address “Hamidi <firstname.lastname@example.org>”.
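The lure described above has a recognisable shape: an almost empty HTML body wrapping an image hosted on imgur, with the image link pointing at a URL shortener. The following is an added example (not from the original post) of a mail-gateway heuristic that flags that shape; the shortener and image-host lists and the sample message are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed indicator lists for this example; extend from your own telemetry.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "tinyurl.com"}
IMAGE_HOSTS = {"imgur.com", "i.imgur.com"}

class _LinkedImageParser(HTMLParser):
    """Collect (href, img_src) for each <img> inside an <a>; count visible text."""
    def __init__(self):
        super().__init__()
        self._href, self.pairs, self.text_chars = None, [], 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href")
        elif tag == "img" and self._href:
            self.pairs.append((self._href, a.get("src") or ""))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None
    def handle_data(self, data):
        self.text_chars += len(data.strip())

def _host(url):
    return (urlparse(url).hostname or "").lower()

def score_message(raw):
    """Return the reasons a raw RFC 822 message matches the lure (empty = clean)."""
    parser = _LinkedImageParser()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            parser.feed(part.get_payload(decode=True).decode(charset, "replace"))
    reasons = []
    for href, src in parser.pairs:
        if _host(href) in SHORTENER_HOSTS:
            reasons.append("linked image goes through URL shortener " + _host(href))
        if _host(src) in IMAGE_HOSTS:
            reasons.append("lure image hosted on " + _host(src))
    if parser.pairs and parser.text_chars < 80:
        reasons.append("near-empty body wrapped around a linked image")
    return reasons

# Constructed sample mirroring the lure; the goo.gl and imgur paths are placeholders.
SAMPLE_EMAIL = """From: Trusted Supplier <accounts@supplier.example>
Content-Type: text/html; charset="utf-8"

<html><body><p>Find the enclosed</p>
<a href="https://goo.gl/PLACEHOLDER"><img src="https://i.imgur.com/PLACEHOLDER.png"></a>
</body></html>"""
```

Because the sender is a genuinely compromised contact, sender reputation and SPF/DKIM will pass; the body shape is the more reliable signal here.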
**The email is associated with coheroheath.com, which is hosted on the same IP [18.104.22.168] as the current phishing domain julierhantrgenuscarrcr.top. The IP and the coherohealth domain seem to be constants between most of the domains I can attribute to these scammers.
Other associated domains:
This website doesn’t seem to have anything on it except for a single zip file containing a phishing PHP script.
Within this script the phishing results are sent to “email@example.com”. This email address has previously been associated with another suspicious domain, “smtpcart.com”.