I’ve seen two instances now where one of my customers has been sent an email from a trusted contact, supplier or customer. The sender has obviously had their account already compromised.
A near-single-line email saying “find the enclosed” and then a hyperlinked picture hosted at imgur.
Going by the statistics on the image, at least 724 people had opened the email.
Now the clever bit starts.
The hyperlink takes you to a Google URL Shortener service.
This then sends you on to
and then
http://julierhantrgenuscarrcr.top/news/dailynews.htm
(Somehow the email address loairealtors@gmail.com** is associated with this domain and a few other suspicious and phishing domains going back to December 2015.)
Here some JavaScript code in the page does a META refresh to text/html content containing a script. The upshot is that this trick makes the address bar look as though the visitor (the victim) is actually on google.com! Note the address bar in the example below!
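As an added illustration (my own example, not code from the campaign or the post), here is a small defender-side check that flags pages whose meta refresh lands on inline text/html content. It assumes, since the post does not show the page source, that the refresh target is a data: URI, and it also catches the tag when JavaScript writes it at load time; the sample pages are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed samples (not captured from the campaign described in the post).
# Assumption: the "refresh to text/html content" in the post is a data: URI,
# which is how a meta refresh can land on inline HTML rather than a URL.
SAMPLE_TARGET = "data:text/html;base64,PHA+Y29uc3RydWN0ZWQ8L3A+"
STATIC_PAGE = ('<html><head><meta http-equiv="refresh" '
               f'content="0;url={SAMPLE_TARGET}"></head></html>')
# Same trick, but the tag is written by JavaScript at load time.
JS_PAGE = ('<html><body><script>document.write(\'<meta http-equiv="refresh" '
           f'content="0;url={SAMPLE_TARGET}">\');</script></body></html>')
BENIGN_PAGE = '<meta http-equiv="refresh" content="5; url=https://example.com/">'


class RefreshCollector(HTMLParser):
    """Collect the url= target of every static <meta http-equiv="refresh">."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1).strip())


def refresh_targets(html):
    """Static meta-refresh targets plus any data:text/html target that only
    appears inside script text (HTMLParser does not parse tags written by JS)."""
    parser = RefreshCollector()
    parser.feed(html)
    found = list(parser.targets)
    for m in re.finditer(r"data:text/html[^'\"\s)]*", html, re.I):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found


def suspicious_refresh_targets(html):
    """Targets that load inline text/html: the pattern behind the spoofed
    address bar, worth flagging in a proxy log or URL-scanning pipeline."""
    return [t for t in refresh_targets(html) if t.lower().startswith("data:text/html")]
```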
It is sad that this feature can be abused in such a way, and I wonder how long it will take and what the browser vendors' response will be.
Anyway. The actor behind this phishing campaign seems to have had at least 750 responses (possibly some fake) to their phishing page. Given the number of people who had opened the phishing email (probably a low count, as most webmail and mail clients block external images), the return rate on this scam seems to be quite high.
The details collected (username, password, IP address, country of the IP) are then sent to “wolfros07t48@yandex.ru” from the spoofed email address “Hamidi <custdddddupport@main.com>”.
**The email is associated with coheroheath.com, which is hosted on the same IP [190.14.38.161] as the current phishing domain julierhantrgenuscarrcr.top. The IP and the coheroheath domain seem to be constants between most of the domains I can attribute to these scammers.
Other associated domains:
sackworthassociatesm.top
pabulum-catering.club
drremereaskhi.online
bluevoicepgh.club
sandrsowdesdssb.top
dailypoppins.club
marksgarsclugst.top
cwadairstevej.tech
hstelmontrhotercorkew.igg.biz
coheroheath.com
The coheroheath.com website doesn’t seem to have anything on it except for a single zip file containing a phishing PHP script.
Within this script the phishing results are sent to “resurrectionevang@gmail.com”. This email address has previously been associated with another suspicious domain, “smtpcart.com”.