wolfros07t48@yandex.ru clever Google phishing actor.

I’ve now seen two instances where one of my customers was sent an email from a trusted contact, supplier or customer. The sender’s account had obviously already been compromised.

[Screenshot: the phishing email as received]

A near-single-line email saying “find the enclosed”, followed by a hyperlinked picture hosted at imgur:

http://i.imgur.com/PNyODdz.png

Going by the statistics on the image, at least 724 people had opened the email.

Now the clever bit starts.

The hyperlink takes you to the Google URL Shortener service:

http://goo.gl/RU21F2

This then sends you on to

http://shirreleyrebotreanicranurseeriesrk.igg.biz/

and then

http://julierhantrgenuscarrcr.top/news/dailynews.htm
(Somehow the email address loairealtors@gmail.com** is associated with this domain and with a few other suspicious and phishing domains going back to December 2015.)

Here JavaScript in the page triggers a META refresh to a data:text/html URL whose content contains a script. The upshot is that this trick makes the address bar look as though the visitor / victim is actually on google.com. Note the address bar in the example below.

[Screenshot: the address bar during the data:text/html phishing trick]

It is sad that this feature can be abused in such a way, and I wonder how long it will take and what the browser vendors’ response will be.
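To make the trick above concrete, here is an added example (my own reconstruction, not code from the original post or from the phishing kit) that builds a constructed redirector page of the shape described, pulls the META refresh target out of it, and classifies that target the way a mail gateway or proxy log review would. The goo.gl hop from the chain above is flagged as a shortener that needs expanding first. The login path, the script host phish.example.invalid, the trusted-host and shortener lists, and the sample HTML are all assumptions, not artefacts from this campaign.

```javascript
// Added example, not from the original post or the phishing kit it describes.
// Reconstructs the shape of the trick: a META refresh whose target is a
// data:text/html URL whose visible text mimics a Google login URL, with the
// real markup (a script tag) pushed out of view by padding.

const TRUSTED_HOSTS = ["google.com"];                      // assumed brand list
const SHORTENERS = new Set(["goo.gl", "bit.ly", "t.co"]);  // assumed; expand before judging

// Constructed sample page. The hop's only job is to refresh into a data: URL.
// The script host is a placeholder and loads nothing here.
const SAMPLE_REDIRECTOR_HTML = [
  "<html><head>",
  '<meta http-equiv="refresh" content="0;url=data:text/html,https://accounts.google.com/ServiceLogin?service=mail' +
    " ".repeat(120) +
    "<script src='https://phish.example.invalid/login.js'></script>\">",
  "</head><body></body></html>",
].join("\n");

// Pull the target out of <meta http-equiv="refresh" content="N;url=...">.
// Only a double-quoted content attribute is handled, which suits the sample.
function metaRefreshTarget(html) {
  const tag = /<meta\s[^>]*?http-equiv\s*=\s*["']?refresh["']?[^>]*?\scontent\s*=\s*"([^"]*)"/i.exec(html);
  if (!tag) return null;
  const m = /^\s*\d*\s*;\s*url\s*=\s*['"]?(.*?)['"]?\s*$/i.exec(tag[1]);
  return m ? m[1] : null;
}

// Classify a link target. A data: URL is dissected; anything else is parsed
// as an ordinary URL (new URL throws on malformed input).
function inspectHref(href) {
  const data = /^data:([^,]*),([\s\S]*)$/i.exec(href);
  if (!data) {
    const u = new URL(href);
    const host = u.hostname.toLowerCase();
    return {
      scheme: u.protocol.replace(":", ""),
      host,
      verdict: SHORTENERS.has(host) ? "shortener-expand-first" : "ordinary",
    };
  }
  const mediatype = (data[1] || "text/plain").toLowerCase(); // data: defaults to text/plain
  let payload = data[2];
  if (/;base64$/.test(mediatype)) {
    payload = Buffer.from(payload, "base64").toString("utf8");
  } else {
    try { payload = decodeURIComponent(payload); } catch (_) { /* keep raw */ }
  }

  // What the victim sees: the start of the payload, crafted to look like a URL.
  const fake = /^\s*https?:\/\/([a-z0-9.-]+)/i.exec(payload);
  const fakeHost = fake ? fake[1].toLowerCase() : null;
  const impersonates = !!fakeHost &&
    TRUSTED_HOSTS.some((h) => fakeHost === h || fakeHost.endsWith("." + h));
  // Markup that can load or submit something: the part hidden past the padding.
  const hasActiveContent = /<(script|iframe|form|object|embed)\b/i.test(payload);

  let verdict = "data-url";
  if (impersonates && hasActiveContent) verdict = "phishing-likely";
  else if (impersonates || hasActiveContent) verdict = "suspicious";
  return { scheme: "data", mediatype, fakeHost, hasActiveContent, verdict };
}

// Follow one redirector page to its META refresh target and classify it.
function analyseRedirector(html) {
  const target = metaRefreshTarget(html);
  if (!target) return { target: null, verdict: "no-refresh" };
  return { target, ...inspectHref(target) };
}

console.log(JSON.stringify(analyseRedirector(SAMPLE_REDIRECTOR_HTML), null, 2));
```

The check worth remembering from this: the address bar in such a case starts with "data:text/html," before the Google-looking text, and that prefix is the only visible tell, because the padding pushes the script tag well past what the bar displays.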

Anyway. The actor behind this phishing campaign seems to have had at least 750 responses (possibly some of them fake) to their phishing page. Given the number of people who opened the phishing email (probably a low count, as most webmail clients and mail programs block external images), the return rate on this scam seems to be quite high.

The details collected (username, password, IP address, country of the IP) are then sent to “wolfros07t48@yandex.ru” from the spoofed sender address “Hamidi <custdddddupport@main.com>”.

[Screenshot: the phishing kit code that collects and mails the details]

**The email address is associated with coheroheath.com, which is hosted on the same IP [190.14.38.161] as the current phishing domain julierhantrgenuscarrcr.top. The IP and the coherohealth domain seem to be constants across most of the domains I can attribute to these scammers.

Other associated domains:
sackworthassociatesm.top
pabulum-catering.club
drremereaskhi.online
bluevoicepgh.club
sandrsowdesdssb.top
dailypoppins.club
marksgarsclugst.top
cwadairstevej.tech
hstelmontrhotercorkew.igg.biz

coheroheath.com

This website doesn’t seem to have anything on it except a single zip file containing a phishing PHP script.

Within this script the phishing results are sent to “resurrectionevang@gmail.com”. This e-mail address has previously been associated with another suspicious domain, “smtpcart.com”.
