Name:

Important Document Phishing Scam

Descr. Added:

July 24, 2013

Type:

Phishing and Fraud

Risk:

Medium

Payload:

N/A

At risk systems:

Windows 95/98/ME/XP/7/8/NT/2003

Malware problems?   We can help.  Free Removal Tools.

Description:

The latest ’Important Document’ Phishing Scam arrives in a user’s inbox as a html-based email stating that the sender has uploaded an important document for the recipients to view.  Below is just one of many examples emails recently intercepted by the Thirtyseven4 Team:




How it works:

If the recipient of the email clicks on the “Click Here” link to “view” the supposedly uploaded document, the user is directed to the website:

hxxp://blessingand.altervista.xxx (as seen below)




Once on the website, a user will see the following screen:




When the user clicks on the email provider they utilize, another pop-up screen loads that closely mimics that of the service provider selected (for example the below, we clicked on Gmail):




If a user enters their credentials into the pop-up screen, the information they provided than gets relayed back (posted) to the attackers target site, such as:

blessingand.altervxxta.org\yahoo.php
blessingand.altervxxta.org\gmail.php
blessingand.altervxxta.org\hotmail.php
blessingand.altervxxta.org\other.php
blessingand.altervxxta.org\aol.php

An example is below:


 

After the user enters his/her login information, the webpage will then re-direct the user to the legitimate target website so that the user doesn’t suspect anything.

While it is impossible to speculate the attackers mindset, the collected information will likely be sold and/or reused to collect additional email account information.  What makes this Phishing email a higher risk to end users over most Phishing attempts or ordinary spam runs is that fact that these emails are arriving from otherwise trusted email accounts.   We have already seen these emails getting sent from Business Owners (with employee’s as recipients), from Administration Staff at small and large schools (with teachers and students as recipients) and within government agencies.  Many of the organizations noted above have standardized on Google services like Gmail and Google Docs so you can easily see why these emails are widely circulating.

Thirtyseven4’s Content Filter module under its Web Security feature is already categorizing the noted webiste above as “Phishing and Fraud” and the Thirtyseven4 Browser Protection module is updated for the site above as well.