Secplicity - Security Simplified

Powered by WatchGuard Technologies

Recent Phishing Research Leads Us To Access Scammers Logs

November 23, 2020 By Trevor Collins

Over the first week of November, we saw an increase in detections of the Phishing.ADA malware family in the Firebox Feed, our threat intelligence feed built from opt-in reports sent by Firebox security appliances deployed around the world. The phishing email behind it primarily targeted users in Southeast Asia and was designed to steal email credentials. We retrieved a sample of the email and its attachment to review them.

The email claims to come from [email protected], but the Received header shows that it reached us from mail[.]stavebni-centrum[.]cz. Only the hops recorded by servers you trust can be relied on; mail[.]stavebni-centrum[.]cz may have stripped the earlier Received headers, hiding the true origin of the message.

Received: from mail.stavebni-centrum.cz ([193.165.139.238])

The .cz ccTLD (country-code Top Level Domain) of that hostname and the IP address in the Received header indicate that the email was sent from, or routed through, the Czech Republic, rather than from Hong Kong as the TLD in the From address would suggest.
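The comparison made by hand above (earliest visible Received hop versus the From address) can be automated. The following is an added example for this post, not WatchGuard's own tooling. The raw message is constructed: the relay hostname and IP are the ones quoted above, while the From address, recipient, message ID and everything else are placeholders (the post redacts the real sender, so a .hk domain is assumed to match the "Hong Kong" inference).

```python
"""Locate the earliest visible Received: hop of a message and compare it to From:.

Added example, not code from the original post. Only the Received line's hostname
and IP come from the post; all other header values below are constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message (assumption: a .hk sender domain, as the post implies).
RAW_MESSAGE = b"""Received: from mail.stavebni-centrum.cz ([193.165.139.238])
\tby mx.example.net with ESMTP id 0000
\tfor <victim@example.net>; Thu, 20 Aug 2020 09:12:44 +0000
From: Accounts Payable <payments@example.com.hk>
To: victim@example.net
Subject: Payment e-Advice
Date: Thu, 20 Aug 2020 09:12:40 +0000
Content-Type: text/plain; charset=utf-8

Please review the attached payment e-Advice.
"""

# "from <host> ... [<ipv4>]" as written by most MTAs; tolerant of "(helo [ip])" forms.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<host>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]", re.S
)


def tld(name):
    """Rightmost DNS label, lower-cased ('' for an empty name)."""
    return name.rsplit(".", 1)[-1].lower()


def received_hops(msg):
    """(host, ip) for every parseable Received header, in header order.

    Each relay prepends its own Received line, so the last element is the
    earliest hop that is still visible to us.
    """
    hops = []
    for header in msg.get_all("Received", []):
        match = RECEIVED_FROM.search(str(header))
        if match:
            hops.append((match.group("host"), match.group("ip")))
    return hops


def analyze_origin(raw):
    """Compare the earliest visible hop against the From: address domain."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    hops = received_hops(msg)
    if not hops:
        return {"error": "no parseable Received headers", "from_domain": from_domain}
    entry_host, entry_ip = hops[-1]
    return {
        "hop_count": len(hops),
        "entry_host": entry_host,
        "entry_ip": entry_ip,
        "entry_tld": tld(entry_host),
        "from_domain": from_domain,
        "from_tld": tld(from_domain),
        "tld_mismatch": tld(entry_host) != tld(from_domain),
        # With a single visible hop we know nothing before this server; it may
        # have stripped the earlier Received headers, as the post suspects.
        "origin_possibly_stripped": len(hops) == 1,
    }


if __name__ == "__main__":
    for key, value in analyze_origin(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

A ccTLD is a weak geographic signal on its own; the natural next step is a GeoIP lookup of `entry_ip`, which is left out here so the script runs offline. Remember that only the Received lines added by your own MX and the hops above it are trustworthy; anything below can be forged or removed by the sender.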

The email body asks the recipient to view the attached "payment e-Advice", but the attachment is a basic HTML file for a web page, not a document. We also found runs of random characters in the email that we suspect the sender inserted to throw off spam filters. Finally, the email carries a copyright date of 2005 even though its header shows a sent date of August 20th, 2020.

Having finished reviewing the email, we opened the attached file and found a basic login form over what looks like a blurred Excel spreadsheet. Entering credentials does not open the document; instead the form sends them to tj[.]teamkdhomes[.]com/me/document[.]php on a previously compromised domain. That page now returns 404 errors, but a Google-cached copy of the site shows a log file, apparently from the scammer's own tests, with fields for email address, password, client IP, hostname and country. Use caution if you visit it. http://webcache.googleusercontent.com/search?q=cache:e-i1naZ6cJwJ:tj.teamkdhomes.com/myhotmail/logs.txt+&cd=13&hl=en&ct=clnk&gl=us

==================+[ YH LOGS ]+==================
Email Address : [[-Email-]]
Password : trfghjbhg
Client IP : 41.58.106.92
HostName : 41.58.106.92
Country Name: Nigeria
=============+ [ 2K17 ] +=============

==================+[ YH LOGS ]+==================
Email Address : 
Password : 
Client IP : 52.114.128.37
HostName : 52.114.128.37
Country Name: United States
=============+ [ 2K17 ] +=============
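An HTML attachment that shows a login form and posts the credentials to a third-party host is the pattern described above. The following is an added example for this post, not the attachment itself or WatchGuard's tooling: it parses an HTML attachment with the standard library, collects every form and its inputs, and flags a form that captures a password and submits it somewhere other than the sender's own domain. The sample HTML is constructed; only the form's action host and path are the ones named in the post, and the script never makes a network request.

```python
"""Triage an HTML email attachment for credential-harvesting forms.

Added example, not code from the original post. The SAMPLE_ATTACHMENT below is a
constructed stand-in for the phishing page; the action URL is the one named in
the post and is never contacted.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a login box over a blurred "document" background.
SAMPLE_ATTACHMENT = """<html><body style="background:url(blurred-sheet.png) no-repeat">
<div class="login">
  <p>Sign in to view the payment e-Advice</p>
  <form method="post" action="http://tj.teamkdhomes.com/me/document.php">
    <input type="email" name="email" placeholder="Email address">
    <input type="password" name="pass" placeholder="Password">
    <input type="submit" value="View document">
  </form>
</div></body></html>"""


class FormCollector(HTMLParser):
    """Collect each <form> with its action, method and input types.

    Password inputs outside any form are counted separately: a page that builds
    its request in JavaScript can have no <form> at all.
    """

    def __init__(self):
        super().__init__()
        self.forms = []
        self.loose_password_inputs = 0
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input":
            input_type = (a.get("type") or "text").lower()
            if self._current is not None:
                self._current["inputs"].append(input_type)
            elif input_type == "password":
                self.loose_password_inputs += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _offsite(host, sender_domain):
    """True when host is not the sender's domain or a subdomain of it."""
    sender_domain = sender_domain.lower()
    return not (host == sender_domain or host.endswith("." + sender_domain))


def triage_attachment(html_text, sender_domain):
    """Return one finding per form (plus one for loose password inputs)."""
    parser = FormCollector()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        has_password = "password" in form["inputs"]
        offsite = bool(host) and _offsite(host, sender_domain)
        findings.append({
            "action_host": host,
            "method": form["method"],
            "password_field": has_password,
            "offsite_post": offsite,
            # A password captured and sent off-site, or to a destination we
            # cannot resolve from the markup, is the phishing pattern.
            "suspicious": has_password and (offsite or not host),
        })
    if parser.loose_password_inputs:
        findings.append({
            "action_host": "",
            "method": "script",
            "password_field": True,
            "offsite_post": False,
            "suspicious": True,  # destination decided by JavaScript; treat as hostile
        })
    return findings


if __name__ == "__main__":
    # Assumed sender domain; the post redacts the real one.
    for finding in triage_attachment(SAMPLE_ATTACHMENT, "example.com.hk"):
        print(finding)
```

On a real attachment the `action_host` is what you would add to a blocklist or hand to DNS filtering; in this post's case the host is a compromised legitimate site, so block the host rather than the whole registered domain's owner and notify them if you can.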

One of the easiest phishing emails for an attacker to send is one that prompts for a login to access a document. A scammer can quickly produce several variations like this one every day and send out thousands of copies; only a few need to succeed for the operation to stay profitable. Whoever falls for the phish will likely lose access to their email account, and if that email account is tied to a corporate login or any other account, they will likely lose access to those as well. What the sender does next depends on who they work for, but they would likely try to install ransomware or a remote access trojan on the victim's computer. If they gain access to a corporate account and no additional safeguards are in place, that likely means ransomware on a corporate computer.

We expect that most readers of this blog would spot this email, but others may not. You may receive an email without the mistakes we found here, and if you were expecting a message from your bank, some of us might well fall for it. A good malware blocker will stop most phishing emails, and we also recommend DNS-based protection to block compromised domains such as tj[.]teamkdhomes[.]com. Above all, carefully review any email you receive for signs of phishing.

Filed Under: Editorial Articles Tagged With: Phishing, scam
