Over the first week of November, we saw an increase in the malware family Phishing.ADA reporting into the Firebox Feed, our threat intelligence feed fueled by opt-in reports from Firebox security appliances deployed around the world. We found this phishing email primarily targeted users in Southeast Asia to steal email credentials. We retrieved a sample of this malware and the email to review it.
The email states that it comes from Payment@hsbc.com.hk but further investigation of the email header indicates the source comes from mail[.]stavebni-centrum[.]cz. Mail[.]stavebni-centrum[.]cz may strip previous headers hiding the original source.
Received: from mail.stavebni-centrum.cz ([193.165.139.238])
The TLD (Top Level Domain) and the IP address in the email header indicates the sender sent the email or routed the email through the Czech Republic, not a Hong Kong IP as indicated by the TLD in the From field.
The email body contains a request to view the attached “payment e-Advice” but the attachment contains a basic HTML file for a web page. We also found random characters in the email that we suspect the sender put there to throw off spam filters. Finally, in the email, we found a copyright date of 2005 even though the email header indicates a sent date of August 20th, 2020.
Finishing the review of the email, we opened the attached file to find a basic login and what looks like a blurred Excel document in the background. Entering your credentials doesn’t open the document but sends your credentials to tj[.]teamkdhomes[.]com/me/document[.]php, a previously compromised domain. Following this web page now leads to 404 errors but a Google-cached version of the site shows logs from possible tests including spots for email addresses, Passwords, IPs address, Hostnames, and Country. Please use caution when visiting. http://webcache.googleusercontent.com/search?q=cache:e-i1naZ6cJwJ:tj.teamkdhomes.com/myhotmail/logs.txt+&cd=13&hl=en&ct=clnk&gl=us
==================+[ YH LOGS ]+================== Email Address : [[-Email-]] Password : trfghjbhg Client IP : 41.58.106.92 HostName : 41.58.106.92 Country Name: Nigeria =============+ [ 2K17 ] +============= ==================+[ YH LOGS ]+================== Email Address : Password : Client IP : 52.114.128.37 HostName : 52.114.128.37 Country Name: United States =============+ [ 2K17 ] +=============
One of the easiest phishing emails for an attacker to send typically prompts some type of login to access a document. A scammer can quickly make up multiple versions like this one every day and send out thousands. Only a few need to succeed for them to continue. Whoever falls for the phish will likely lose access to their email account. If you have your email tied to your corporate login or some other login, then they will likely lose access to this as well. What the email sender does next depends on who they work for, but they would likely try to install ransomware or some remote access trojan on your computer. If they have access to a corporate account and no additional safeguards are in place, then this likely means ransomware on a corporate computer.
We expect that most of our users who read our blog would spot this email, but others may not. You may receive an email without the mistakes we found and if you expected an email from your bank then perhaps some of us would fall for this phish. A good malware blocker will block most phishing emails and we also recommend using DNS based protection to block compromised domains like tj[.]teamkdhomes[.]com. Above all, carefully review any email you receive for signs of phishing.