Fake American Express mails

Pondus · February 18, 2017, 7:58pm

Just recived 4 fake American Express mails with same attachment (same MD5)

No detection on VT
First submission 2017-02-18 15:48:31 UTC ( 4 hours, 8 minutes ago )
https://virustotal.com/en/file/8f4d9765a806a426a7b6b18e900dfae69ad741a014a6ad90e487423960627a7b/analysis/1487446790/

TrueIndian · February 19, 2017, 3:23am

A fake page trying to trick the user into putting his details in…Interesting

Pondus · February 19, 2017, 9:32am

We call it Phishing

DavidR · February 19, 2017, 10:23am

This social engineering (phishing) scam has been going on for years, just change the name of the carrier to any of the major carriers. If you aren’t expecting a parcel, then it is most likely fake.

If you are expecting a parcel, who you ordered goods from should have given you a tracking reference number, visit the carriers site, don’t use the link in an unsolicited email.

Secondmineboy · February 19, 2017, 12:03pm

@Pondus: Whats the URL of the page thatwants to have your credentials?

Pondus · February 19, 2017, 1:40pm

https://virustotal.com/en/url/b2acbcce26f20069041151ae6df28fafe8a9743d243d8928657a9986cc9c87d2/analysis/1487511535/

TrueIndian · February 19, 2017, 5:17pm

This phishing site is a week old.No detection though:
https://virustotal.com/en/file/7015912b8da817db50a2eb45b43e100bf45eef54785843498c429254b2cea9a4/analysis/1486498511/

polonus · February 19, 2017, 6:28pm

Hi True Indian,

The url is now being flagged by ESET. See script and obfuscation patterns here: -https://aw-snap.info/file-viewer/?tgt=https%3A%2F%2Fiao.org.il%2Fwp-content%2Fuploads%2Fcreative.php&ref_sel=GSP2&ua_sel=ff&fs=1
(visit if you know what you are doing) There is a heuristical DNS block active for that domain there: http://urlquery.net/report.php?id=1487535990195

We see php malware here at work, like creative.php, and we could use programs like php-malware finder to detect:
https://github.com/creativeprogramming/php-malware-finder

Inbuilt:

Detect:
- phpencode.org
- http://www.pipsomania.com/best_php_obfuscator.do
- http://atomiku.com/online-php-code-obfuscator/
- http://www.webtoolsvn.com/en-decode/
- http://obfuscator.uk/example/
- http://w3webtools.com/encode-php-online/
- http://www.joeswebtools.com/security/php-obfuscator/
- https://github.com/epinna/weevely3
- http://cipherdesign.co.uk/service/php-obfuscator
- http://sysadmin.cyklodev.com/online-php-obfuscator/
- http://mohssen.org/SpinObf.php
- https://code.google.com/p/carbylamine/
- https://github.com/tennc/webshell

It is an old form of misdirected creativity: https://blog.sucuri.net/2013/08/more-creative-backdoors-using-filename-typos.html

polonus

savcin · February 20, 2017, 1:21pm

MultiString detection has been created.

Fake American Express mails

Announcements