The spam messages started flowing shortly before 9 AM, and by 10:30 we had received 548 copies of a spam email that looked like this:
The subject line was always "Fraud Alert: Irregular Card Activity"
The From address was always "American Express (fraud@aexp.com)"
But the highlighted link that claims it will take you to https://www.americanexpress.com/ actually goes to one of 419 URLs on one of 57 compromised web servers. The list of servers is:
0067959.netsolhost.com
02fbd07.netsolhost.com
119.245.150.94
184.168.170.184
188.165.206.52
209.173.242.165
anggieystratega.com
bentleycrossing.com
bluestreakfinancial.com
bobjonesaccounting.com
certificaat.ledtechno.be
copyrman.site.aplus.net
criminalsearchcanada.com
dinnerat8.mywebcommunity.org
durushayakkabi.com
entertainindy.com
etbroderi.no
expert-log.com
fassion.toypark.in
feuerwehr-queckborn.de
flat.bplaced.net
fmax.in.th
ftp.ccmanitowoc.org
ftp.likvidace-aut.cz
ftp.selectstl.com
idealmobilemedia.com
mircomultimedia.com
missionwild.ieasysite.com
orbitek.hosting24.com.au
peterottenzonwering.nl
pm.vertigry.com
proteebar.com
quarksocial.net
russiantheatre.ca
secomimages.co.uk
shiragellman.com
spanglaw.www65.a2hosting.com
sprintcar1.com
swansonhaskamp.com
tastemasters.de
tvbox.veria.eu
user4634.vs.easily.co.uk
w7u20zuyb.homepage.t-online.de
walegion.comcastbiz.net
watertechnology.gr
wer1globle.com
www.59-90.com
www.contactl.www66.a2hosting.com
www.g4amt.com
www.myspringriver.com
www.purecoat.com
www.qigong-yangsheng-koeln.de
www.regionshg.com
www.teammoutai.com
www.yardvilleheights.com
www.zen65048.zen.co.uk
yourbabyname.awardspace.com

On each server there was a selection of directories with randomly chosen dictionary-word names, each holding an "/index.html", such as:
/lipid/index.html
/juno/index.html
/tarnished/index.html
/linker/index.html
/musicologist/index.html
/village/index.html
/mered/index.html
/satan/index.html
/laconic/index.html
/parsons/index.html
/strayed/index.html

Each of those index.html pages was actually a redirector: it displayed a box saying "Connecting to server..." while it tried to load one of three JavaScript files from three different locations. Across all of the pages we examined, we saw a total of twelve distinct JavaScript files:
http://184.177.180.52/boers/ghostwrote.js
http://194.15.212.104/hemispherical/inbounding.js
http://208.106.191.91/glamored/pans.js
http://ghanamusicbox.com/crystallization/carcinomas.js
http://hamidebirsengur.com.tr/honduras/wildernesses.js
http://kaindustries.comcastbiz.net/imaginable/emulsion.js
http://msco-iraq.com/chervil/capturing.js
http://naturesfinest.eu/eroding/patricians.js
http://portel.home.pl/aborigines/nerveless.js
http://winklersmagicwarehouse.com/handmade/analects.js
http://www.greenerhomesnortheast.co.uk/jacksonian/barrettes.js
http://zuniweb.com/burliest/squeaking.js

Each of THOSE files in turn did a "document.location" redirection to one of the three actual phishing sites:
steelhorsecomputers[.]net/americanexpress/
birddogpaperandhome[.]com/americanexpress/
cyfairfamilyfest[.]com/americanexpress/
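The three-hop chain above (mail link to a dictionary-word /index.html on a compromised server, that page pulling a remote .js file, the .js doing a document.location redirect to the phish host) is exactly the kind of thing an analyst wants to walk automatically rather than by hand. The following is an added example, not code from the original post: it flags mail links whose visible text names americanexpress.com while the href points elsewhere, then follows each hop offline. The hostnames and paths come from the lists above; the page bodies, the second "legit" anchor, the harmless /assets/site.js, and the offline_fetch stand-in for an HTTP client are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed samples (assumptions, not captured content). Hostnames and paths
# are from the post's lists; the bodies are written to behave as each stage
# of the chain is described.
SAMPLE_EMAIL_HTML = (
    '<p>Irregular activity was detected. Please sign in at '
    '<a href="http://etbroderi.no/lipid/index.html">https://www.americanexpress.com/</a> '
    'to confirm. <a href="https://www.americanexpress.com/privacy">Privacy</a></p>'
)
SAMPLE_PAGES = {
    # Stage 1: dictionary-word directory on a compromised web server
    "http://etbroderi.no/lipid/index.html": (
        "<html><body><div>Connecting to server...</div>"
        '<script src="http://portel.home.pl/aborigines/nerveless.js"></script>'
        '<script src="http://zuniweb.com/burliest/squeaking.js"></script>'
        '<script src="/assets/site.js"></script>'   # relative, harmless branch
        "</body></html>"
    ),
    # Stage 2: JavaScript redirectors hosted on other compromised servers
    "http://portel.home.pl/aborigines/nerveless.js":
        'document.location = "http://steelhorsecomputers.net/americanexpress/";',
    "http://zuniweb.com/burliest/squeaking.js":
        "window.location.replace('http://birddogpaperandhome.com/americanexpress/');",
    "http://etbroderi.no/assets/site.js": "console.log('site script, no redirect');",
}

def offline_fetch(url):
    """Stand-in for an HTTP client so the walk runs without network access."""
    return SAMPLE_PAGES.get(url, "")

class _LinkScriptParser(HTMLParser):
    """Collect <a href> with their visible text, and <script src> values."""
    def __init__(self):
        super().__init__()
        self.links, self.scripts = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def parse_html(html):
    p = _LinkScriptParser()
    p.feed(html)
    return p

def deceptive_links(html):
    """Anchors whose visible text is a URL on a different host than the href."""
    found = []
    for href, text in parse_html(html).links:
        shown, real = urlparse(text).hostname, urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            found.append((text, href))
    return found

# document.location = "..."; window.location.href = '...'; location.replace("...")
_JS_REDIRECT = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*"
    r"(?:=|\.replace\(|\.assign\()\s*['\"]([^'\"]+)['\"]"
)

def js_redirect_target(js):
    m = _JS_REDIRECT.search(js)
    return m.group(1) if m else None

def follow_chain(url, fetch=offline_fetch, max_depth=6):
    """Return (hops, landed) per branch; landed is True when the last hop was
    reached through a JavaScript redirect, i.e. it is a candidate phish page."""
    results = []

    def walk(u, path, landed):
        if u in path or len(path) >= max_depth:      # loop / runaway guard
            results.append((path + [u], False))
            return
        path = path + [u]
        body = fetch(u)
        target = js_redirect_target(body)
        if target:
            walk(urljoin(u, target), path, True)
            return
        scripts = [urljoin(u, s) for s in parse_html(body).scripts]
        if not scripts:
            results.append((path, landed))
        for s in scripts:
            walk(s, path, False)

    walk(url, [], False)
    return results

def landing_hosts(results):
    return sorted({urlparse(hops[-1]).hostname for hops, landed in results if landed})

def analyze_email(html, fetch=offline_fetch):
    """For each deceptive link in the mail, walk the chain and report where it lands."""
    report = {}
    for shown, href in deceptive_links(html):
        chains = follow_chain(href, fetch)
        report[href] = {"shown_as": shown,
                        "chains": [hops for hops, _ in chains],
                        "landing_hosts": landing_hosts(chains)}
    return report
```

Calling analyze_email(SAMPLE_EMAIL_HTML) yields one flagged link (the americanexpress.com text pointing at etbroderi.no) with three branches: two end on the phishing hosts steelhorsecomputers.net and birddogpaperandhome.com via the .js redirectors, and the relative site.js branch dead-ends and is not counted as a landing. Against live infrastructure you would swap offline_fetch for a real client with a timeout, a sandboxed egress and a hop limit, since a redirector that loops or fans out is a cheap way to stall an analyst's tooling.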
Here's the phish walk-through once we finally arrive at one of the three destination phishing sites:
First they ask for the Userid and password
Then the Social Security number, your birthdate, your mother's maiden name, her birthdate, and a PIN.
Now the card number . . .
And the expiration date . . .
And finally your 5,000 Reward points are awarded, and you are forwarded to the actual AmEx page.
So, to gather the userid and password of a few hundred American Express card holders, the phisher today was willing and able to break into SEVENTY-TWO web servers: 57 used for the links in the spam, 12 more used for the JavaScript redirection scripts, and 3 used as the actual phishing hosts.
Quite an elaborate scheme. We'll be talking about MORE elaborate phishing schemes and web server compromises in our Malcovery Webinar on Halloween Day, October 31, 2013 @ 1:00 Eastern / noon Central -- "How Threat Intelligence Reveals The Scariest Cyber Attacks" (click the link to register).