We had two primary spam subject lines for this campaign. On March 17, 2014 the Malcovery Spam Data Mine gathered:
468 copies = Subject: Important: Personal Security Key
290 copies = Irregular card activity
The messages were BEAUTIFUL! Here's one:
Isn't that gorgeous? Every single link in that email is actually just another copy of the phishing URL. No matter what you click on, the phishing process starts. And what a process it is! Just in the samples that we had at Malcovery Security, we saw 574 distinct URLs on 77 different web hosts! (the full list is available as amex.urls.txt.
The AmEx Phishing Payload
Why am I writing about this three days later? BECAUSE THE PHISH IS STILL LIVE!Just a few minutes ago, I revisited one URL per webhost and found that 40 of the 77 servers were still delivering payload.
What was the payload?
Here's a sample from one of those 40 sites:
A small box containing the words "Connecting to server..." appears, but in the background, the machine is trying to pull content from these scripts (defanged below):(script) src equals http://theblazingfiddles.com/responsive/rhone.js (script) src equals http://haus-an-der-treene.de/irrigated/bewaring.js (script) src equals http://qualifyformedi-cal.com/mortician/amicably.js (script) src equals http://ufofurniture.com.au/curries/searchlights.js
But actually between the 40 sites I was able to access this morning (March 20, 2014) there were a total of 38 redirectors!
Each of those actually does a "document location" to forward you to the actual phishing page, which was hosted on five different URLS: hxxp: (slash) (slash) e4business.net (slash) americanexpress (slash)hxxp: (slash) (slash) nebucom.com (slash) instanced (slash) inconsolable.js hxxp: (slash) (slash) e-translation.pl (slash) ditty (slash) appetizing.js hxxp: (slash) (slash) grupovordcab.com (slash) expiration (slash) eddies.js hxxp: (slash) (slash) user22809.vs.easily.co.uk (slash) healed (slash) pulsation.js hxxp: (slash) (slash) cescconstructionsupply.com (slash) diminished (slash) somalian.js hxxp: (slash) (slash) majstri.net (slash) donning (slash) slaved.js hxxp: (slash) (slash) ohsspiritwear.com (slash) nike (slash) robbing.js hxxp: (slash) (slash) songingeternally.com (slash) maracaibo (slash) your.js hxxp: (slash) (slash) 03629e3.netsolhost.com (slash) altaic (slash) scarify.js hxxp: (slash) (slash) mobifone-sy.com (slash) inflated (slash) minstrels.js hxxp: (slash) (slash) shashwathomes.com (slash) pleader (slash) socialized.js hxxp: (slash) (slash) www.netpolis.gr (slash) emulate (slash) loved.js hxxp: (slash) (slash) theblazingfiddles.com (slash) responsive (slash) rhone.js hxxp: (slash) (slash) haus-an-der-treene.de (slash) irrigated (slash) bewaring.js hxxp: (slash) (slash) qualifyformedi-cal.com (slash) mortician (slash) amicably.js hxxp: (slash) (slash) ufofurniture.com.au (slash) curries (slash) searchlights.js hxxp: (slash) (slash) amerapremier.com (slash) cesar (slash) viewers.js hxxp: (slash) (slash) www.deacomunicazione.it (slash) doyen (slash) undermining.js hxxp: (slash) (slash) orbitek.hosting24.com.au (slash) trespasses (slash) earthly.js hxxp: (slash) (slash) www.mypafamilylawyer.com (slash) desultory (slash) interrelated.js hxxp: (slash) (slash) blog.myragold.com (slash) hastening (slash) contemporaries.js hxxp: (slash) (slash) loveworks365.com (slash) howe (slash) corsets.js hxxp: (slash) (slash) SNC.NO-IP.ORG (slash) drywalls (slash) liquefy.js hxxp: (slash) (slash) conseguidomaquinaria.com (slash) hollyhocks (slash) propels.js hxxp: (slash) (slash) 034ED86.NETSOLHOST.COM (slash) lodestone (slash) shilled.js hxxp: (slash) (slash) almesa.gr (slash) furious (slash) zygotes.js hxxp: (slash) (slash) hosted.proaal.com (slash) enchanted (slash) handel.js hxxp: (slash) (slash) hnuaaa.org (slash) spitfires (slash) winks.js hxxp: (slash) (slash) www.tstn.org (slash) churchyard (slash) wealthy.js hxxp: (slash) (slash) filtron.gr (slash) skited (slash) menages.js hxxp: (slash) (slash) 3914f5c7a46c5f05.lolipop.jp (slash) andre (slash) fastidiously.js hxxp: (slash) (slash) geeologee.com (slash) bawls (slash) cubbyholes.js hxxp: (slash) (slash) ghs.boehmenkirch.de (slash) executrix (slash) straps.js hxxp: (slash) (slash) besttrainer.co.nz (slash) phrasings (slash) vehicle.js hxxp: (slash) (slash) ftp.fasady-zateplovani.eu (slash) conduces (slash) garrote.js hxxp: (slash) (slash) sewhot.ca (slash) househusbands (slash) piing.js hxxp: (slash) (slash) animalspirits-lva.de (slash) instruction (slash) propounds.js hxxp: (slash) (slash) wildtrackpictures.com (slash) dracula (slash) archenemy.js
hxxp: (slash) (slash) paitoanderson.com:8080 (slash) americanexpress (slash)
hxxp: (slash) (slash) advisorbuysell.com (slash) americanexpress (slash)
hxxp: (slash) (slash) advisor-connect.info (slash) americanexpress (slash)
hxxp: (slash) (slash) 173.246.103.84 (slash) americanexpress (slash)
The Phish Itself
Here's a walk-through of the five page phish.
(Each of those three pages actually had this footer on the bottom! Good to see they included a link to the Fraud page at AmEx!)
When you were finished, you got a friendly thank you . . . letting you know your certificate was all set up . . .
and then got forwarded to the real AmEx page: