http://www.toms-blog.com/tags/phishing/index.xml Recent content on TomsBlog Hugo -- gohugo.io en-uk http://www.toms-blog.com/post/401-phishing-site-call-support/ Mon, 31 Oct 2016 22:49:19 +0000 http://www.toms-blog.com/post/401-phishing-site-call-support/ <p>Recently I was contacted about an alert popping up on a laptop asking the user to phone a support number because their computer was compromised. My initial thoughts were that this was some malware most likely some form of Ransomware asking the user to phone the number to get their files back.</p> <p>After analysing the laptop it turned out to be a much more simple but annoying phishing technique. It looked like the user had clicked an advert on facebook which redirected them to the fishing page</p> <p><img src="http://www.toms-blog.com/images/posts/401-phishing/facebook-urls.JPG" alt="Facebook and phishing site links" /></p> <div class="box"> http://facebook.com-00004.info/report.php?num=44(203) 868-8617 </div> <p>As you can see this is passing the number in as a parameter, usually now you would see a page that looks like Facebook or some other legitimate web page. In this case however you are greated with a HTTP 401 Unauthorised page:</p> <p><img src="http://www.toms-blog.com/images/posts/401-phishing/windows-support-uk.JPG" alt="401 Phishing technique" /></p> <p>Doing some Google Dorking for the message:</p> <p><em>&ldquo;0x80070424 Warning: Activation Key Damaged. Your System Has Been Compromised. Call Windows Support Immediately: 44(203) 868-8617 (TOLL-FREE)&rdquo;</em></p> <p>It would appear these popups are usually used by adware but in this case it was a more standalone approach linking straight from facebook.</p> <p>Multiple differnet URL&rsquo;s were discovered:</p> <p><div class="box"> microsoft.com-00007.info/report.php </div> <div class="box"> microsoft.com-00007.info </div> <div class="box"> microsoft.com-00007.info/msie1.php?num=855-444-2788 </div> <div class="box"> facebook.com-00004.info/fbie1.php?num=888-727-1127 </div> <div class="box"> facebook.com-00001.info </div> <div class="box"> facebook.com-00001.info/fbie1.php?num=888-876-2545 </div></p> <p>A simple curl command can be used to test the site without visiting with a browser:</p> <div class="highlight" style="background: #f0f3f3"><pre style="line-height: 125%"><span></span>curl -c <span style="color: #CC3300">&#39;/tmp/cookies&#39;</span> -L -e <span style="color: #CC3300">&#39;;auto&#39;</span> -H <span style="color: #CC3300">&quot;User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13&quot;</span> -i <span style="color: #CC3300">&#39;facebook.com-00004.info/report.php?num=44645646&#39;</span> </pre></div> <p>Doing a whois of course shows nothing as the domains were registered using privacy protectors:</p> <p><img src="http://www.toms-blog.com/images/posts/401-phishing/domain-whois.JPG" alt="Domain whois lookup" /></p> <p>Doing a lookup on the IP address shows its owned by CONFLUENCE-NETWORK-INC</p> <p><img src="http://www.toms-blog.com/images/posts/401-phishing/ip-whois.JPG" alt="Domain whois lookup" /></p> <p>Looking at the other URL&rsquo;s the microsoft ones were more like a traditional Phishing site but with the 401 over the top with a lot more popups. This one even had a nice voice over the top.</p> <p><img src="http://www.toms-blog.com/images/posts/401-phishing/microsoft-scam.JPG" alt="Microsoft Phishing site" /></p> <p>All URL&rsquo;s have been reported to the relavant parties.</p> <p><strong>UPDATE:</strong> Confluence Networks have disable the facebook site and some of the domains have been taken back.</p>