Phishing Threatens Deadly Viruses



David Pickett

A new phishing campaign caught our attention recently because of the unusual wording and the mix of tactics in its "Security Alert." The email claims the recipient's mailbox is infected with 3 deadly viruses and will be shut down if the warning is ignored.

Let's take a quick look at this credential-harvesting attack.

Security Alert - 3 Deadly Viruses

The phishing theme follows the typical email-shutdown threat but adds the unusual "3 deadly viruses" scare. The URL, which carries the intended victim's email address, leads to a compromised WordPress page, and the phishing site uses that address to generate content customized to the recipient.



Classic Hacker Themed Black & Green Phishing Site

The phishing site's hacker theme is a departure from the email's antivirus alert theme. It is no secret that phishing attacks are more successful when they create a sense of urgency and fear, and this one attempts to do both. While viewing the site (video below), a rather unconvincing countdown clock appears, and the site acts as if it is deleting email addresses on the target's domain.

There is a field for the target to enter their email password to "Validate Email." If entered, this hands the attacker the target's credentials. Credentials gathered by generic attacks like this one are often reused in customized follow-up attacks, typically financially themed spearphishing such as Business Email Compromise (BEC).


[Video: walkthrough of the phishing site]


URL-Encoded JavaScript to Fool Web Scans

Taking a brief look at the website source code, the attacker has URL-encoded the JavaScript that runs on the page, so the decoded script never appears in the raw source. This can let the site evade simple signature-based scans of the page source and stay up longer, though the encoding is trivial to reverse: any scanner that decodes percent-sequences or renders the page sees the original. The list of email addresses is the same for every target; only the domain is swapped to match the recipient's.



Decoding the URL-Encoded JavaScript

Decoding the URL-encoded JavaScript shows that this site posts credentials to post.php. Because the handling is done in server-side PHP, the browser never sees where the captured credentials are sent. Often we see captured credentials delivered to a mailbox whose address is visible in the raw source; free Gmail accounts are especially popular with less skilled attackers using generic phish kits.
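As an added example, not code from the phishing site or its kit, the block below reproduces the obfuscation described in the two preceding sections and the analyst's decoding step. A constructed stand-in page with a "Validate Email" form that posts to post.php is percent-encoded the way these kits wrap their source, then decoded offline without executing it, the drop point is extracted, and the per-domain address list is regenerated. The page markup, the local parts in the address list and the helper names (obfuscate, deobfuscate, findPostTarget, customizedList, rawSourceMentions) are assumptions made for this example.

```javascript
// Added example, not code from the phishing site: how a generic phish kit
// hides its page behind percent-encoding, and how an analyst decodes it
// offline, without running it, to find where credentials are posted.
// The page markup, address list and helper names are constructed here to
// mirror the behaviour described in the post.

// Fixed local parts the kit shows as "being deleted"; only the domain is
// swapped per victim (assumed list).
const LOCAL_PARTS = ['admin', 'info', 'sales', 'support', 'hr'];

// Constructed stand-in for the kit's real page: a "Validate Email" form
// whose action is post.php, plus the script that personalises the list
// from the victim address carried in the URL.
const PLAIN_PAGE = [
  '<form id="validate" action="post.php" method="post">',
  '<input type="hidden" name="email" id="victim">',
  '<input type="password" name="password">',
  '<button>Validate Email</button>',
  '</form>',
  '<pre id="deleting"></pre>',
  '<script>',
  'var victim = new URLSearchParams(location.search).get("email");',
  'var domain = victim.split("@")[1];',
  'var parts = ' + JSON.stringify(LOCAL_PARTS) + ';',
  'document.getElementById("victim").value = victim;',
  'document.getElementById("deleting").textContent =',
  '  parts.map(function (p) { return p + "@" + domain; }).join("\\n");',
  '</script>',
].join('\n');

// Kit side: percent-encode every character so strings like "post.php"
// never appear in the raw source, then unwrap at load time with unescape().
// %XX covers Latin-1; %uXXXX is the form unescape() expects for wider chars.
function obfuscate(page) {
  const hex = Array.from(page, ch => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '%' + code.toString(16).toUpperCase().padStart(2, '0')
      : '%u' + code.toString(16).toUpperCase().padStart(4, '0');
  }).join('');
  return "document.write(unescape('" + hex + "'))";
}

// Analyst side: pull the literal out of the unescape()/decodeURIComponent()
// wrapper and decode %XX / %uXXXX by hand, so nothing from the kit executes.
function deobfuscate(wrapped) {
  const m = wrapped.match(/(?:unescape|decodeURIComponent)\(\s*'([^']*)'\s*\)/);
  if (!m) throw new Error('no percent-encoded literal found');
  return m[1].replace(/%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Where do the credentials go? Check form actions first, then fetch/XHR.
function findPostTarget(page) {
  const m = page.match(/<form[^>]*\baction\s*=\s*["']([^"']+)["']/i) ||
            page.match(/fetch\(\s*["']([^"']+)["']/) ||
            page.match(/\.open\(\s*["']POST["']\s*,\s*["']([^"']+)["']/i);
  return m ? m[1] : null;
}

// Reproduce the personalisation: same list for every target, only the
// domain taken from the victim's address changes.
function customizedList(victimEmail) {
  const domain = victimEmail.split('@')[1];
  return LOCAL_PARTS.map(p => p + '@' + domain);
}

// A scanner that only greps the raw, still-encoded source.
function rawSourceMentions(source, needle) {
  return source.includes(needle);
}

// Demo: the encoded source hides the drop point; decoding reveals it.
const wrapped = obfuscate(PLAIN_PAGE);
console.log('raw source mentions post.php:', rawSourceMentions(wrapped, 'post.php'));
console.log('decoded drop point:', findPostTarget(deobfuscate(wrapped)));
console.log(customizedList('jane.doe@example.com').join('\n'));
```

The point of decoding by hand rather than calling eval or unescape on the kit's string is that the analyst never runs attacker-controlled code; the same regex-and-replace approach works on `decodeURIComponent('...')` wrappers. Note that the raw source still shows the `document.write(unescape(` wrapper itself, which is a usable detection signature even when the payload varies.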


To ensure you are protected against phishing and malware attacks - contact us for a free trial of our Advanced Email Security