This holiday season give the gift of harvested credentials! It’s the gift that keeps on giving!

Santa, who is most definitely real, stopped by the office early this year and dropped off a present in the form of another phishing attempt. If you haven’t read my last post involving a fake banking site you can check it out here.

This attempt came via email to a C-suite exec at a very prestigious company. He and I have a pretty good working relationship, so when he offered me up the email I jumped at the chance, after making sure he hadn’t clicked on the link, of course. Let’s start with the email itself:

It appears he received a fax from Rap!dfax. RapidFax is indeed a fax to email service but you can’t put exclamation marks in a valid domain name so there’s something to take note of. Let’s check out the .htm attachment.

There’s a lot of exclamation marks in this whole situation. I don’t think I’ve ever been that excited to receive a fax. The only part of this file that’s live is the view fax message portion. Let’s have a look at what VIEW ANCIENT TECHNOLOGY FAX MESSAGE has in store. Clicking on that link would bring one to: hxxps://nbffc.com/vsv/login/index.php

Office365? I thought this was a fax?? Me right now:

I’m betting dollars to donuts that if I were to enter any sort of credential into that Email ID and Password field Santa would put me on the naughty list. Let’s check out the names of the fields first.

The Email ID field seems to be named ‘frm-email’.

And the Email Password field looks to be named ‘frm-pass’. Right above those two fields we see what happens when Download is clicked. It looks like action.php is called. Here’s what that does:

If you read my last blog post this should look familiar. It’s basically the same phishing kit with the geolocation and all. We see in these following two lines:

```php
// From the kit's action.php: the submitted form values are appended to the
// message body that gets mailed to the scammer.
$message .= "|eMail : ".$_POST['frm-email']."\n";
$message .= "|PasSword : ".$_POST['frm-pass']."\n";
```

The user’s email ID and password (frm-email and frm-pass as we discovered are the field names) will be sent to the scammer. A quick search for the scammer’s email leads to some interesting information including names and phone numbers. I’ve blurred out some of the info in the event it’s legitimate and the owner of the email is an unwilling participant in this fraudulent scheme:
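Two of the tells in this sample can be checked automatically before anyone opens the attachment: a sender “domain” that can’t be a real hostname (Rap!dfax), and an .htm attachment containing a form with a password field that posts somewhere. The script below is an added example for doing that triage, not code from this post or from the phishing kit. The HTML is constructed to mirror the page described above (inputs named frm-email and frm-pass posting to action.php); the surrounding markup and the placeholder page URL used to resolve the form action are assumptions.

```python
"""Triage helpers for a phishing .htm attachment (added example, not the
blogger's code). SAMPLE_HTML is constructed to mirror the fake Office 365
page described in the post: a form with inputs named 'frm-email' and
'frm-pass' that posts to action.php. The markup around them is assumed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample; field and script names come from the post,
# the rest of the markup is an assumption.
SAMPLE_HTML = """
<html><body>
<h1>Office 365</h1>
<form method="post" action="action.php">
  <input type="text" name="frm-email" placeholder="Email ID">
  <input type="password" name="frm-pass" placeholder="Email Password">
  <button type="submit">Download</button>
</form>
</body></html>
"""

# Placeholder page URL (not the real host) used to resolve relative actions.
PAGE_URL = "https://phish.example/vsv/login/index.php"

# One RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """True only if every dot-separated label is a legal hostname label."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


class _FormScanner(HTMLParser):
    """Collects every <form> with the (name, type) of each <input> inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                (a.get("name", ""), a.get("type", "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_credential_forms(html: str, page_url: str) -> list:
    """Return forms that collect a password, with the resolved post target."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if "password" not in {t for _, t in form["fields"]}:
            continue
        target = urljoin(page_url, form["action"])
        findings.append({
            "target": target,
            "target_host": urlsplit(target).hostname,
            "method": form["method"],
            "fields": [n for n, _ in form["fields"]],
        })
    return findings


if __name__ == "__main__":
    print("Rap!dfax.com valid hostname?", is_valid_hostname("Rap!dfax.com"))
    for finding in find_credential_forms(SAMPLE_HTML, PAGE_URL):
        print(finding)
```

Run against a real attachment, the resolved target host is the thing to compare with the brand the page imitates: a login form for “Office 365” posting to a host that isn’t Microsoft’s is the same signal the author found by reading action.php by hand.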

Now pardon me while I ready the milk and cookies. The big night is right around the corner. Happy holidays!