Incidents

Phishing extreme

Recent advances in browsers, as seen in Netscape 8 or IE7, have made it harder for the bad guys to succeed with their phishing schemes. In the malware world, technological advances stimulate the development of new ways to evade detection, and we’ve come across some interesting e-mails which seem to indicate the same is happening in the phishing area as well.

Our colleague Michael Molsner in Japan got an odd phishing e-mail at his address. The text is the usual “help keep your identity safe” and it pretends to come from PayPal. What’s interesting is the URL to the spoofed site, which points to a page on www.aafe.cn – the “Academy of Armoured Force Engenering”.

The Academy of Armoured Force Engenering

While the website appears to be legit, the page from the PayPal e-mail is not. It redirects the browser to a page on http://www.skycar.net.cn/ which loads an interesting piece of JavaScript.

This script runs maximized in the browser and presents the user with a window which looks like this:

As you can see, there is an Address field in the window which says “https://www.paypal.com/us”, but it is not the real browser address edit box! It’s a special field inside the Java applet which makes it look like it’s part of the browser window. Do note the real website address, as displayed by Opera – www.skycar.net.cn – in the blue bar. However, users who aren’t too careful about where they enter their PayPal data might well be fooled.

Interestingly, Firefox doesn’t fall for this “trick” – it shows the fake “address bar” for a short time, then it hides it.
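The e-mail stage of this scheme shows the classic tell: the visible link text names PayPal while the href points at an unrelated host (www.aafe.cn). The following is an added example, not code from the original post, of a mail-filter style check that flags such brand/host mismatches; the brand allow-list, the sample message and its URL path are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small allow-list of brands and the domain that legitimately hosts them.
KNOWN_BRANDS = {"paypal": "paypal.com"}

# Constructed sample modelled on the e-mail in the post; the path after the host is a placeholder.
SAMPLE_EMAIL = """<p>Help keep your identity safe.</p>
<a href="http://www.aafe.cn/constructed-path/login">https://www.paypal.com/us</a>
<a href="https://www.paypal.com/us/help">PayPal Help Center</a>"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels domain (no public-suffix list); enough for this illustration."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html):
    """Return (href, reason) for each link that names a brand it does not actually point to."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""  # hostname is already lower-cased
        for brand, real in KNOWN_BRANDS.items():
            if registrable_domain(host) == real:
                continue  # genuinely hosted by the brand, nothing to flag
            if brand in text.lower():
                findings.append((href, f"link text claims {brand} but host is {host}"))
            elif brand in host:
                findings.append((href, f"brand name in host {host} is not {real}"))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL)` flags only the www.aafe.cn link; the genuine paypal.com link passes.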
