Archive for the 'Phishing' Category

09 Jan

Fake news and CNN.com websites featuring malware

A new attack involving fake news and fake CNN websites is spreading malware. It is very similar to the Classmates.com attack: an email is sent to the victim with a link to a fake CNN.com website featuring a fake video that is really a trojan and rootkit.

Interestingly, the page content looks like it was ripped straight from CNN's website, since its links reference real CNN.com content.

WARNING: Websites hosting malicious content!

fake-cnn-site-with-fake-video

Domains involved:
createnewsforccn.com
downloadplayersnews.com
enemyisraelattack.com
exlporernews.com
israelgazaconflict.com
newsforusacnn.com
startinstalladobe.com

Fake video malware file:
Adobe_Player10.exe

–mwdisector

30 Dec

Phishing emails pointing to fake Classmates.com website featuring malware

In the past couple of months there have been phishing campaigns against Classmates.com. On a regular basis, emails talking about class reunions and containing links to fake Classmates.com websites have spewed onto the Internet. These fake websites offer fake videos which are actually malware (an EXE file) designed to take control of your computer using trojans and keyloggers. Oh, and by the way, these EXE files will automatically try to download onto your PC without you clicking them.

WARNING: Websites hosting malicious content!

classmates-reunion-phish-email

FROM ADDRESSES:
Classmates Alert Center
Classmates Community
Classmates Help Center
Classmates Management
Classmates Meeteng Center
Classmates Member Center
Classmates Messagebox#
Classmates Online Center
Classmates Reunion Center
Classmates Shedule Center
Classmates Support Center
Classmates Technical Support
Classmates Video Center

SUBJECTS:
Classmates Important Meeting Information
Classmates Organisation.Class Reunion Information
Classmates Organisation.Class Reunion Planner
Classmates Organiser Warning – Meeting high school and junior college classmates
Classmates Organiser Warning – This is a forum where you can make any suggestions for the Reunion.
Classmates Party invitation…
Classmates Party invitation…
Classmates Preview, public invitation
Classmates Reunion -  Invitation
Classmates Reunion – Classmates Reunion – Special Preview Invitation
Classmates Reunion – Congratulations Today !
Classmates Reunion – Invitation: Ready
Classmates Reunion – Your Classmates Invitation – He’s Ready, Are You?
Classmates Reunion – unique invitation.
Classmates Reunion Soon – Classmates Organisation.What Have You Been Up To
Classmates Reunion Soon – Important Dates for Classmates Meeting
Classmates Video your personal invitation by John
Currently planning the 2009 Year Reunion
Do Not Miss Tonight’s Classmates Reunion !
Please Do Not Miss the Classmates Meeting!
Revised reunion date announced
Webster meetings among former classmates
Welcome to Classmates Personal Invitation
You have one new message. Classmates
Your Classmates Are Waiting – AN URGENT MESSAGE
Your classmates Day New Date..How can someone miss a Classmates meeting?
Your classmates Day New Date.A Meeting with my HighSchool Classmates
Your own unique invitations from classmates.

ROOT DOMAINS:
adobeflasplayer10.com
classmateqs.com
classmatersunion.com
(24.136.176.91, 68.51.164.175, 75.63.170.53, 76.27.148.240, 98.217.125.105)
classmatescom-phish-website
classmatesupdates.com
dnuemjsi.com
downloadservers7.com
downloadupdateadobe10.com
flashadobeplayer9.com

getinstallations.com
happynewyearclassmates.com
indexguideclassmates.com
(68.40.193.72, 75.58.247.185, 75.63.170.53, 76.27.148.240, 67.172.60.164)
installationsadobeflash10.com
keiortue.com
kertuierp.com
meetingclassmaterss.com
meetwithyourfriends.com

merrychristmassclass.com (208.78.242.184)
newflashadobe.com
newklassmates.com (208.73.210.121)
newyearclassmates.com
reinstallflash.com
(67.172.60.164, 68.40.193.72, 75.58.247.185, 75.63.170.53, 76.27.148.240)
reunionclassmates.com
sdunsosdu.com
serveronlines.com
serversupdates.com
user-X1aR1qC1newclasshost.com
user-j1oz1zj1newklassmates.com

user-m1qa1nk1updatedclassmates.com
user-p1pc1iu1getinstallations.com
user-x1ar1qc1newclasshost.com
vreied.com
vreixs.com

FAKE VIDEO MALWARE FILE:
Adobe_Player10.exe
VT coverage 27/38:
https://www.virustotal.com/analisis/4d17de3d6ba580900af852ed5ad9a52f

–mwdisector

27 Nov

More mailing list unsubscription phishing websites

STAY AWAY from these because in reality they are being used to collect email addresses likely for future SPAM campaigns.  I also suspect these domains are part of a current fake XP activation SPAM campaign.

DOMAINS:
campingchip.com
daily--movie-code.info
daily--movie-code.net
daily--movie-code.org
daily-movie--code.info
daily-movie--code.net
daily-movie-code.info
get--activation-code1.com
movie--code--online.info
movie--online-promo.info
movie-code-online.com
movie-code-online.info
movie-code-online.net
movie-code-online.org
movie-online-promo.info
movie-online-promo.org
net--activation--code1.com
net--activation--code1.net
net--activation-code1.info
net--activation-code1.net
net--activation-code1.org
net--code--activation.com
net--code--activation.info
net--code--activation.net
net--code-activation.com
net--code-activation.info
net--code-activation.net
net--code-activation.org
net--movie--promo.net
net--online--product.info
net--online--product.org
net--online-product.info
net--online-product.org
net--pdf--promo.info
net--pdf--promo.net
net--pdf-promo.com
net--pdf-promo.info
net--pdf-promo.net
net--pdf-promo.org
net-activation--code1.info
net-activation--code1.net
net-activation-code.com
net-activation-code1.info
net-activation-code1.net
net-activation-code1.org
net-online--product.info
net-online--promos.info
net-online-product.info
net-online-product.org
net-pdf--promo.info
net-pdf--promo.net
net-pdf-promo.com
net-pdf-promo.info
net-pdf-promo.net
net-pdf-promo.org
new--movie--code.net
new--product--offer.com
new--product--offers.com
new-movie--code.info
new-movie--code.net
new-movie--code.org
online--activation--code.net
online--activation-code.org
online--movie--promo.info
online--movie-promo.info
online--product-promos.info
online--promo--products.info
online--promo--products.org
online--promo-products.info
online--promo-products.org
online-activation--code.org
online-activation-code.com
online-activation-code.org
online-movie--promo.info
online-movie-promo.info
online-product--promo.net
online-product-promo.com
online-promo--products.info
online-promo-products.info
online-tv--promo.info
pdf--online--promo.org
pdf--online-promo.info
pdf--online-promo.org
pdf--promo-info1.net
pdf-online--promo.info
pdf-online--promo.org
pdf-online-promo.info
pdf-promo--code.org
pdf-promo--info1.net
pdf-promo-info.net
pdf-promo-info1.net
superiway.com
tv-new-promo.info

IPs INVOLVED:
27645 | 66.79.162.82 | ASN-NA-MSG-01 – Managed Solutions Group, Inc.
33314 | 66.79.162.82 | ASN-AKANOC-SJC-01 – AKANOC Solutions Inc.
16131 | 91.199.50.101 | GRAFIX-IS GrafiX Internet B.V.

–mwdisector

19 Nov

Fake Activation and Mailing List Unsubscribe Websites

In the past few days I've seen many websites pop up pretending to be mailing list unsubscription sites. As usual, these sites use legit-sounding names like antivirus-activation-code1.org or online-activation-code.info.

Fake unsubscribe

Example screenshot.

STAY AWAY from these because in reality they are being used to collect email addresses likely for future SPAM campaigns.  I also suspect these domains are part of a current fake XP activation SPAM campaign.

Domains involved:

antivirus--activation--code1.org
antivirus--activation-code2.org
antivirus-activation--code1.org
antivirus-activation-code1.org
antivirus-activation-code2.org
antivirus-activation--code.info
antivirus--activation--code.info
new-activation-code.info
new--activation-code.info
online-activation-code.info
online--activation-code.info
online-activation--code.info
online--activation--code.info
pdf-activation-code.info
pdf--activation-code.info
pdf-activation--code.info

IPs associated with these:
66.79.162.82
67.209.140.130

antivirus-activation--code2.org
91.199.50.101

BE ADVISED: These sites may still be active, be careful!
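Both unsubscribe/activation posts above list the same base names registered many times over, varying only the hyphen count and the TLD (net-activation-code1, net--activation--code1, net-activation--code1 across .com/.net/.info/.org). A blocklist that matches the exact string misses the next permutation the campaign registers. The Python below is an added example, not code from this blog: it collapses runs of hyphens into a canonical key so the observed domains cluster by base name, and a short list of base names then matches every variant. The domain subset is taken from the two posts; the canonicalisation rule and the punycode guard are my own choices and are marked as such in the code.

```python
import re
from collections import defaultdict

# Subset of the domains listed in the two unsubscribe/activation posts
# (copied from the page; the full lists are much longer).
OBSERVED = [
    "daily--movie-code.info", "daily-movie--code.net", "daily-movie-code.info",
    "net--activation--code1.com", "net-activation-code1.org", "net-activation--code1.info",
    "online-activation-code.com", "online--activation-code.org",
    "pdf-promo-info1.net", "pdf--promo-info1.net",
    "antivirus-activation-code1.org", "antivirus--activation--code1.org",
    "campingchip.com", "superiway.com",
]


def canonical(domain):
    """Return (collapsed_name, tld) for a domain, e.g.
    'net--activation--code1.com' -> ('net-activation-code1', 'com').

    Rule chosen for this example: every run of two or more hyphens becomes
    one hyphen, so spelling variants share a key. Punycode labels start with
    'xn--' and must keep their hyphens, so those are returned untouched."""
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    if name.startswith("xn--"):
        return name, tld
    return re.sub(r"-{2,}", "-", name), tld


def cluster(domains):
    """Group domains by canonical base name (TLD ignored), preserving order."""
    groups = defaultdict(list)
    for d in domains:
        groups[canonical(d)[0]].append(d)
    return dict(groups)


def matches_blocklist(domain, blocklist):
    """True if domain is a hyphen/TLD variant of any blocklisted name, so a
    blocklist of base names covers every permutation the campaign registers."""
    keys = {canonical(b)[0] for b in blocklist}
    return canonical(domain)[0] in keys


if __name__ == "__main__":
    for key, members in cluster(OBSERVED).items():
        print(f"{key:<28} {len(members)} variant(s): {', '.join(members)}")
    print(matches_blocklist("net-activation--code1.info", ["net-activation-code1.org"]))
```

Matching on the collapsed key deliberately ignores the TLD, because the posts show the same base name under .com, .net, .info and .org; pair it with the IP list in the post (66.79.162.82, 91.199.50.101) if you want a second, independent signal.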

–mwdisector

25 Oct

Ocean Bank phishing/malware distribution through fake SSL certificate

Found another phishing/malware distribution scheme, this time using Ocean Bank. Just like the ones we've seen in the past, it pushes a file to download that it claims is an SSL certificate needed for security purposes. As you'll see below there are quite a few URLs pushing this malware, and the ones listed are just a fraction of the total number. Once the file is run, it installs a rootkit on the system. The sample is available in /pnuemo-malware/.

BE ADVISED: These URLs may still be active. Proceed at your own risk.

Oceanmultissl.exe (Downloads or Creates: s.exe)
Result: 21/34 (61.77%)
MD5: c4906f64d0ea19dab7a9e7626ee40781
VirusTotal
ThreatExpert Analysis

s.exe & 9129837.exe (Downloads or Creates: 9129837.exe & new_drv.sys)
Result: 18/36 (50%)
MD5: d951f3a8e3485c3c150ba17c0f53db86
VirusTotal
ThreatExpert Analysis

new_drv.sys
Result: 34/36 (94.45%)
MD5: a54de1d46ff7bdefbf9d9284c1916c5e
VirusTotal
ThreatExpert Analysis

ns1.domensinter.com
ns2.domensinter.com

hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.siteminderagent.verification.0wylzehgk.edfrkti.com/103541.html?/renewmirror/verification
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.siteminderagent.demystifying.1vzohkwd0.edfrkti.com/103541.html?/ptcontrol/services
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.procedure.gnyit07m8.edfrkti.com/103541.html?/onlineupdate/rnalid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.portalserver.jdv6kcukz.ceuewys.com/103541.html?/comreportid/onlineupdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.portalserver.ifzsgwhsm.edfrkti.com/103541.html?/customerlogin/comservlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.bankonenet.9sxkghaq8.gineehg.com/103541.html?/viewcontent/rnalid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.renewmirror.mnskscirl.ceuewys.com/103541.html?/sitesurvey/encrypted
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.ptcontrol.jcpptbgdz.ceuewys.com/103541.html?/procedure/actionvalidate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.carehtmlclient.lg3qhifus.ceuewys.com/103541.html?/memberverify/onlineupdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.bankonenet.aldz11d6n.gineehg.com/103541.html?/bankonenet/bankonline
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.services.rnalid.gyomouftr.reueys.com/103541.html?/securitychallenge/memberverify
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.services.portalserver.fkquawuv8.ceuewys.com/103541.html?/verification/exacttrget
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.selfservice.servletdologin.jgu801sal.edfrkti.com/103541.html?/servletdologin/bankonenet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.securitychallenge.certificateupdate.dpf29qakc.edfrkti.com/103541.html?/bankonline/sessionervlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.rnalid.portalserver.rczkjzpmm.reuybso.com/103541.html?/memberverify/procedure
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.rnalid.onlineupdatemirror.pqwzbc38r.reueys.com/103541.html?/communitypage/configlogin
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.slapiservlet.kjlxlurym.gineehg.com/103541.html?/certificateUpdate/carehtmlclient
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.demystifying.kululslhk.edfrkti.com/103541.html?/cfmasternbank/certificateUpdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.comreportid.0hbfmxry5.reueys.com/103541.html?/configlogin/selfservice
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.bankonenet.jrbks5mu1.reueys.com/103541.html?/demystifying/comreportid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.sessionervlet.zsbtlddf1.gineehg.com/103541.html?/doexte/certificateUpdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.ptcontrol.e9s82vmjo.edfrkti.com/103541.html?/ptcontrol/comreportid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.productsremote.uj8mqt7af.edfrkti.com/103541.html?/carehtmlclient/verification
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.portalserver.uhdirryyz.edfrkti.com/103541.html?/services/comreportid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.bankonline.xfadkkfg9.reueys.com/103541.html?/services/configlogin
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.onlineupdatemirror.hia3rhicq.edfrkti.com/103541.html?/linkbrowse/sessionervlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.exacttrget.sl1iyagjp.reueys.com/103541.html?/comservlet/communitypage
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.demystifying.ebulerhz1.reuybso.com/103541.html?/linkbrowse/selfservice
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.carehtmlclient.m0fz6fjtp.reuybso.com/103541.html?/customerlogin/configlogin
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.portalserver.renewmirror.e4s0uhfhb.edfrkti.com/103541.html?/communitypage/comservlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.portalserver.exacttrget.mkcxdf604.reueys.com/103541.html?/onlineupdatemirror/portalserver
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.portalserver.communitypage.f3lg1sydw.edfrkti.com/103541.html?/carehtmlclient/demystifying
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.onlineupdate.services.bodkqha20.edfrkti.com/103541.html?/communitypage/carehtmlclient
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.memberverify.certificateupdate.h5sfn919q.gineehg.com/103541.html?/exacttrget/sessionervlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.linkbrowse.privatelogin.ehe2hxod6.edfrkti.com/103541.html?/privatelogin/services
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.exacttrget.demystifying.djzxt6l3z.edfrkti.com/103541.html?/bankonenet/portalserver
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.encrypted.siteminderagent.oit17c3jq.edfrkti.com/103541.html?/sessionervlet/certificateUpdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.demystifying.rnalid.p7jzbwnji.gineehg.com/103541.html?/renewmirror/sitesurvey
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.demystifying.ptcontrol.utqnl5dg0.ceuewys.com/103541.html?/exacttrget/privatelogin

14 Oct

eBay phishing websites

Here are some domains hosting eBay phishing sites. These are intended to harvest user credentials for the popular auction site. This post, along with the M&I Bank post, is intended to show how well these pages are crafted and how they can trick even an educated web surfer.

Below is a screenshot of the phishing website along with domains that are currently hosting the phishing site.

hxxp://signin.ebay.com.pwitr7y9scfbu51yl.333krv7olw2ynfgw1n.web.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=x&ref=eb&sspagename=ADME:X:CEM:US
hxxp://signin.ebay.com.gdriyip90t1a.333m9ocosl9h7fo985.info.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=belfire27@aol.com&ref=eba1&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.j4eupml07uipz.333ana77x9jwudokll.net.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=mattlisab28@aol.com&ref=eba1&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.ri0g9apjjlf4algqb8k.333krv7olw2ynfgw1n.info.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=saco252@aol.com&ref=eba1&sspagename=ADME:X:CEM:US
hxxp://signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.yes.copartnerid.siteid.pagetype.update.service.account.login.f033ab37c30201f73f142449d037028d.mldfki29y30x11lpx3.com/ws/eBayISAPI.dll/?cmd=SignIn&co_partnerId=2&pUserId=&email=dropshippeddirect@verizon.net&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&confirm=&ebxPageType=&existingEmail=&isCheckout=&migrateVisitor&MfcISAPICommand=ConfirmRegistration
hxxp://signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.yes.copartnerid.siteid.pagetype.update.service.account.login.44f683a84163b3523afe57c2e008bc8c.df34uifyn389o13f1c.com/ws/eBayISAPI.dll/?cmd=SignIn&
hxxp://signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.yes.copartnerid.siteid.pagetype.update.service.account.login.ea5d2f1c4608232e07d3aa3d998e5135.df34uifyn389o13f1c.com/ws/eBayISAPI.dll/?cmd=SignIn&
hxxp://signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.yes.copartnerid.siteid.pagetype.update.service.account.login.fe9fc289c3ff0af142b6d3bead98a923.pqmdcjh8y2tnx2i3rc.com/ws/eBayISAPI.dll/?cmd=SignIn&co_partnerId=2&pUserId=&email=margimac@earthlink.net&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&confirm=&ebxPageType=&existingEmail=&isCheckout=&migrateVisitor&MfcISAPICommand=ConfirmRegistration
hxxp://signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.yes.copartnerid.siteid.pagetype.update.service.account.login.d82c8d1619ad8176d665453cfb2e55f0.pqmdcjh8y2tnx2i3rc.com/ws/eBayISAPI.dll/?cmd=SecurityMeasure&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&email=lance@lbcad.com
hxxp://signin.ebay.com.pwitr7y9scfbu51yl.333krv7olw2ynfgw1n.web.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=x&ref=eb&sspagename=ADME:X:CEM:US
hxxp://signin.ebay.com.0m3kw84y2qx3mdf.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=lisettechiasson@hotmail.com&ref=eb&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.j03tlcwradrnyl6ecj.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=tlizzie1@aol.com&ref=eba1&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.rbjvo7q3uk3dpnj.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=moskaterx@yahoo.com&ref=eb&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.5ya63pn8gzhev4ko413.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=robdebaa@aol.com&ref=eba1&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.4oz0i3iiahwup.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=fx94@aol.com&ref=eba1&sspagename=ADME:X:CEM:U
hxxp://signin.ebay.com.cflc4xfunpul.333krv7olw2ynfgw1n.com.ve/saw-cgi/eBayISAPI.dll/?M2MContact&requested=estate-agency&qid=90405648&redirect=0&emaddr=jackster@consolidated.net&ref=eb&sspagename=ADME:X:CEM:U

14 Oct

M&I Bank Malware/Phishing Websites

There is a campaign to spread malware through fake M&I Bank websites. The malware that these pages try to install was featured in today's database update and can be accessed through /pnuemo-malware/MIbankcertificate.zip in our repository.

Below is a screenshot of the website along with a list of some of the domains hosting these pages. Luckily both Firefox and Internet Explorer detected these as suspicious pages.


hxxp://businessportal.mibank.mibusinessonlinebanking.qzbpkh9in1q7mzd.bankonenet.services.wlienex.com/subsections.htm?/actionvalidate/onlineupdate/OSL.htm?LOB=3163895149&refer=bpkH9iN1Q7mzDrZ
hxxp://businessportal.mibank.mibusinessonlinebanking.sybzjefp95juuqd.bankonline.configlogin.bineeo.com/subsections.htm?/viewcontent/privatelogin/OSL.htm?LOB=0820757379&refer=bZjEFP95juuQd8T
hxxp://businessportal.mibank.mibusinessonlinebanking.hgt7nxvcm13ieqf.renewmirror.siteminderagent.sddgus.com/subsections.htm?/carehtmlclient/bankonline/OSL.htm?LOB=6355552810&refer=T7nXvCm13IEqfNX
hxxp://businessportal.mibank.mibusinessonlinebanking.4xgbf1wlvys8xl4.doexte.linkbrowse.sddgus.com/subsections.htm?/actionvalidate/ptcontrol/OSL.htm?LOB=5425746488&refer=gbf1WlVyS8xl4Xg
hxxp://businessportal.mibank.mibusinessonlinebanking.sb0pryfloi89guq.renewmirror.productsremote.bineeo.com/subsections.htm?/doexte/exacttrget/OSL.htm?LOB=8754725917&refer=0PrYFloI89GuQAR
hxxp://businessportal.mibank.mibusinessonlinebanking.ibxtphpk5roeojr.comservlet.servletdologin.bineeo.com/subsections.htm?/procedure/privatelogin/OSL.htm?LOB=5359068295&refer=XTPHPk5rOEOJrK4
hxxp://businessportal.mibank.mibusinessonlinebanking.9cl3xftk4ni9t9t.servletdologin.ptcontrol.bineeo.com/subsections.htm?/onlineupdate/configlogin/OSL.htm?LOB=1831421831&refer=L3Xftk4nI9T9tv5
hxxp://businessportal.mibank.mibusinessonlinebanking.ynqcyrmfqwjt2st.bankonenet.comreportid.bueozia.com/subsections.htm?/bankonline/customerlogin/OSL.htm?LOB=2678391850&refer=QCyrmFqWJt2stbY
hxxp://businessportal.mibank.mibusinessonlinebanking.j880s7k6hjwpqsz.onlineupdate.onlineupdate.bueozia.com/subsections.htm?/configlogin/customerlogin/OSL.htm?LOB=2783087268&refer=80S7k6HjwpQSzmp
hxxp://businessportal.mibank.mibusinessonlinebanking.4vlhcq1ray5plj8.securitychallenge.configlogin.sddgus.com/subsections.htm?/verification/encrypted/OSL.htm?LOB=1963750084&refer=lhCQ1RAy5Plj8qn
hxxp://businessportal.mibank.mibusinessonlinebanking.w4kjtij48tuycyg.bankonenet.carehtmlclient.bueozia.com/subsections.htm?/cfmasternbank/doexte/OSL.htm?LOB=7399944416&refer=kJtij48TUYCYgR6

21 Sep

Gmail phishing site

We found a new phishing site today targeting Gmail usernames and passwords. The site (gmail-security.com) reuses authentic parts of the Gmail website, and about the only things an unsuspecting user might notice are the unofficial Google domain and some minor aesthetic differences. If credentials are entered, the site POSTs them to load.php and then forwards the browser to the official Gmail site.

Here is what the “gmail-security” phishing site looks like:

Gmail Phishing Site

Here is what the official Gmail site looks like:

Official Gmail Site
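The Ocean Bank, eBay, M&I Bank and Gmail posts above all rely on one of two tricks: a brand name (signin.ebay.com, oceanbank, mibank) stuffed into the subdomain prefix of an unrelated registrable domain, or a brand lookalike such as gmail-security.com registered outright. The Python below is an added example, not code from this blog, that classifies URLs on those two criteria. The brand allowlist and the small stand-in for the Public Suffix List are assumptions made for the example; the sample URLs are copied from the posts above (defanged as the blog prints them) plus the genuine eBay sign-in host for contrast. It only parses strings and never contacts any host.

```python
import re
from urllib.parse import urlsplit

# Brand labels the posts impersonate, mapped to the registrable domains that
# legitimately serve that brand. The eBay and Gmail entries are real; the two
# banks are left empty (assumption for this example: any host carrying
# "oceanbank" or "mibank" outside an allowlisted domain is treated as suspect).
BRAND_ALLOWLIST = {
    "ebay": {"ebay.com"},
    "gmail": {"google.com", "gmail.com"},
    "oceanbank": set(),
    "mibank": set(),
}

# Second-level labels that behave like TLDs under a two-letter country code
# ("com.ve", "web.ve", "info.ve" in the eBay post). A tiny stand-in for the
# Public Suffix List, which a production tool should use instead.
GENERIC_SLD = {"com", "net", "org", "info", "web", "co"}


def refang(url):
    """Restore the blog's defanged 'hxxp://' scheme so urlsplit can parse it.
    Nothing is fetched; this is string handling only."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def registrable_domain(host):
    """Approximate the registrable (owner-controlled) domain of a hostname."""
    labels = host.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in GENERIC_SLD:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse(url):
    """Flag brand labels in the subdomain prefix of a non-allowlisted domain,
    and brand lookalikes in the registrable label itself."""
    host = (urlsplit(refang(url)).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    reg = registrable_domain(host)
    prefix = labels[: len(labels) - len(reg.split("."))]   # everything left of reg
    owner_label = reg.split(".")[0]
    stuffed = sorted(b for b in BRAND_ALLOWLIST
                     if b in prefix and reg not in BRAND_ALLOWLIST[b])
    lookalike = sorted(b for b in BRAND_ALLOWLIST
                       if b in owner_label and reg not in BRAND_ALLOWLIST[b])
    return {
        "host": host,
        "registrable": reg,
        "labels": len(labels),
        "brand_in_prefix": stuffed,
        "brand_lookalike": lookalike,
        "suspicious": bool(stuffed or lookalike),
    }


# Sample URLs: the first four come from the posts above (defanged as printed,
# query strings trimmed); the last is the genuine eBay sign-in host.
SAMPLES = [
    "hxxp://signin.ebay.com.pwitr7y9scfbu51yl.333krv7olw2ynfgw1n.web.ve/saw-cgi/eBayISAPI.dll/?M2MContact",
    "hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.siteminderagent.verification.0wylzehgk.edfrkti.com/103541.html",
    "hxxp://businessportal.mibank.mibusinessonlinebanking.qzbpkh9in1q7mzd.bankonenet.services.wlienex.com/subsections.htm",
    "hxxp://gmail-security.com/",
    "https://signin.ebay.com/ws/eBayISAPI.dll?cmd=SignIn",
]

if __name__ == "__main__":
    for u in SAMPLES:
        r = analyse(u)
        verdict = "SUSPECT" if r["suspicious"] else "ok"
        print(f"{verdict:<8} {r['registrable']:<30} labels={r['labels']} "
              f"prefix={r['brand_in_prefix']} lookalike={r['brand_lookalike']}")
```

Label depth is returned as well: the legitimate host has three labels, while the phishing hosts in the posts run to seven or more, which is a cheap secondary signal for mail-gateway or proxy-log triage.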



