The other day a client received the below email with an attached .html file (“dropbox file share.html”):
From: Jonathan Wunrow [mailto:jonwunrow@gmail.com]
Sent: Wednesday, June 15, 2016 11:33 AM
Subject: Attached scan doc
See the Attached quote file
—
Make it a Great Day!
Jonathan Wunrow
Program Manager/Grant Writer
Cell – (907) 617-9956
The attached .html file contained the following:
I send you a file “Documents” with a Dropbox file share
Click here to view
scan011.pdf
scan012.pdf
The only actionable item is the “Click here to view” link which directs us to:
http://weightlossaltamontesprings.com/wp-admin/Secured Document attached/index.php
As of today, Chrome is popping up its nice phishing warning screen, but it was not yesterday when I first received a copy.
Upon opening the page, you are greeted with the following screen:
Now, you can sign in to dropbox with your email
Other Email Provider
After clicking any of the email providers on the right (or the “Other Email Provider” link), the large left Dropbox image is replaced by a custom form for the selected email provider that asks for a username/ID/email and password. Each form uses its own variable names and submits to its own PHP file on the server (aol.php, gmail.php, hotmail.php, yahoo.php, other.php). Regardless of the form/provider selected, on submit you are redirected with a 302 to the following PDF:
http://www.fmbwealth.com/sites/default/files/CEG_JWMC_evan_article_pages_with_foto.pdf
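The structure described above (a lure attachment whose only real content is an outbound link, and a landing page whose per-provider forms each post a password to a separate PHP script) is easy to spot mechanically once you stop rendering the HTML and just look at its links and forms. The following triage helper is an added example written for this post, not code from the original analysis; it uses only the Python standard library. The two sample documents inside it are constructed to mimic the attachment and the landing page as described, with a placeholder host (`phish.example`) standing in for the real one.

```python
"""Triage helper for suspicious .html email attachments and the pages they lead to.

Added example, not code from the original post. It walks an HTML document,
collects every <a href> target and every <form> with its action and input
names, then reports (a) hosts linked to that are not the service the lure
claims to be and (b) forms that collect a password. A legitimate file-share
notification contains neither.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a lure attachment like the one described in the post.
# "phish.example" is a placeholder, not the real host.
SAMPLE_ATTACHMENT = """
<html><body>
<p>I send you a file "Documents" with a Dropbox file share</p>
<a href="http://phish.example/wp-admin/Secured%20Document%20attached/index.php">Click here to view</a>
<a href="https://www.dropbox.com/help">Help</a>
<p>scan011.pdf<br>scan012.pdf</p>
</body></html>
"""

# Constructed sample: a landing page with one credential form per provider,
# each posting to its own PHP file, plus one harmless non-credential form.
SAMPLE_LANDING_PAGE = """
<html><body>
<form action="gmail.php" method="post">
  <input type="text" name="gm_user"><input type="password" name="gm_pass">
</form>
<form action="aol.php" method="post">
  <input type="text" name="aol_id"><input type="password" name="aol_pw">
</form>
<form action="search.php" method="get"><input type="text" name="q"></form>
</body></html>
"""


class AttachmentInspector(HTMLParser):
    """Collect link targets and forms (action + inputs) from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []        # href values of <a> tags, in document order
        self.forms = []        # one dict per <form>: {"action": str, "inputs": [(type, name)]}
        self._current = None   # the <form> currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((a.get("type") or "text").lower(), a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def inspect_html(text):
    """Parse the document and return (links, forms)."""
    p = AttachmentInspector()
    p.feed(text)
    p.close()
    return p.links, p.forms


def credential_forms(forms):
    """Forms containing a password input: what a harvesting page needs."""
    return [f for f in forms if any(t == "password" for t, _ in f["inputs"])]


def external_hosts(links, trusted=("dropbox.com",)):
    """Linked hosts that are not the service the lure claims to be.
    Relative links (e.g. 'gmail.php') have no host and are ignored here."""
    hosts = set()
    for href in links:
        host = urlparse(href).hostname or ""
        if host and not any(host == t or host.endswith("." + t) for t in trusted):
            hosts.add(host)
    return sorted(hosts)


def triage(text):
    """Summarise the indicators an analyst would want to see first."""
    links, forms = inspect_html(text)
    return {
        "external_hosts": external_hosts(links),
        "credential_forms": [(f["action"], [n for _, n in f["inputs"]])
                             for f in credential_forms(forms)],
    }


if __name__ == "__main__":
    for label, doc in (("attachment", SAMPLE_ATTACHMENT), ("landing page", SAMPLE_LANDING_PAGE)):
        print(label, triage(doc))
```

Run on the lure attachment, the report shows a single off-brand host behind the only clickable element; run on the landing page, it lists exactly the forms that post a password and the script each one targets, which is the per-provider pattern the post describes. Either finding on its own is enough to quarantine the message.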
The large amount of CSS in the remotely hosted page was the most interesting part of this phishing attempt, as it accounted for about 80% of the file's contents.