The other day a client received the email below with an attached .html file (“dropbox file share.html”):
From: Jonathan Wunrow [mailto:[email protected]]
Sent: Wednesday, June 15, 2016 11:33 AM
Subject: Attached scan doc
See the Attached quote file
Make it a Great Day!
Program Manager/Grant Writer
Cell – (907) 617-9956
The attached .html file contained the following:
The only actionable item is the “Click here to view” link which directs us to:
http://weightlossaltamontesprings.com/wp-admin/Secured Document attached/index.php
As of today, Chrome is popping up its nice phishing warning screen, but it was not yesterday when I first received a copy.
Upon opening the page, you are greeted with the following screen:
After clicking any of the email providers on the right (or the “Other Email Provider” link), the large Dropbox image on the left is replaced by a custom form for the selected email provider that asks for a username/ID/email and password. Each form uses its own variable names and submits to its own PHP file on the server (aol.php, gmail.php, hotmail.php, yahoo.php, other.php). Regardless of which form/provider is selected, submitting it returns an HTTP 302 redirect to the following PDF:
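The submit-then-redirect behaviour described above is also a usable detection pattern. As an added example (not code from the original post), the Python script below scans constructed proxy log lines, in an assumed "client method status url" layout, for a 302-answered POST to one of the provider PHP scripts followed by a GET of a PDF from the same host; the PDF filename is a placeholder because the post does not name it.

```python
import re
from urllib.parse import urlparse

# Provider-specific credential-harvesting scripts named in the post.
HARVEST_SCRIPTS = {"aol.php", "gmail.php", "hotmail.php", "yahoo.php", "other.php"}

# Constructed sample proxy log lines (assumed layout: client method status url).
# The .pdf name is a placeholder; the post does not give the real filename.
SAMPLE_LOG = """\
10.0.0.5 GET 200 http://weightlossaltamontesprings.com/wp-admin/Secured%20Document%20attached/index.php
10.0.0.5 POST 302 http://weightlossaltamontesprings.com/wp-admin/Secured%20Document%20attached/gmail.php
10.0.0.5 GET 200 http://weightlossaltamontesprings.com/wp-admin/Secured%20Document%20attached/PLACEHOLDER.pdf
10.0.0.9 POST 302 https://mail.example.net/login.php
10.0.0.9 GET 200 https://mail.example.net/home
10.0.0.7 POST 302 https://cdn.example.org/yahoo.php
10.0.0.7 GET 200 https://cdn.example.org/invoice.pdf
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST) (\d{3}) (\S+)$")


def parse_line(line):
    """Split one log line into (client, method, status, parsed_url) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, status, url = m.groups()
    return client, method, int(status), urlparse(url)


def find_harvest_sequences(log_text):
    """Return (client, host, script) for every client whose POST to a
    provider-named PHP script got a 302 and whose very next request was a
    GET for a PDF on the same host, i.e. the flow the phishing page uses."""
    findings = []
    pending = {}  # client -> (host, script) of the last suspicious POST
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        client, method, status, url = rec
        script = url.path.rsplit("/", 1)[-1].lower()
        if method == "POST" and status == 302 and script in HARVEST_SCRIPTS:
            pending[client] = (url.netloc, script)
            continue
        prev = pending.pop(client, None)  # only the immediately following request counts
        if (prev and method == "GET" and url.netloc == prev[0]
                and url.path.lower().endswith(".pdf")):
            findings.append((client, prev[0], prev[1]))
    return findings


if __name__ == "__main__":
    for client, host, script in find_harvest_sequences(SAMPLE_LOG):
        print(f"possible credential harvest: {client} -> {host}/{script}")
```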
The large amount of CSS in the remotely hosted page was the most interesting part of this phishing attempt as it accounted for about 80% of the contents of the file.