Fake American Express mails

[Pondus]

Just recived 4 fake American Express mails with same attachment (same MD5)

No detection on VT
First submission 2017-02-18 15:48:31 UTC ( 4 hours, 8 minutes ago )
https://virustotal.com/en/file/8f4d9765a806a426a7b6b18e900dfae69ad741a014a6ad90e487423960627a7b/analysis/1487446790/

[TrueIndian]

A fake page trying to trick the user into putting his details in...Interesting

[Pondus]

A fake page trying to trick the user into putting his details in...Interesting

We call it Phishing   

[DavidR]

Just recived 4 fake American Express mails with same attachment (same MD5)

No detection on VT
First submission 2017-02-18 15:48:31 UTC ( 4 hours, 8 minutes ago )
https://virustotal.com/en/file/8f4d9765a806a426a7b6b18e900dfae69ad741a014a6ad90e487423960627a7b/analysis/1487446790/

This social engineering (phishing) scam has been going on for years, just change the name of the carrier to any of the major carriers. If you aren't expecting a parcel, then it is most likely fake.

If you are expecting a parcel, who you ordered goods from should have given you a tracking reference number, visit the carriers site, don't use the link in an unsolicited email.

[Secondmineboy]

@Pondus: Whats the URL of the page thatwants to have your credentials?

[Pondus]

@Pondus: Whats the URL of the page thatwants to have your credentials?

https://virustotal.com/en/url/b2acbcce26f20069041151ae6df28fafe8a9743d243d8928657a9986cc9c87d2/analysis/1487511535/

[TrueIndian]

A fake page trying to trick the user into putting his details in...Interesting

We call it Phishing   

This phishing site is a week old.No detection though:
https://virustotal.com/en/file/7015912b8da817db50a2eb45b43e100bf45eef54785843498c429254b2cea9a4/analysis/1486498511/

[polonus]

Hi True Indian,

The url is now being flagged by ESET. See script and obfuscation patterns here: -https://aw-snap.info/file-viewer/?tgt=https%3A%2F%2Fiao.org.il%2Fwp-content%2Fuploads%2Fcreative.php&ref_sel=GSP2&ua_sel=ff&fs=1
(visit if you know what you are doing) There is a heuristical DNS block active for that domain there: http://urlquery.net/report.php?id=1487535990195

We see php malware here at work, like creative.php, and we could use programs like php-malware finder to detect:
https://github.com/creativeprogramming/php-malware-finder

Inbuilt:

Detect:
        - phpencode.org
        - http://www.pipsomania.com/best_php_obfuscator.do
        - http://atomiku.com/online-php-code-obfuscator/
        - http://www.webtoolsvn.com/en-decode/
        - http://obfuscator.uk/example/
        - http://w3webtools.com/encode-php-online/
        - http://www.joeswebtools.com/security/php-obfuscator/
        - https://github.com/epinna/weevely3
        - http://cipherdesign.co.uk/service/php-obfuscator
        - http://sysadmin.cyklodev.com/online-php-obfuscator/
        - http://mohssen.org/SpinObf.php
        - https://code.google.com/p/carbylamine/
        - https://github.com/tennc/webshell

It is an old form of misdirected creativity: https://blog.sucuri.net/2013/08/more-creative-backdoors-using-filename-typos.html

polonus

[savcin]

MultiString detection has been created.