Another day, another phish. This time it concerns a phishing e-mail targeting a Belgian bank. The phishing e-mail looked like this:
The link is only viewable if you enable HTML content in the e-mail client.
The link points to the URL shortening service Bitly and then follows a couple of redirects (including another URL shortening service):
- bitly.com, via HTTPS, received 301 Moved Permanently;
- go2l.ink, via HTTP, received 302 FOUND;
- A PHP page hosted on a WordPress site, via HTTPS, received 302 Moved Temporarily;
- go2l.ink, via HTTP, received 302 Found;
- phishing site, via HTTP, received 301 Moved Permanently (last 302 in graph above should be 301, will update soon);
- phishing site, via HTTP, received 200.
Notice the different redirect codes and the switching between HTTP and HTTPS.
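To see those details you have to follow the chain one hop at a time, since a browser (or a library that auto-follows redirects) hides the intermediate status codes and the HTTP/HTTPS switches. The script below is an added example, not the author's tooling: it issues single requests with `http.client` (which never follows `Location` headers), records scheme, host and status per hop, and flags the three things the post calls out (scheme switches, a host visited twice, mixed 301/302 codes). The chain is reproduced offline with constructed hostnames (`wordpress-site.example`, `phishing-site.example`) and a constructed Bitly path; only `bitly.com` and `go2l.ink` come from the post.

```python
"""Trace a redirect chain hop by hop and summarise what a triager cares about."""
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


def http_fetch(url, timeout=10):
    """One GET, returning (status, headers) WITHOUT following redirects."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("GET", path, headers={"User-Agent": "redirect-tracer/0.1"})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()  # body is not needed for the trace
    return resp.status, headers


def follow_chain(start_url, fetch=http_fetch, max_hops=10):
    """Return one record per hop: url, host, scheme and the status received."""
    hops, url = [], start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}
        parts = urlsplit(url)
        hops.append({"url": url, "host": parts.hostname, "scheme": parts.scheme, "status": status})
        if status in REDIRECT_CODES and headers.get("location"):
            url = urljoin(url, headers["location"])  # Location may be relative
            continue
        return hops
    raise RuntimeError("gave up after %d hops" % max_hops)


def chain_findings(hops):
    """Scheme switches, hosts revisited later in the chain, and mixed redirect codes."""
    findings, last_seen = [], {}
    for i, hop in enumerate(hops):
        if i and hops[i - 1]["scheme"] != hop["scheme"]:
            findings.append(f"hop {i}: scheme switch {hops[i - 1]['scheme']} -> {hop['scheme']}")
        if hop["host"] in last_seen and last_seen[hop["host"]] != i - 1:
            findings.append(f"hop {i}: host {hop['host']} revisited (last at hop {last_seen[hop['host']]})")
        last_seen[hop["host"]] = i
    codes = sorted({h["status"] for h in hops if h["status"] in REDIRECT_CODES})
    if len(codes) > 1:
        findings.append("mixed redirect codes: " + ", ".join(map(str, codes)))
    return findings


# Constructed offline stand-in for the network: the chain described in the post,
# with placeholder hostnames for the WordPress site and the phishing site.
CONSTRUCTED_CHAIN = {
    "https://bitly.com/CONSTRUCTED": (301, {"Location": "http://go2l.ink/abc"}),
    "http://go2l.ink/abc": (302, {"Location": "https://wordpress-site.example/wp-content/r.php"}),
    "https://wordpress-site.example/wp-content/r.php": (302, {"Location": "http://go2l.ink/def"}),
    "http://go2l.ink/def": (302, {"Location": "http://phishing-site.example"}),
    "http://phishing-site.example": (301, {"Location": "http://phishing-site.example/"}),
    "http://phishing-site.example/": (200, {}),
}


def fake_fetch(url):
    """Drop-in replacement for http_fetch that serves the constructed chain."""
    return CONSTRUCTED_CHAIN[url]


if __name__ == "__main__":
    hops = follow_chain("https://bitly.com/CONSTRUCTED", fetch=fake_fetch)
    for i, h in enumerate(hops):
        print(f"{i}: {h['status']} {h['scheme']}://{h['host']}")
    for f in chain_findings(hops):
        print("  !", f)
```

Against a live URL you would pass the default `http_fetch` instead of `fake_fetch`; do that from an isolated analysis host, since the final hop serves the phishing page.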
The phishing URL received well above 100 clicks per hour since it was distributed.
The phishing website used in this e-mail is a bit different. Not entirely new, but because there were quite a few of these messages in my spamtrap I thought it useful to take a closer look.
The website is in essence one big image, set as the background of the web page, together with one simple form. The form contains one input field (1), and the submit button is replaced with an image (2). All the form elements are absolutely positioned (position: absolute;). There’s not a lot of content in the page source for content-based phishing inspection to work with.
This is what the HTML looks like; spot the two image references to imgur (background + submit button):
Detection of this type of site is again a bit harder.
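Because there is almost no text to inspect, detection has to lean on the page's structure instead. The following added example (not the author's code) profiles an HTML document with the standard-library `html.parser` and reports the structural indicators this post describes: almost no visible text next to one or more images, a submit button that is an `<input type="image">`, every form control absolutely positioned, and images pulled from a third-party host. Both HTML documents in it are constructed: the first mimics the page described above (image paths on `i.imgur.com` are placeholders, `phishing-site.example` is a placeholder host), the second is an ordinary text-heavy login form for contrast.

```python
"""Structural indicators for a 'one big image plus a form' phishing page."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches url("..."), url('...') and url(...) inside CSS.
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)""", re.I)


class PageProfile(HTMLParser):
    """Collects the few features the heuristics below need."""

    def __init__(self):
        super().__init__()
        self.text_chars = 0   # visible text outside <script>/<style>
        self.image_urls = []  # <img src>, <input type=image src>, CSS url()
        self.inputs = []      # (type, absolutely_positioned) per form control
        self._in = None       # "script" or "style" while inside such a block

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "")
        if tag in ("script", "style"):
            self._in = tag
        self.image_urls += CSS_URL.findall(style)
        if tag == "img" and a.get("src"):
            self.image_urls.append(a["src"])
        if tag in ("input", "button"):
            itype = a.get("type", "submit" if tag == "button" else "text").lower()
            absolute = "position:absolute" in style.replace(" ", "").lower()
            self.inputs.append((itype, absolute))
            if itype == "image" and a.get("src"):
                self.image_urls.append(a["src"])

    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None

    def handle_data(self, data):
        if self._in == "style":
            self.image_urls += CSS_URL.findall(data)
        elif self._in is None:
            self.text_chars += len(data.strip())


def profile_page(html, page_host):
    """Return the list of indicators found; several together are a strong signal."""
    p = PageProfile()
    p.feed(html)
    p.close()
    image_hosts = sorted({urlsplit(u).hostname for u in p.image_urls if urlsplit(u).hostname})
    indicators = []
    if p.image_urls and p.text_chars < 50:
        indicators.append(f"almost no visible text ({p.text_chars} chars) but {len(p.image_urls)} image(s)")
    if any(t == "image" for t, _ in p.inputs):
        indicators.append("submit button replaced by an image")
    if p.inputs and all(absolute for _, absolute in p.inputs):
        indicators.append("every form control is position:absolute (laid out over a background image)")
    third_party = [h for h in image_hosts if h != page_host]
    if third_party:
        indicators.append("images loaded from third-party host(s): " + ", ".join(third_party))
    return indicators


# Constructed sample mimicking the page described in the post (placeholder image ids).
PHISH_HTML = """<html><head><style>
body { background: url("https://i.imgur.com/CONSTRUCTED1.png") no-repeat; }
</style></head><body>
<form method="post" action="login.php">
<input type="text" name="card" style="position: absolute; left: 420px; top: 310px;">
<input type="image" src="https://i.imgur.com/CONSTRUCTED2.png" style="position:absolute; left:420px; top:360px;">
</form></body></html>"""

# Constructed ordinary login form for contrast.
BENIGN_HTML = """<html><body><h1>Welcome to our online banking</h1>
<p>Please enter your customer number and PIN to sign in. Contact us if you need help.</p>
<form method="post" action="/login"><input type="text" name="customer">
<input type="password" name="pin"><button type="submit">Sign in</button></form>
<img src="/static/logo.png"></body></html>"""

if __name__ == "__main__":
    for name, html, host in (("phish", PHISH_HTML, "phishing-site.example"),
                             ("benign", BENIGN_HTML, "bank.example")):
        print(name, profile_page(html, host))
```

None of these indicators is conclusive on its own (plenty of legitimate pages use absolute positioning or a CDN for images), which is why the function returns the full list rather than a verdict and leaves the threshold to the caller.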
The site has been reported (bank + CSIRT). IOCs are available via Botvrij.eu – Free IOCs via MISP or directly via https://www.botvrij.eu/data/feed-osint/5a722b97-31d8-4e4c-b860-03a7c0a8ab16.json.
Note that Imgur itself is not a malicious website; it is an image hosting service that is being abused here to serve the page's images.