Traffic-Analysis.net – 2024-08-29: Phishing email and traffic to fake webmail login page

2024-08-29 (THURSDAY): PHISHING EMAIL AND TRAFFIC TO FAKE WEBMAIL LOGIN PAGE

NOTES:

  • Zip files are password protected. Please note that this site has a new password scheme. For the password, see the “about” page of this website.
  • Every now and then I get a good example of a phishing email and web traffic to the fake login page.
  • In this case I could use HTTP instead of HTTPS for the URL to the fake webmail login page.
  • I have recorded the packet capture (pcap), cleaned up portions of the email, and posted the information here.

ASSOCIATED FILES:

  • 1.7 KB (1,686 bytes)
  • 721.9 KB (721,947 bytes)

E-MAIL

INFORMATION IN THE HEADER OF THE EMAIL:

  • Received: from s940027.srvape(.)com (s940027.srvape(.)com (188.127.247(.)252)) with (information removed); Thu, 29 Aug 2024 04:15:53 +0000 (UTC)
  • Received: from ip172.ip-149-56-149(.)net (localhost (IPv6:::1)) by s940027.srvape(.)com (Postfix) with ESMTP id 617B56EE2A2 for (.)net>; Wed, 28 Aug 2024 12:06:27 +0200 (CEST)
  • From: SupportDesk (.)government(.)iq>
  • Subject: Account Validation!! For admin@malware-traffic-analysis(.)Net only!!
  • Date: Aug 28, 2024 03:06:26 -0700
  • Message-ID: (.)government(.)iq>
TRAFFIC

URL FROM THE EMAIL:

  • hxxps(:)//e-mail.procedure(.)best/management.aspx?good=admin@malware-traffic-analysis(.)net

  • NOTE: The server for this fake webmail page is behind Cloudflare, so its IP address is dynamic and falls somewhere in 172.67.0(.)0/16 or 104.21.0(.)0/16.
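Added example, not code from the original post or the site: a small Python triage routine that checks a message for the indicators visible in the headers and the link above (outermost relay outside the From: domain, "sign in" link outside the From: domain, the recipient's own address carried in the link's query string, and a Date: header far from the final Received time). The sample message is constructed from the values on this page; redacted parts are replaced by the word `removed`, the receiving MX hostname is made up, and the function and indicator names are my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse, parse_qs

# Constructed sample built from the header values shown above; "removed" stands in
# for the parts the page redacts, and the receiving MX hostname is made up.
SAMPLE_EMAIL = """\
Received: from s940027.srvape.com (s940027.srvape.com [188.127.247.252])
\tby mx.example.invalid; Thu, 29 Aug 2024 04:15:53 +0000 (UTC)
Received: from ip172.ip-149-56-149.net (localhost [IPv6:::1])
\tby s940027.srvape.com (Postfix) with ESMTP id 617B56EE2A2; Wed, 28 Aug 2024 12:06:27 +0200 (CEST)
From: SupportDesk <supportdesk@removed.government.iq>
To: admin@malware-traffic-analysis.net
Subject: Account Validation!! For admin@malware-traffic-analysis.Net only!!
Date: Wed, 28 Aug 2024 03:06:26 -0700

https://e-mail.procedure.best/management.aspx?good=admin@malware-traffic-analysis.net
"""

def registrable(host):  # last two labels: a rough stand-in for the registrable domain
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def relay_hosts(msg):  # host named in each Received "from" clause, outermost hop first
    return [m.group(1) for h in msg.get_all("Received", [])
            if (m := re.match(r"\s*from\s+(\S+)", h))]

def phishing_indicators(raw):
    """Return triage findings for one message; an empty list means none of these fired."""
    msg = message_from_string(raw)
    from_domain = registrable(parseaddr(msg["From"])[1].split("@")[-1])
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    found = []
    # 1. Outermost relay sits in a domain unrelated to the claimed sender. This is noisy
    #    for legitimate third-party senders, so treat it as a signal, not a verdict.
    hops = relay_hosts(msg)
    if hops and registrable(hops[0]) != from_domain:
        found.append(f"relay {hops[0]} is outside the From domain {from_domain}")
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        u = urlparse(url)
        # 2. The link the victim is asked to sign in on is hosted outside the sender's domain
        if registrable(u.hostname or "") != from_domain:
            found.append(f"link host {u.hostname} is outside the From domain {from_domain}")
        # 3. The recipient's address is embedded in the link, as in the ?good= parameter above
        if any(recipient in (v.lower() for v in vals) for vals in parse_qs(u.query).values()):
            found.append(f"recipient address embedded in link query: {u.query}")
    # 4. Date: header is far from the time the outermost relay handed the message over
    if msg["Date"] and hops:
        handed_over = parsedate_to_datetime(msg["Received"].rsplit(";", 1)[-1].strip())
        if abs((handed_over - parsedate_to_datetime(msg["Date"])).total_seconds()) > 12 * 3600:
            found.append("Date header is more than 12 hours from the last Received time")
    return found
```

Run against the constructed sample this reports all four indicators; against ordinary mail from a sender whose relay and links stay inside its own domain it reports none.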

IMAGES

Shown above: Screenshot of the email.

Shown above: The fake webmail page viewed in Microsoft Edge, with HTTP instead of HTTPS used for the URL.

Shown above: Traffic filtered in Wireshark from visiting the fake webmail page with HTTP instead of HTTPS for the URL.

Shown above: TCP stream of the HTTP POST request sending my credentials.