Traffic-Analysis.net - 2024-08-29: Phishing email and traffic to fake webmail login page

2024-08-29 (THURSDAY): PHISHING EMAIL AND TRAFFIC TO FAKE WEBMAIL SIGN UP PAGE

NOTES:

Zip files are password protected. Please note that this site has a new password scheme. For the password, see the “about” page of this website.

Every now and then I get a good example of a phishing email and web traffic to the fake login page.
In this case I could use HTTP instead of HTTPS for the URL to the fake webmail login page.
I have recorded the packet capture (pcap), cleaned up portions of the email, and posted the information here.

ASSOCIATED FILES:

1.7 KB (1,686 bytes)
721.9 KB (721,947 bytes)

E-MAIL

INFORMATION IN THE HEADER OF THE EMAIL:

Received: from s940027.srvape

(.)com (s940027.srvape(.)with (188,127,247(.)252))
(information removed); Thu, Aug 29, 2024 04:15:53 +0000 (UTC)

Received: from ip172.ip-149-56-149

(.)net (localhost (IPv6:::1))
by s940027.srvape(.)com (Postfix) with ESMTP ID 617B56EE2A2
for (.)net>; Wed, 28 Aug 2024 12:06:27 +0200 (CEST)

From: SupportDesk (.)government(.)iq>

Account Validation!! For admin@malware-traffic-analysis

(.)Net only!!

Date: Aug 28, 2024 03:06:26 -0700

Message ID: (.)government(.)iq>

TRAFFIC

URL FROM THE EMAIL:

hxxps(:)//e-mail.procedure(.)best/management.aspx?good=admin@malware-traffic-analysis(.)net

NOTE: The server for this fake webmail page is behind Cloudflare, so the IP address is dynamic and somewhere between 172.67. 0(.)0/16 or 104.21. 0(.)0/16.