Jump to content

Multiple Email type account Phish


Recommended Posts

I know these kind of posts usually stop here, but I have a question about this. The PDF was labeled HUD-1.pdf. Can you tell me more about it? I often research HUD and wouldn't want to stumble across whatever this is. Since the label of the topic is Email, can I assume it came uninvited through a mail client?

Thanks for your patience.

Link to post
Share on other sites

 I'll ask @AdvancedSetup to split this off as a discussion on the thread; Multiple Email type account Phish

I can't speak to the the method of dissemination so I'll start with this file.

File names, email subjects and content use Social Engineering.  That is the Human Exploit.  They exploit many different human constructs; love, hate, loneliness, poverty, sex, politics, local and regional events, and other things that take the attention of a person.  Malicious Actors create a narrative of subject that exploits one or more of these constructs.  For example, payment of taxes in tax season.

Maybe HUD stands for Housing and Urban Development and maybe not.  Its familiar and creates curiosity and a reason to view the content.  In this case the file name is;  HUD-1.pdf  a Portable Document Format file.  It is possible it was received in email but I do not have its backstory.

Here is the content of the PDF


As you can see it is rather simple.  Its is basically graphic that is the Front End to a 1Shortened URL.  The Shortened URL is not the Phish.  It is a redirection URL to the actual PHISH site.  The service is used to obfuscate the Phish URL.  An email system Spam and Content Filter will not block the actual Phish, it will only see a URL that is in itself not malicious.  

The Phish is actually hosted on Google [ googleapis.com ] via a Blob URI and as the graphic shows masquerades as Adobe.  For the "victim" to see the supposed Adobe content, you have to logon.  This 2Phish Kit provides what is intended to look like portals to various email systems [ AOL, Yahoo, Google and Microsoft ].  If you choose one of them, as my posted screenshot shows, the text of the email system's URL is exhibited to lend credulity to the Phish.  For example in my screen capture in the referenced thread it shows I chose AOL and the dialogue shows the AOL Webmail URL.  But it is a Phish and is Fake.  Because this Phish is hosted on  googleapis.com the code uses a HTTPS POST to pass the harvested Login Credentials to a third party site.

I labeled the thread Multiple Email type account Phish because that was its intention.  The Phish Kit exhibited fake logons for multiple email systems.  It did not have to do with the method of dissemination but for the type of account credential harvesting.


1.  Shortened URL - There are web services that take a long URL [ such as;  https://forums.malwarebytes.com/topic/297020-multiple-email-type-account-phish/  ] and they will create a substitute via a simple, short URL [ such as;  https://tinyurl.com/My-Short1 ]

2.  Phish Kit - Usually is in the form of a ZIP file that contains the Graphics, PHP and JavaScript and structure such that when the contents of the ZIP file are extracted to a web server (host), a URL on that web server can then be used to display the full content of the Phishing content that is shown as a fully rendered web page content.

Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar
  • Thanks 1
Link to post
Share on other sites

@David H. Lipman  I assumed HUD was Housing and Urban Development.

On 4/19/2023 at 3:21 PM, David H. Lipman said:

and maybe not

Sometimes I take things at face value. 

I'm familiar with:

  1. social engineering/human exploit.
  2. PDF
  3. shortened URLs.

Question: I've watched the 18 second video multiple times and at the 11 second mark see


overlaid on the Download PDF button briefly.  Is this a clue regarding a phishing site? if not, what is that? I didn't know about BLOB URI,  Phish Kits or googleapis.

Thank you for the links to descriptions. That's always helpful. This year is the first time I've learned about phishing in depth. It's sad (for lack of a better descriptive word which might be allowed) that people work so hard to steal and exploit others in such a "ready made" way for the wanna be scammers. On the other hand, are those templates what give them away and enable more educated minds to spot them? 

Thank you.




Edited by AdvancedSetup
Disabled live hyperlinks
Link to post
Share on other sites

You are extracting the wrong URL from the video.  The URL was meant to be obfuscated.  All malicious, suspicious and/or nefarious URL should be posted "obfuscated" by using Code Tags.


That represents the Shortened URL service and it "redirects" to the Phish site which has since been taken down.

  • Like 1
Link to post
Share on other sites

Unless you are in the anti malware community or experienced with handling malicious content you don't take the time to "expose" these you just recognize them for what they are (recognize the Red Flags) and DELETE them.

If you are still of a mind to have action taken action against malicious content, you can place them in an Archive file and submit them in the appropriate sub-forum and submitted according to the associated submission guidelines.

In the case of @Firefox. he has a  mind to take action against malicious content found in his employers purview and pass it on to me to make a judgement call on the content and post if it is something that Malwarebytes can act upon and then provide him a more detailed explanation of the malicious actions of the content.  I will also do this on the behalf of others upon request.

Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar
  • Like 1
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.