Multiple Email type account Phish

[NewTricks]

I know these kind of posts usually stop here, but I have a question about this. The PDF was labeled HUD-1.pdf. Can you tell me more about it? I often research HUD and wouldn't want to stumble across whatever this is. Since the label of the topic is Email, can I assume it came uninvited through a mail client?

Thanks for your patience.

[David H. Lipman]

 I'll ask @AdvancedSetup to split this off as a discussion on the thread; Multiple Email type account Phish

I can't speak to the the method of dissemination so I'll start with this file.

File names, email subjects and content use Social Engineering.  That is the Human Exploit.  They exploit many different human constructs; love, hate, loneliness, poverty, sex, politics, local and regional events, and other things that take the attention of a person.  Malicious Actors create a narrative of subject that exploits one or more of these constructs.  For example, payment of taxes in tax season.

Maybe HUD stands for Housing and Urban Development and maybe not.  Its familiar and creates curiosity and a reason to view the content.  In this case the file name is;  HUD-1.pdf  a Portable Document Format file.  It is possible it was received in email but I do not have its backstory.

Here is the content of the PDF

 

As you can see it is rather simple.  Its is basically graphic that is the Front End to a ¹Shortened URL.  The Shortened URL is not the Phish.  It is a redirection URL to the actual PHISH site.  The service is used to obfuscate the Phish URL.  An email system Spam and Content Filter will not block the actual Phish, it will only see a URL that is in itself not malicious.  

The Phish is actually hosted on Google [ googleapis.com ] via a Blob URI and as the graphic shows masquerades as Adobe.  For the "victim" to see the supposed Adobe content, you have to logon.  This ²Phish Kit provides what is intended to look like portals to various email systems [ AOL, Yahoo, Google and Microsoft ].  If you choose one of them, as my posted screenshot shows, the text of the email system's URL is exhibited to lend credulity to the Phish.  For example in my screen capture in the referenced thread it shows I chose AOL and the dialogue shows the AOL Webmail URL.  But it is a Phish and is Fake.  Because this Phish is hosted on  googleapis.com the code uses a HTTPS POST to pass the harvested Login Credentials to a third party site.

I labeled the thread Multiple Email type account Phish because that was its intention.  The Phish Kit exhibited fake logons for multiple email systems.  It did not have to do with the method of dissemination but for the type of account credential harvesting.

 

---

1.  Shortened URL - There are web services that take a long URL [ such as;  https://forums.malwarebytes.com/topic/297020-multiple-email-type-account-phish/  ] and they will create a substitute via a simple, short URL [ such as;  https://tinyurl.com/My-Short1 ]

2.  Phish Kit - Usually is in the form of a ZIP file that contains the Graphics, PHP and JavaScript and structure such that when the contents of the ZIP file are extracted to a web server (host), a URL on that web server can then be used to display the full content of the Phishing content that is shown as a fully rendered web page content.

Edited April 21, 2023 by David H. Lipman
Edited for content, clarity, spelling and/or grammar

[AdvancedSetup]

Post split to new topic @NewTricks @David H. Lipman

[NewTricks]

@David H. Lipman  I assumed HUD was Housing and Urban Development.

On 4/19/2023 at 3:21 PM, David H. Lipman said:

and maybe not

Sometimes I take things at face value. 

I'm familiar with:

1. social engineering/human exploit.
2. PDF
3. shortened URLs.

Question: I've watched the 18 second video multiple times and at the 11 second mark see

https://s.id/EBBj

overlaid on the Download PDF button briefly.  Is this a clue regarding a phishing site? if not, what is that? I didn't know about BLOB URI,  Phish Kits or googleapis.

Thank you for the links to descriptions. That's always helpful. This year is the first time I've learned about phishing in depth. It's sad (for lack of a better descriptive word which might be allowed) that people work so hard to steal and exploit others in such a "ready made" way for the wanna be scammers. On the other hand, are those templates what give them away and enable more educated minds to spot them? 

Thank you.
 

 

 

 

Edited April 21, 2023 by AdvancedSetup
Disabled live hyperlinks

[David H. Lipman]

You are extracting the wrong URL from the video.  The URL was meant to be obfuscated.  All malicious, suspicious and/or nefarious URL should be posted "obfuscated" by using Code Tags.

https://s.id/1EBBj

That represents the Shortened URL service and it "redirects" to the Phish site which has since been taken down.

[NewTricks]

35 minutes ago, David H. Lipman said:

That represents the Shortened URL service and it "redirects" to the Phish site which has since been taken down.

OK, yes, I'm sure it has. But I did catch it, if only because I wasn't supposed to. This is tricky stuff.

[NewTricks]

Next question: what are the specific steps/programs or methods Firefox/anyone  uses to expose this?

[David H. Lipman]

Unless you are in the anti malware community or experienced with handling malicious content you don't take the time to "expose" these you just recognize them for what they are (recognize the Red Flags) and DELETE them.

If you are still of a mind to have action taken action against malicious content, you can place them in an Archive file and submit them in the appropriate sub-forum and submitted according to the associated submission guidelines.

In the case of @Firefox. he has a  mind to take action against malicious content found in his employers purview and pass it on to me to make a judgement call on the content and post if it is something that Malwarebytes can act upon and then provide him a more detailed explanation of the malicious actions of the content.  I will also do this on the behalf of others upon request.

Edited April 21, 2023 by David H. Lipman
Edited for content, clarity, spelling and/or grammar

[NewTricks]

Thanks for the primer on who does what, when and why.