The spam messages started flowing shortly before 9 AM, and by 10:30 we had received 548 copies of a spam email that looked like this:
The subject line was always "Fraud Alert: Irregular Card Activity"
The From address was always "American Express (fraud@aexp.com)"
But the highlighted link that claims it will take you to https://www.americanexpress.com/ actually goes to one of 419 URLs on one of 57 compromised webservers. The list of servers is:
0067959.netsolhost.comOn each server there was a selection of randomly named dictionary word directory names, followed by a "/index.html" such as:
02fbd07.netsolhost.com
119.245.150.94
184.168.170.184
188.165.206.52
209.173.242.165
anggieystratega.com
bentleycrossing.com
bluestreakfinancial.com
bobjonesaccounting.com
certificaat.ledtechno.be
copyrman.site.aplus.net
criminalsearchcanada.com
dinnerat8.mywebcommunity.org
durushayakkabi.com
entertainindy.com
etbroderi.no
expert-log.com
fassion.toypark.in
feuerwehr-queckborn.de
flat.bplaced.net
fmax.in.th
ftp.ccmanitowoc.org
ftp.likvidace-aut.cz
ftp.selectstl.com
idealmobilemedia.com
mircomultimedia.com
missionwild.ieasysite.com
orbitek.hosting24.com.au
peterottenzonwering.nl
pm.vertigry.com
proteebar.com
quarksocial.net
russiantheatre.ca
secomimages.co.uk
shiragellman.com
spanglaw.www65.a2hosting.com
sprintcar1.com
swansonhaskamp.com
tastemasters.de
tvbox.veria.eu
user4634.vs.easily.co.uk
w7u20zuyb.homepage.t-online.de
walegion.comcastbiz.net
watertechnology.gr
wer1globle.com
www.59-90.com
www.contactl.www66.a2hosting.com
www.g4amt.com
www.myspringriver.com
www.purecoat.com
www.qigong-yangsheng-koeln.de
www.regionshg.com
www.teammoutai.com
www.yardvilleheights.com
www.zen65048.zen.co.uk
yourbabyname.awardspace.com
Each of those index.html pages was actually a redirector that posted a message in a box that said "Connecting to server..." while it tried to load one of three JavaScript files from three different locations. Between all of the boxes, we saw a total of ten of these JavaScript files:
/lipid/index.html
/juno/index.html
/tarnished/index.html
/linker/index.html
/musicologist/index.html
/village/index.html
/mered/index.html
/satan/index.html
/laconic/index.html
/parsons/index.html
/strayed/index.html
http://184.177.180.52/boers/ghostwrote.jsEach of THOSE files in turn did a "document.location" redirection to one of the three actual phishing sites:
http://194.15.212.104/hemispherical/inbounding.js
http://208.106.191.91/glamored/pans.js
http://ghanamusicbox.com/crystallization/carcinomas.js
http://hamidebirsengur.com.tr/honduras/wildernesses.js
http://kaindustries.comcastbiz.net/imaginable/emulsion.js
http://msco-iraq.com/chervil/capturing.js
http://naturesfinest.eu/eroding/patricians.js
http://portel.home.pl/aborigines/nerveless.js
http://winklersmagicwarehouse.com/handmade/analects.js
http://www.greenerhomesnortheast.co.uk/jacksonian/barrettes.js
http://zuniweb.com/burliest/squeaking.js
steelhorsecomputers[.]net/americanexpress/
birddogpaperandhome[.]com/americanexpress/
cyfairfamilyfest[.]com/americanexpress/
Here's the Phish Walk Through once we finally arrive at one of the three destination phishing sites:
First they ask for the Userid and password
Then the Social Security number, your birthdate, your mother's maiden name, her birthdate, and a PIN.
Now the card number . . .
And the expiration date . . .
And finally your 5,000 Reward points are awarded, and you are forwarded to the actual AmEx page.
So, to gather the userid and password of a few hundred American Express card holders, the phisher today was willing and able to break in to SEVENTY web servers ... 57 used in the spam ... 10 more used for the JavaScript Redirection scrips ... and 3 used for the actual phishing hosts.
Quite an elaborate scheme. We'll be talking about MORE elaborate phishing schemes and webserver compromises in our Malcovery Webinar on Halloween Day, October 31, 2013 @ 1:00 Eastern / noon Central -- How Threat Intelligence Reveals The Scariest Cyber Attacks" -- (click the link to Register)
