The spam messages started flowing shortly before 9 AM, and by 10:30 we had received 548 copies of a spam email that looked like this:
The subject line was always "Fraud Alert: Irregular Card Activity"
The From address was always "American Express (email@example.com)"
But the highlighted link that claims it will take you to https://www.americanexpress.com/ actually goes to one of 419 URLs on one of 57 compromised webservers. The list of servers is:
0067959.netsolhost.com 02fbd07.netsolhost.com 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 anggieystratega.com bentleycrossing.com bluestreakfinancial.com bobjonesaccounting.com certificaat.ledtechno.be copyrman.site.aplus.net criminalsearchcanada.com dinnerat8.mywebcommunity.org durushayakkabi.com entertainindy.com etbroderi.no expert-log.com fassion.toypark.in feuerwehr-queckborn.de flat.bplaced.net fmax.in.th ftp.ccmanitowoc.org ftp.likvidace-aut.cz ftp.selectstl.com idealmobilemedia.com mircomultimedia.com missionwild.ieasysite.com orbitek.hosting24.com.au peterottenzonwering.nl pm.vertigry.com proteebar.com quarksocial.net russiantheatre.ca secomimages.co.uk shiragellman.com spanglaw.www65.a2hosting.com sprintcar1.com swansonhaskamp.com tastemasters.de tvbox.veria.eu user4634.vs.easily.co.uk w7u20zuyb.homepage.t-online.de walegion.comcastbiz.net watertechnology.gr wer1globle.com www.59-90.com www.contactl.www66.a2hosting.com www.g4amt.com www.myspringriver.com www.purecoat.com www.qigong-yangsheng-koeln.de www.regionshg.com www.teammoutai.com www.yardvilleheights.com www.zen65048.zen.co.uk yourbabyname.awardspace.comOn each server there was a selection of randomly named dictionary word directory names, followed by a "/index.html" such as:
http://22.214.171.124/boers/ghostwrote.js http://126.96.36.199/hemispherical/inbounding.js http://188.8.131.52/glamored/pans.js http://ghanamusicbox.com/crystallization/carcinomas.js http://hamidebirsengur.com.tr/honduras/wildernesses.js http://kaindustries.comcastbiz.net/imaginable/emulsion.js http://msco-iraq.com/chervil/capturing.js http://naturesfinest.eu/eroding/patricians.js http://portel.home.pl/aborigines/nerveless.js http://winklersmagicwarehouse.com/handmade/analects.js http://www.greenerhomesnortheast.co.uk/jacksonian/barrettes.js http://zuniweb.com/burliest/squeaking.jsEach of THOSE files in turn did a "document.location" redirection to one of the three actual phishing sites:
steelhorsecomputers[.]net/americanexpress/ birddogpaperandhome[.]com/americanexpress/ cyfairfamilyfest[.]com/americanexpress/
Here's the Phish Walk Through once we finally arrive at one of the three destination phishing sites:
First they ask for the Userid and password
Then the Social Security number, your birthdate, your mother's maiden name, her birthdate, and a PIN.
Now the card number . . .
And the expiration date . . .
And finally your 5,000 Reward points are awarded, and you are forwarded to the actual AmEx page.
Quite an elaborate scheme. We'll be talking about MORE elaborate phishing schemes and webserver compromises in our Malcovery Webinar on Halloween Day, October 31, 2013 @ 1:00 Eastern / noon Central -- How Threat Intelligence Reveals The Scariest Cyber Attacks" -- (click the link to Register)