The ASEC analysis team has previously reported on numerous phishing websites disguised as various companies. The team recently discovered a malicious email disguised as a message from Emirates Post, a transport company, during the overseas direct purchase season.
As shown in the figure below, the malicious email states that there is a problem with the shipping address and asks the purchaser to check it and respond. The texts “Tracking Number” and “Click Here” are linked to a malicious URL that redirects anyone who clicks them to the phishing website. The email also pressures the user to click by stating that the link expires after 24 hours.
As the link address in the email below shows, the address of the malicious website was made to resemble that of the normal Emirates Post website. Users must take great caution, as it can be mistaken for the normal website.
- hxxps://emirates-ae-post-shipping.com/ (Malicious)
- https://emiratespost.ae (Normal)
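One way to triage links like the two above is sketched here as an added example (not ASEC's code): it pulls every anchor out of an HTML email body and checks whether its host is the normal domain, a true subdomain of it, or a different host that merely contains the brand words. The brand tokens, the function and class names, and the sample body are assumptions constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

OFFICIAL = "emiratespost.ae"         # legitimate domain named in the article
BRAND_TOKENS = ("emirates", "post")  # assumption: tokens picked for this example

def classify(url: str) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'unparseable' for a link."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")
    try:
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        host = ""
    if not host:
        return "unparseable"
    if host == OFFICIAL or host.endswith("." + OFFICIAL):  # exact or true subdomain
        return "official"
    squashed = re.sub(r"[^a-z0-9]", "", host)  # "emirates-ae-post" -> "emiratesaepost"
    if all(tok in squashed for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"

class LinkAudit(HTMLParser):
    """Collect (anchor text, href, verdict) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href, classify(self._href)))
            self._href = None

def audit(html_body: str):
    parser = LinkAudit()
    parser.feed(html_body)
    return parser.links

# Constructed sample modelled on the email described above (not the real message).
SAMPLE = ('<a href="hxxps://emirates-ae-post-shipping.com/">Tracking Number</a> '
          '<a href="hxxps://emirates-ae-post-shipping.com/">Click Here</a> '
          '<a href="https://emiratespost.ae">Emirates Post</a>')
```

A "lookalike" verdict is a triage signal for a mail filter or analyst queue; the token match is deliberately loose and will also flag unrelated hosts that happen to contain both words.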
Upon accessing the phishing website, the user is shown a page disguised as the Emirates Post website, which prompts the user to enter their phone number to check the shipping status.
Upon entering the phone number and clicking Continue on the page, the user is redirected to the URL below. The redirected page prompts the user to enter the 4-digit number sent to the entered phone number. The team has confirmed that entering any numbers redirects the user to the next page.
Upon entering the data and clicking Confirm, the user is redirected to a page that asks for additional user credentials. The figures and URLs below show the pages the user is redirected to after entering the data and clicking the button. As shown in the figures, they prompt the user to enter their home address and then their credit card information.
The figure below shows the final redirected page, which prompts the user to enter the code sent to the user’s phone number.
During the overseas direct purchase season, the distribution of malicious emails containing shipping-related text has recently been increasing, and the leakage of users’ credit card information can cause financial damage. Users should refrain from opening URLs attached to or included in emails from unknown sources.