Phishing email + URL redirection attack

Mr.X

I have a question about the mechanism an email uses to deliver a phishing and URL redirection attack.
Note: I have already reported the following links/URLs, so they no longer work and are safe to post.

1. Today I received an email from "my bank" informing me that my account had been blocked.

2. There's a link embedded in the text of the message like this:
Code:
http://www.banorte.com/portal/personas/home.web

3. When I hover the mouse over the link, I can see the real URL at the bottom of the browser:
Code:
http://www.uniformesbordados.com.mx/karen/Logos%20Vida%20Nocturna%20200x200/03bhy.html

4. Next, if I click on the link it redirects to:
Code:
http://baainoirtee-14121.gotdns.ch

Question:
Is the uniformesbordados.com.mx domain compromised?
If so, does the hosting service, in this case Servnet Mexico, SA de CV, already have a compromised infrastructure or something?

http://whois.domaintools.com/uniformesbordados.com.mx

Actually, www.uniformesbordados.com.mx is a working domain legitimately owned by a company in Mexico.
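The trick described in steps 2 and 3 (link text that reads like the bank's URL while the href points at another host) is easy to check for mechanically. The following is an added example, not code from the thread: it parses an e-mail body with the standard library, collects every anchor, and reports those whose visible text looks like a URL on a different host than the href actually targets. The e-mail body is constructed for the example and reuses the two URLs quoted in the post; the `URL_LIKE` pattern and the `www.`-stripping host comparison are simplifications, not a public-suffix lookup.

```python
"""Flag anchors in an HTML e-mail whose visible text looks like a URL on one
host but whose href points somewhere else (the trick in the post above).
Added example, not code from the thread; the e-mail body is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed e-mail body mirroring the post: the link reads like the bank's
# portal but points at an unrelated site; the other two links are benign.
SAMPLE_EMAIL_HTML = """
<p>Estimado cliente, su cuenta ha sido bloqueada. Ingrese aqui:</p>
<a href="http://www.uniformesbordados.com.mx/karen/Logos%20Vida%20Nocturna%20200x200/03bhy.html">
  http://www.banorte.com/portal/personas/home.web
</a>
<p>Or visit <a href="https://www.banorte.com/">https://www.banorte.com/</a></p>
<p>Questions? <a href="mailto:soporte@example.com">Contact us</a></p>
"""

# Visible text that a reader would take for an address: optional scheme,
# a dotted host, optional path. Simplified on purpose.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []      # list of (href, text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())   # collapse whitespace
            self.anchors.append((self._href, text))
            self._href = None


def host_of(url):
    """Lower-cased hostname without a leading 'www.'; a scheme is added when
    the visible text lacks one. Not a registrable-domain lookup."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_mismatched_links(html):
    """Return (shown_text, real_href) for anchors whose text looks like a URL
    on a different host than the href actually targets."""
    p = AnchorCollector()
    p.feed(html)
    findings = []
    for href, text in p.anchors:
        if not URL_LIKE.match(text):
            continue                      # "Contact us" style text: nothing to compare
        if urlsplit(href).scheme not in ("http", "https"):
            continue                      # mailto:, tel:, ... carry no host
        if host_of(text) != host_of(href):
            findings.append((text, href))
    return findings


if __name__ == "__main__":
    for shown, real in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"display text {shown!r} -> real target {real!r}")
```

The same check generalises to display text without a scheme (plain `banorte.com`), which the regex also accepts; a mail gateway would typically run it over every `text/html` part and quarantine on the first hit.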
 

DardiM

http ://www .uniformesbordados.com.mx/karen/Logos%20Vida%20Nocturna%20200x200/03bhy.html

Redirection with:
Code:
<html>
<!-- meta refresh with a 0-second delay: the browser loads the target URL immediately -->
<META HTTP-EQUIV="REFRESH" CONTENT="0;URL=http ://baainoirtee-14121.gotdns.ch/">
</html>


So yes, there is a problem: maybe a hacker has successfully put this part there (if there is a hole in the protection of the website).
 

Mr.X

And I suppose it is Servnet Mexico, SA de CV's (the hosting provider's) responsibility to eradicate, or at least mitigate, and set countermeasures in place to ensure security for its customers. Right?
 


DardiM

Mr.X said:
And I suppose it is Servnet Mexico, SA de CV's (the hosting provider's) responsibility to eradicate, or at least mitigate, and set countermeasures in place to ensure security for its customers. Right?
Not specifically.
If a hacker can successfully gain remote access to the hosted website (there are different possibilities) and play with the permissions (read, write, create, delete), then he can change (add, modify, remove) some files.
Or, for example, if an admin of the website can log in as admin and modify the structure remotely (I mean using the website's management interface to manage the website, add products, etc.), and their account has been hacked (credentials stolen from their computer by malware, etc.)
=> It is then linked to the person who manages the website.
 

Mr.X

DardiM said:
Not specifically.
If a hacker can successfully gain remote access to the hosted website (there are different possibilities) and play with the permissions (read, write, create, delete), then he can change (add, modify, remove) some files.
Or, for example, if an admin of the website can log in as admin and modify the structure remotely (I mean using the website's management interface to manage the website, add products, etc.), and their account has been hacked (credentials stolen from their computer by malware, etc.)
=> It is then linked to the person who manages the website.
Got the picture. But let me tell you that yesterday I reported the situation to Servnet Mexico (note that I have nothing to do with any of the parties; I was just reporting for the sake of acquiring knowledge), so I think Servnet should already have solved this redirection somehow.
 

DardiM

Mr.X said:
Got the picture. But let me tell you that yesterday I reported the situation to Servnet Mexico (note that I have nothing to do with any of the parties; I was just reporting for the sake of acquiring knowledge), so I think Servnet should already have solved this redirection somehow.
The redirection is easy to remove: they only need to delete the webpage, which contains only what I showed in my previous post. After that, they have to resolve the security problem.
If it is a security issue on their side, it is their concern to fix it.
If it was done by stealing credentials from the users/admin of the website, they can warn them and change (or ask them to change) the login/password.
But I wonder how many other "bad" webpages have been put on their website to do the same stuff :)
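Two points from DardiM's posts lend themselves to a tool: the meta-refresh page quoted earlier (a `<META HTTP-EQUIV="REFRESH" CONTENT="0;URL=...">` that sends the browser on after zero seconds) and the closing question of how many other such pages sit in the same webroot. The block below is an added example, not code from the thread or from the hosting provider. It parses meta-refresh tags the way a browser tolerates them (any attribute order, quoting or case, with or without `url=`), resolves relative targets against the page's own URL, and walks a directory to list every page that bounces visitors to a host other than the site's. The webroot it builds under a temporary directory is constructed for the example, as are the file names other than the one quoted in the thread; the extension list is an assumption.

```python
"""Extract meta-refresh redirects (the trick shown earlier in the thread) and
scan a webroot for other pages that bounce visitors to a foreign host.
Added example, not code from the thread; HTML and directory are constructed."""
import os
import re
import tempfile
from urllib.parse import urljoin, urlsplit

# Constructed copy of the redirect page quoted in the thread.
REDIRECT_PAGE = """<html>
<META HTTP-EQUIV="REFRESH" CONTENT="0;URL=http://baainoirtee-14121.gotdns.ch/">
</html>"""

# A browser honours <meta http-equiv=refresh> in any attribute order, quoting
# style or letter case; curl/requests never follow it, so it has to be parsed.
META_TAG = re.compile(r"<meta\b[^>]*>", re.I | re.S)
ATTR = re.compile(r'([a-z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))', re.I)
# content="<delay>[;|,] [url=]<target>" as in the HTML spec's refresh parsing
CONTENT = re.compile(r"^\s*(\d+)\s*(?:[;,]\s*)?(?:url\s*=\s*)?(.*?)\s*$", re.I | re.S)


def _attrs(tag):
    """Lower-cased attribute dict for one tag string."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR.finditer(tag)}


def meta_refresh_targets(html, base_url):
    """Return [(delay_seconds, absolute_target)] for every meta refresh in html."""
    found = []
    for tag in META_TAG.findall(html):
        attrs = _attrs(tag)
        if attrs.get("http-equiv", "").lower() != "refresh":
            continue
        m = CONTENT.match(attrs.get("content", ""))
        if not m:
            continue
        target = m.group(2).strip("\"' ")
        if target:                      # content="5" alone just reloads the page
            found.append((int(m.group(1)), urljoin(base_url, target)))
    return found


def _site(host):
    """Normalise a hostname for comparison: lower case, no leading 'www.'."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def scan_webroot(root, site_host):
    """Walk root and list (relative path, target) for pages whose meta refresh
    leaves site_host, which is what 'how many other bad pages' asks for."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm", ".php")):   # assumed set
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                html = fh.read()
            for _, target in meta_refresh_targets(html, f"http://{site_host}/{rel}"):
                if _site(urlsplit(target).hostname) != _site(site_host):
                    hits.append((rel, target))
    return sorted(hits)


def build_sample_webroot():
    """Constructed webroot: the planted redirect, a normal page, and a
    legitimate same-site refresh that must not be reported."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "karen"))
    pages = {
        "karen/03bhy.html": REDIRECT_PAGE,
        "index.html": "<html><body><h1>Uniformes Bordados</h1></body></html>",
        "old.html": '<meta http-equiv="refresh" content="0; url=/index.html">',
    }
    for rel, body in pages.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, target in scan_webroot(build_sample_webroot(), "www.uniformesbordados.com.mx"):
        print(f"{rel} -> {target}")
```

Deleting the pages this reports is the easy half, as DardiM says; the list of paths and their modification times is also the starting point for working out how they were written (FTP log, CMS upload, exploited plugin), which is the half that actually closes the hole.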
 

tim one

It seems strange, but often these actions on websites are carried out by bot software running continuous and systematic scans of the internet, looking for sites that are easy to break into in "automatic" mode, without human intervention.

A site always has some vulnerability, for example in plugins or themes.
It can happen that a plugin has a vulnerability that can be distributed and exploited.

But one of the most widespread techniques concerns the password used to access the site: a bot tries to log in to the site with random passwords chosen from a library of millions of common passwords, in a brute-force attack.
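The password-guessing bots tim one describes leave a very recognisable trace in the web server's access log: a burst of POSTs to the login page from one address, each answered with the login form again. The following is an added example, not code from the thread: it parses combined-format log lines, keeps login POSTs, and flags any client that accumulates a threshold of failures inside a sliding time window, also noting whether a success follows the burst. The log lines are constructed; the login paths, the five-minute window and the threshold of ten are assumptions to tune per site. The 200-versus-302 distinction is WordPress behaviour (the form is redisplayed on a wrong password, the browser is redirected on success); other applications need their own success marker.

```python
"""Pick out password-guessing bots against a site's login page from its
access log. Added example, not from the thread; the log lines are constructed
and the login paths and thresholds are assumptions to tune per site."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "METHOD path proto" status bytes ...
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
LOGIN_PATHS = {"/wp-login.php", "/administrator/index.php"}  # assumed CMS login URLs
WINDOW = timedelta(minutes=5)   # assumption: tune per site
THRESHOLD = 10                  # failed login POSTs per IP inside WINDOW


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return (m.group("ip"), ts, m.group("method"),
            m.group("path").split("?", 1)[0], int(m.group("status")))


def detect_password_guessing(lines):
    """Flag IPs that send THRESHOLD or more login POSTs answered with 200 inside
    WINDOW. WordPress redisplays the form (200) on a wrong password and answers
    302 on success, so a 302 after the burst means one of the guesses worked."""
    events = defaultdict(list)              # ip -> [(ts, status)] for login POSTs
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            events[rec[0]].append((rec[1], rec[4]))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [ts for ts, st in evs if st == 200]
        start = 0
        for end in range(len(fails)):       # sliding window over failure times
            while fails[end] - fails[start] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                alerts[ip] = {
                    "failures": len(fails),
                    "first": fails[0],
                    "last": fails[-1],
                    "success_after": any(st == 302 and ts >= fails[-1] for ts, st in evs),
                }
                break
    return alerts


def _log_line(ip, ts, method, path, status):
    """Format one constructed combined-log line."""
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"')


def build_sample_log():
    """Constructed log: one real visitor who mistypes once, and a bot that makes
    twelve wrong guesses four seconds apart and then gets in."""
    t0 = datetime(2016, 5, 3, 10, 0, 0, tzinfo=timezone.utc)
    lines = [_log_line("198.51.100.5", t0, "GET", "/", 200),
             _log_line("198.51.100.5", t0 + timedelta(seconds=30), "POST", "/wp-login.php", 200),
             _log_line("198.51.100.5", t0 + timedelta(seconds=45), "POST", "/wp-login.php", 302)]
    for i in range(12):
        lines.append(_log_line("203.0.113.7", t0 + timedelta(seconds=4 * i), "POST", "/wp-login.php", 200))
    lines.append(_log_line("203.0.113.7", t0 + timedelta(seconds=50), "POST",
                           "/wp-login.php?redirect_to=%2Fwp-admin%2F", 302))
    return lines


if __name__ == "__main__":
    for ip, info in detect_password_guessing(build_sample_log()).items():
        print(f"{ip}: {info['failures']} failed logins {info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}, "
              f"success afterwards: {info['success_after']}")
```

An alert with `success_after` set is the case that matters for this thread: the account was guessed, so resetting its password and auditing what was uploaded afterwards comes before blocking the address, which a bot will simply rotate.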
 

DardiM

tim one said:
But one of the most widespread techniques concerns the password used to access the site: a bot tries to log in to the site with random passwords chosen from a library of millions of common passwords, in a brute-force attack.
Yes, one of the possibilities, and I think the most used.
 

Mr.X

tim one said:
It seems strange, but often these actions on websites are carried out by bot software running continuous and systematic scans of the internet, looking for sites that are easy to break into in "automatic" mode, without human intervention.
Can you give some links to learn a bit more about this class of bots?
 
