Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00124.outbound.protection.outlook.com [40.107.0.124]) by anna.lesderid.net (Postfix) with ESMTP id 149EDDB893 for ; Fri, 10 Feb 2017 22:45:02 +0100 (CET)
Received: from DB4PR06MB298.eurprd06.prod.outlook.com (10.141.233.143) by DB4PR06MB298.eurprd06.prod.outlook.com (10.141.233.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.888.16; Fri, 10 Feb 2017 21:44:58 +0000
Received: from DB4PR06MB298.eurprd06.prod.outlook.com ([fe80::61a7:f513:d2af:d50b]) by DB4PR06MB298.eurprd06.prod.outlook.com ([fe80::61a7:f513:d2af:d50b%15]) with mapi id 15.01.0888.029; Fri, 10 Feb 2017 21:44:58 +0000
From: MADALINA MARIA MARGINEAN
To: Les De Ridder
CC: DS_TSOL_phishing
Subject: RE: We have detected that fuwafuwa.moe is hosting a fraudulent website
Thread-Topic: We have detected that fuwafuwa.moe is hosting a fraudulent website
Thread-Index: AQHSg8WlnqZYjGn9YUyU+YaKMb86QaFin+lg
Date: Fri, 10 Feb 2017 21:44:58 +0000
Message-ID:
References:
In-Reply-To:
Accept-Language: en-US
Content-Language: es-ES
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=madalinamaria.marginean.ext@telefonica.com;
x-originating-ip: [81.40.110.204]
x-ms-office365-filtering-correlation-id: 773e011f-8055-4ec2-b7f5-08d451fe0f2d
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001)(48565401081);SRVR:DB4PR06MB298;
x-microsoft-exchange-diagnostics: 1;DB4PR06MB298;7:
x-microsoft-antispam-prvs:
x-exchange-antispam-report-test: UriScan:(40392960112811)(158342451672863)(209352067349851)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(102415395)(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(6041248)(20161123560025)(20161123555025)(20161123562025)(20161123558025)(20161123564025)(6072148);SRVR:DB4PR06MB298;BCL:0;PCL:0;RULEID:;SRVR:DB4PR06MB298;
x-forefront-prvs: 0214EB3F68
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(7916002)(39850400002)(39860400002)(39840400002)(39410400002)(39450400003)(504964003)(24454002)(189002)(252514010)(199003)(54556002)(236005)(6306002)(53936002)(54896002)(450100001)(6436002)(97736004)(110136004)(107886003)(6506006)(7696004)(5660300001)(53346004)(2950100002)(9686003)(6916009)(38730400002)(74316002)(53386004)(8676002)(790700001)(81156014)(81166006)(3846002)(8936002)(229853002)(68736007)(102836003)(6116002)(106116001)(106356001)(2906002)(99936001)(1680700002)(86362001)(33656002)(15650500001)(66066001)(10710500007)(4326007)(101416001)(105586002)(189998001)(99286003)(7110500001)(2900100001)(55016002)(7906003)(92566002)(6246003)(5250100002)(7736002)(3660700001)(2420400007)(76176999)(54356999)(50986999)(3280700002)(733005)(606005)(7099028)(9010500006)(18823205002)(19627235001);DIR:OUT;SFP:1102;SCL:1;SRVR:DB4PR06MB298;H:DB4PR06MB298.eurprd06.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en;
received-spf: None (protection.outlook.com: telefonica.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/related; boundary="_011_DB4PR06MB2985FD2A163C0D1E468CB82C9440DB4PR06MB298eurprd_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: telefonica.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Feb 2017 21:44:58.1567 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9744600e-3e04-492e-baa1-25ec245c6f10
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB4PR06MB298

Dear Les,

A few minutes ago we detected a new phishing scam against Sociedad Estatal de Correos y Telégrafos S.A.
It is hosted on the same website (https://a.lainfile.pw/), at the following URLs:

hxxps://a.lainfile.pw/BF/detalle_app-sidioma=es_es.htm?//ss/Satellite/site/pagina-localizador_envios/busqueda-sidioma=es_ES
hxxps://a.lainfile.pw/BE/1.html

As you can see, it has the same structure as the phishing that I reported a few days ago. In this case, as you can see if you consult the source code of the page, the phisher uses the same CSS and JS files.

[Screenshot 1: 07/02/2017]
[Screenshot 2: 10/02/2017]

I insist that these files are a copy of the JS/CSS of the original Correos website, with the name changed so that it could not be compared, but if you check the content you can see that they have references to the Correos website and paths of the original server:

· hxxps://p.fuwafuwa.moe/wgzddk.js

[Screenshot 3: ORIGINAL]
[Screenshot 4: COPY]

All this evidence is enough for us to state that these files have been downloaded from the Correos website, had their filename modified to avoid detection and been uploaded to a different server, to persist if the phishing site goes down and to be used in future attacks.

We are sure that to stop this fraud and prevent it from being activated again it is necessary to delete the CSS and JS files. Could you check whether these files have been uploaded by the same user who uploaded the phishing scam?

Thank you in advance.

Regards.

-----------------------------------------------------------
CyberThreats - Anti-Fraud Service
Telefónica España
Phone: +34 900102230 (option 9)
Email: phishing@telefonica.com
servicio.antifraude@telefonica.com
-----------------------------------------------------------
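The check the report asks the hosting provider to make (a JS/CSS file renamed to defeat a filename comparison, yet still the legitimate site's code and still carrying absolute references to that site's host and server paths) can be done mechanically. The script below is an added example, not code from the report's sender or from the hosting provider. It normalises both files so that renaming, comment stripping and minification do not hide a verbatim copy, scores near-copies with a similarity ratio, and lists the URLs and quoted server paths that tie the suspect file back to the original. The legitimate domain correos.es and all three file bodies are constructed assumptions for illustration; the real wgzddk.js is not reproduced.

```python
"""Evidence checks for a renamed copy of a legitimate site's JS/CSS file.

Added example; not code from the report's sender or from the hosting
provider.  It implements the two checks the report describes: comparing
content in a way that survives renaming, comment stripping and
minification, and extracting the references to the legitimate host and
its server paths that a copied file carries along.

Assumptions: the legitimate domain "correos.es" and all file contents
below are constructed for illustration; the real wgzddk.js is not
reproduced here.
"""
import difflib
import hashlib
import re

# Constructed sample: the script as served by the legitimate site.
ORIGINAL_JS = """\
/* localizador de envios - build 2016.11 */
var BASE = "https://www.correos.es";
function track(code) {
  var url = BASE + "/ss/Satellite/site/pagina-localizador_envios/busqueda-sidioma=es_ES";
  var frm = document.getElementById("frm");
  frm.action = url;   // post the tracking code to the legitimate locator
  frm.submit();
}
"""

# Constructed sample: the same file renamed, comments stripped and minified.
# The new filename says nothing, but the absolute URL and the server path
# still point at the legitimate site.
RENAMED_COPY_JS = (
    'var BASE="https://www.correos.es";function track(code){var url=BASE+'
    '"/ss/Satellite/site/pagina-localizador_envios/busqueda-sidioma=es_ES";'
    'var frm=document.getElementById("frm");frm.action=url;frm.submit();}'
)

# Constructed sample: one edit on top, the form now posts to a page on the
# phishing host instead of the legitimate locator.
MODIFIED_COPY_JS = RENAMED_COPY_JS.replace('frm.action=url', 'frm.action="/BE/1.html"')


def normalise(src):
    """Strip /* */ and // comments and all whitespace.  The result is a
    comparison fingerprint only (string literals are altered too), not JS."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    src = re.sub(r"(?<!:)//[^\n]*", "", src)  # lookbehind keeps the // of https://
    return re.sub(r"\s+", "", src)


def fingerprint(src):
    """SHA-256 of the normalised source; equal hashes mean a verbatim copy."""
    return hashlib.sha256(normalise(src).encode("utf-8")).hexdigest()


def similarity(a, b):
    """Ratio in [0, 1] between normalised sources.  autojunk is off so that
    characters that recur often in longer files are not discarded."""
    return difflib.SequenceMatcher(None, normalise(a), normalise(b), autojunk=False).ratio()


_PATH_RE = re.compile(r"""['"](/[A-Za-z0-9_./?=&%-]{3,})['"]""")


def legit_urls(src, legit_host):
    """Absolute URLs whose host is legit_host or a subdomain of it.  The
    lookahead stops 'correos.es.evil.example' from counting as a match."""
    pat = re.compile(
        r"https?://(?:[\w-]+\.)*" + re.escape(legit_host) + r"(?![\w.-])(?:/[^\s'\"()<>]*)?",
        re.IGNORECASE,
    )
    return sorted(set(pat.findall(src)))


def server_paths(src):
    """Quoted absolute paths such as '/ss/Satellite/...'."""
    return set(_PATH_RE.findall(src))


def assess(original, suspect, legit_host):
    """Summarise the evidence that `suspect` is a copy of `original`."""
    shared = sorted(server_paths(original) & server_paths(suspect))
    return {
        "identical_after_normalisation": fingerprint(original) == fingerprint(suspect),
        "similarity": round(similarity(original, suspect), 3),
        "urls_to_legit_host": legit_urls(suspect, legit_host),
        "paths_shared_with_original": shared,
    }


if __name__ == "__main__":
    for label, suspect in (("renamed copy", RENAMED_COPY_JS), ("modified copy", MODIFIED_COPY_JS)):
        print(label, assess(ORIGINAL_JS, suspect, "correos.es"))
```

For the renamed copy the normalised hashes match, so the file is the legitimate site's code regardless of its new name; for the edited copy the hashes differ but the ratio stays well above 0.9, and in both cases the `https://www.correos.es` reference and the shared `/ss/Satellite/...` path are what an abuse desk can point to when asking for the asset to be taken down. A lookalike host such as `correos.es.evil.example` is deliberately not counted as a reference to the legitimate site.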