Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on0091.outbound.protection.outlook.com [104.47.2.91]) by anna.lesderid.net (Postfix) with ESMTP id DD2BBDBB46 for ; Sun, 12 Feb 2017 02:53:37 +0100 (CET)
Received: from AM5PR0601MB2402.eurprd06.prod.outlook.com (10.173.91.135) by AM5PR0601MB2404.eurprd06.prod.outlook.com (10.173.91.137) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.888.16; Sun, 12 Feb 2017 01:53:33 +0000
From: JESUS MAQUEDA BUENO
To: "hostmaster@online.net", "abuse@online.net"
CC: DS_TSOL_phishing, Les De Ridder, "cert-fr.cossi@ssi.gouv.fr"
Subject: We have detected that Online S.a.s is hosting a fraudulent website
Date: Sun, 12 Feb 2017 01:53:32 +0000
X-Originating-IP: [92.185.39.32]
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=jesus.maquedabueno.ext@telefonica.com
Received-SPF: None (protection.outlook.com: telefonica.com does not designate permitted sender hosts)
X-OriginatorOrg: telefonica.com
X-MS-Has-Attach: yes
Content-Type: multipart/mixed

To the attention of Online S.a.s,

Telefonica España is managing the fraudulent actions against La Caixa and all related phishing incidents
against this company.

We have detected that Online S.a.s. is hosting a fraudulent website that offers a phishing scam against Sociedad Estatal de Correos y Telégrafos S.A. from the following URL(s):

hxxps://p.fuwafuwa.moe/qgrazk.css
hxxps://p.fuwafuwa.moe/urdelr.css
hxxps://p.fuwafuwa.moe/mdffth.css
hxxps://p.fuwafuwa.moe/nkjcoa.css
hxxps://p.fuwafuwa.moe/ygegkm.js
hxxps://p.fuwafuwa.moe/zdbkvk.js
hxxps://p.fuwafuwa.moe/ovisan.js
hxxps://p.fuwafuwa.moe/ifqnra.js
hxxps://p.fuwafuwa.moe/cbpisx.js
hxxps://p.fuwafuwa.moe/adkeer.js
hxxps://p.fuwafuwa.moe/vrmxsq.js
hxxps://p.fuwafuwa.moe/pyftal.js
hxxps://p.fuwafuwa.moe/mxkqsi.js
hxxps://p.fuwafuwa.moe/amwuzd.js
hxxps://p.fuwafuwa.moe/gtjjkc.js
hxxps://p.fuwafuwa.moe/ihibjo.js
hxxps://p.fuwafuwa.moe/eebxgu.js
hxxps://p.fuwafuwa.moe/hiqigm.js
hxxps://p.fuwafuwa.moe/wgzddk.js
hxxps://p.fuwafuwa.moe/wvczgj.js
hxxps://p.fuwafuwa.moe/cobvtt.js
hxxps://p.fuwafuwa.moe/puplbx.js
hxxps://p.fuwafuwa.moe/vivcvc.css
hxxps://p.fuwafuwa.moe/ypgwbn.css
hxxps://p.fuwafuwa.moe/btcpto.css
hxxps://p.fuwafuwa.moe/esaxve.css
hxxps://p.fuwafuwa.moe/ujnicm.css

These files aren't a phishing scam themselves, but they are being used as part of a phishing scam against the state post office of Spain (Correos y Telégrafos).

You can check the source code of the deleted phishing scam that was previously hosted on your servers:

hxxps://a.lainfile.pw/8E/detalle_app-sidioma=es_es.htm?//ss/Satellite/site/pagina-localizador_envios/busqueda-sidioma=es_ES
[image001.jpg]

These files are a copy of the JS/CSS of the original Correos website with the names changed so that they cannot be compared, but if you check the content you can see that it has references to the Correos website and paths of the original server:

hxxps://p.fuwafuwa.moe/wgzddk.js
[image002.jpg]

You can also compare the original files on the Correos website with the ones that have been uploaded to your server and see that this is a copy with the same configuration:

[image003.jpg] [image004.jpg]

And the same MD5:

[image005.jpg] [image006.jpg]

You can check this yourself using any program or website that compares the MD5 checksums of files.

All this evidence is enough for us to state that these files have been downloaded from the Correos website, had their filenames changed to avoid detection, and been uploaded to a different server so that they persist if the phishing site goes away and can be used in future attacks. This is not the first time we have seen this tactic, and this is the reason we request that you delete these files.

So please check this information, don't hesitate to request more information or detail from us if you think that this evidence is not enough, and take the actions you consider appropriate against these fraudulent files in order to prevent their use in future attacks.

Regards.
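The report above rests on two checks an abuse desk can reproduce: the renamed files have the same checksum as the legitimate site's assets, and their contents still carry paths from the original server. The following script is an added example, not part of the report or of any Telefonica or Online S.a.s tooling; it refangs the `hxxps://` indicators, hashes candidate files against a reference set so that a renamed byte-for-byte copy is still matched, and flags files that merely contain an origin marker (a modified copy). All file contents are constructed in-line; the only marker used is the `/ss/Satellite/` path fragment visible in the report's own URL, and the reference filenames are assumptions.

```python
"""Match renamed static assets against a reference site by content hash and
origin-path markers. Added example; all inputs below are constructed."""
import hashlib
import re

# Refang 'hxxp://' / 'hxxps://' indicators back to a fetchable scheme.
_DEFANGED = re.compile(r"^hxxp(s?)://", re.IGNORECASE)


def refang(url: str) -> str:
    return _DEFANGED.sub(lambda m: f"http{m.group(1)}://", url)


def digests(data: bytes) -> dict:
    """MD5 (what the report compares) plus SHA-256 for a stronger identity claim."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def find_copies(suspect: dict, reference: dict, origin_markers) -> list:
    """suspect/reference map filename -> bytes.

    Returns (suspect_name, matched_reference_name_or_None, markers_found)
    for every suspect file that is either an exact copy of a reference file
    (matched by SHA-256, so the random filename is irrelevant) or contains
    one of the origin markers (a modified copy that still points home).
    """
    by_hash = {digests(body)["sha256"]: name for name, body in reference.items()}
    hits = []
    for name, body in suspect.items():
        match = by_hash.get(digests(body)["sha256"])
        found = [m for m in origin_markers if m.encode() in body]
        if match is not None or found:
            hits.append((name, match, found))
    return hits


# Constructed sample data. Reference names are assumptions; '/ss/Satellite/'
# is the path fragment that appears in the phishing URL quoted in the report.
ORIGIN_MARKERS = ["/ss/Satellite/"]
REFERENCE = {
    "localizador.js": b"var base='/ss/Satellite/site/pagina-localizador_envios';\n",
    "styles.css": b"body{margin:0}\n",
}
SUSPECT = {
    "wgzddk.js": b"var base='/ss/Satellite/site/pagina-localizador_envios';\n",  # exact copy
    "vivcvc.css": b"body{margin:0}\n",                                           # exact copy
    "ygegkm.js": b"var base='/ss/Satellite/site/other';\n",                      # modified copy
    "zdbkvk.js": b"console.log(1)\n",                                            # unrelated
}


def indicator_list(urls):
    """Refang a list of defanged URLs as they appear in an abuse report."""
    return [refang(u) for u in urls]


if __name__ == "__main__":
    for name, match, found in find_copies(SUSPECT, REFERENCE, ORIGIN_MARKERS):
        print(f"{name}: copy_of={match} markers={found} "
              f"md5={digests(SUSPECT[name])['md5']}")
```

In practice the reference bytes come from fetching the legitimate site's assets and the suspect bytes from the refanged report URLs; matching on SHA-256 (and reporting MD5 alongside it, since that is what the hosting provider will compare) avoids resting the takedown evidence on MD5 alone.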