Outlook Team E-mail Reactivation Phishing Scam 4 Dec 2015

Microsoft Outlook Phishing Scam

Outlook Team E-mail Reactivation Phishing Scam 4 Dec 2015

Its December holiday period and once again phishers are on a prerogative quest of phishing passwords. And as per norm Microsoft and Google are involved due to the ease of creating free email accounts.

In this Microsoft Outlook email phishing article I explain in detail the phishing codes used to aggregate usernames and passwords as well as the email accounts used and the destination of the stolen usernames and passwords. The article is exceptionally long due to all the snapshots and codes, but worth the read.

Coincidently, Microsoft and Google Chrome don't mark phishing that aggregates usernames and passwords to the same server.

They mark them as scam when the phisher uses a remote destination (link, email address or web-server) that's not associated with the login page. ​

Outlook Team Reactivation Phishing E-mail

Outlook Team E-mail Reactivation Scam

Above is a snap shot of the original phishing email and below a text version. As you may notice the first give away is Microsoft marking it as spam. The second give away is the email address used, its NOT a legitimate Microsoft email. Its a free Microsoft email account - jayco5@hotmail.ca

Third give away is, you were already logged into your Microsoft account to access the phishing email. Hense, no reason to verify your account.

E-mail Re-Activation

Outlook Team jayco5@hotmail.ca
Reply|
To:
......@hotmail.co.za; Fri 2015-12-04 04:53 AM
From:
Outlook Team (jayco5@hotmail.ca)
Sent: Fri 2015-12-04 04:53 AM
To:
......@hotmail.co.za;
This message was identified as spam. It's not spam
Your mailbox has exceeded the storage limit is 1 GB, which is defined by the administrator, are running at 99.8 gigabytes, you can not send or receive new messages until you re-validate your mailbox.

To renew the mailbox kindly CONFIRM your account
Thank you!
Web mail system administrator!

WARNING! Protect your privacy. Log-out when you are done and completely
exit your browser.

----------------------------------

Fourth give away is the 'CONFIRM' link itself, its not the Microsoft login page. The CONFIRM link attached to the phishers email navigates to - http://atmindia.org/adumik/Outlook-hotmail/Outlook-hotmail/Outlook-hotmail/Cae22.html which looks extremely authentic.

Outlook Phishing Scam

The phisher had copied an identical version of the login page and had uploaded it to atmindia.org, calling it Cae22.html

The only change made to the phishing page was the post action, which in this instance was 'Xconsole.php'

form method="post" action="Xconsole.php" autocomplete="" name="login_form" onsubmit="return hash2(this) style=" line-height:="" 19px;="" margin:="" 0px;"=""

Google Chrome did however mark it as a deceptive scam site, giving you an option of visiting the unsafe site or navigate back to safety. I chose to visit the site for further phishing code research (I'm addicted to trolling hackers, scammers, fraudsters and researching vulnerabilities ;)

Google Chrome Deceptive Scam Site Warning

Due to the PHP file not having a DOCTYPE declaration source code viewers only check against basic markup syntax. In this instance, they only display the javascript and not the PHP code.

PHP Phishing Code

Lets first have a look at the javascript code attached to the PHP document before moving onto the PHP code (atmindia.org/adumik/Outlook-hotmail/Outlook-hotmail/Outlook-hotmail/Xconsole.php)

If you'd been that stupid to type in your true credentials (i typed in a bogus email and password) you would have noticed a pop-up appeared stating you had upgraded your account alert('Account Upgraded.');

After killing the pop-up you are automatically redirected to outlook window.location='http://www.outlook.com/'; (always remembering you were already logged into outlook to read the phishing email. Hence, the phisher sends you back to outlook)

Reality is, Outlook users would have been unaware that the info typed into the outlook login form had been sent to a remote server. In this instance it was sent to an email address (brianmele1234@gmail.com)

The PHP code used looks as follows:

Reactivation Of Outlook Email Phishing Scam

Information aggregated was the users ID (email address) password and IP address. The phisher used the email 'infos@myworld.com' to send the stolen information to a free gmail account 'brianmele1234@gmail.com'.