Phishing website links are commonly delivered via email to their respective targets. Once clicked, these websites often show a single webpage that outright asks for sensitive information such as account login credentials, credit card details, and other personally identifiable information (PII).

Recently, we encountered an interesting phishing website containing an interactive component: a chatbot. Unlike a lot of phishing websites, this one establishes a conversation first and, bit by bit, guides the victim to the actual phishing pages.

Although the phishing method is quite unique, it still uses email as the delivery channel. A deeper inspection of the email header shows that the "From" header is missing the email address component, which is already a red flag.

Figure 1. Phishing email with spoofed "From" header (DHLexpress).

Figure 2. The spoofed "From" header does not have an email address component.

Clicking the "Please follow our instructions" link will open a browser and direct the recipient to a downloadable PDF file. There are two ways that this file redirects the recipient to the actual phishing site: the first is through the "Fix delivery" button, and the second is by copying an alternative URL from the file.

Figure 3. Downloadable PDF file carrying the DHL brand that contains the link to the phishing site.

Either of the two methods redirects the user to the same website, and this is where the actual phishing starts. The first stop is the chatbot-like page that tries to engage and establish trust with the victim. We say "chatbot-like" because it is not an actual chatbot: the application already has predefined responses based on the limited options given.

Figure 4. The portion of the JavaScript containing the predefined responses of the "chatbot".

The first part of the engagement simply confirms the tracking number of the supposedly ordered item.

Figure 5. Chatbot-like page confirming the order tracking number.

By clicking the "yes" option, the program tries to engage at a higher level with the victim by showing a picture of the item and asking for the preferred delivery address (i.e., home or office address).

Figure 6. The "chatbot" giving more details and instructions to the recipient.

To gain even more confidence and trust from the target, a CAPTCHA is presented right after the victim clicks the "Schedule delivery" button. However, something is odd here: nothing is clickable except for the confirm and close buttons.

Figure 7. Fake CAPTCHA requiring the victim to type the exact numbers presented.

By checking the page source, it can be confirmed that the CAPTCHA is nothing more than an embedded JPEG image file.

Figure 8. The CAPTCHA is simply an image embedded in the HTML.

By clicking "Confirm", the victim is redirected to another page where the "chatbot" asks for login credentials (i.e., email address and password) as well as the delivery address.

Figure 9. The "chatbot" asking for the victim's email, password, and delivery address.

At this point you might think that the perpetrators have taken what they want, but you would be wrong. Clicking the "Schedule Delivery and Pay" button redirects the victim yet again to another phishing page.

Figure 10. The next phishing page, this time trying to steal credit card information.

The credit card page has some input validation methods. One is card number validation, which tries not only to check the validity of the card number but also to determine the type of card the victim has entered. Once the victim fills out the form, clicking the "PAY NOW" button redirects the victim to a loading page, which after a few seconds redirects to an OTP (One-Time Password) page. An OTP is an automatically generated string of characters (numeric or alphanumeric) that is usually sent to the user's registered mobile number. It serves as another layer of user authentication for a single transaction or session.

Figure 11. The program asking for the OTP that was sent to the victim's phone number.
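The missing address component in the spoofed "From" header (Figure 2) is something a mail filter can check automatically. The following is an added example, not code from the original post; the two raw messages are constructed samples that mimic the malformed header and a well-formed one.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (not taken from the page): the first mimics a
# "From" header that carries only a display name, the second is well-formed.
SPOOFED_MSG = (
    "From: DHLexpress\r\n"
    "To: victim@example.com\r\n"
    "Subject: Delivery problem\r\n"
    "\r\n"
    "Please follow our instructions\r\n"
)
NORMAL_MSG = (
    "From: DHL Express <noreply@dhl.example>\r\n"
    "To: victim@example.com\r\n"
    "Subject: Your parcel\r\n"
    "\r\n"
    "Tracking update\r\n"
)


def from_header_findings(raw_message: str) -> dict:
    """Parse the From header and report whether the addr-spec is missing."""
    msg = email.message_from_string(raw_message)
    raw_from = msg.get("From", "")
    display_name, addr = parseaddr(raw_from)
    # parseaddr() places a bare phrase such as "DHLexpress" into the address
    # slot, so the reliable test is whether that slot holds a real addr-spec
    # (something with an "@"), not whether it is empty.
    has_addr_spec = "@" in addr
    return {
        "raw": raw_from,
        "display_name": display_name,
        "address": addr if has_addr_spec else "",
        "missing_address": not has_addr_spec,
    }


def flag_missing_address(messages):
    """Return the raw messages whose From header lacks an email address."""
    return [m for m in messages if from_header_findings(m)["missing_address"]]


if __name__ == "__main__":
    for m in (SPOOFED_MSG, NORMAL_MSG):
        print(from_header_findings(m))
```

A message with no "From" header at all is flagged the same way, since there is no address to parse.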