While I was on the train today I was checking email and found that I had received an interesting phish. It was sent to an email I haven't used in years that apparently still forwards:
The phish started off going to "outlake-q.hopto[.]com" and passing my email address as a parameter in the URL. I changed that up a bit as you'll see below. The HopTo address claims it is "Connecting to OneDrive" but it's really forwarding to the rest of the phish.
"Leak-weave[.]gq" says "Please wait ..." while it continues connecting to OneDrive I guess. . . ?
Once it connects to OneDrive (which apparently is now hosted at leak-weave) it asks me to "Please hold a while" as "OneDrive Security is scanning your file for virus!"
Great news! No Virus detected on file!
"Scan Complete! Your file is secure and safe for download. Office365 OneDrive." So I guess I can Download the file, right?
Not so fast! First we have to confirm the password for "[email protected]"
It takes the time to actually connect to the PleaseDonHackMe.org mail server and concludes that I have entered an "Invalid password"
No file for you!
Now, if a visitor actually believed there was a file, they may have been tempted to provide their REAL password at this time. I don't know if that would result in a Download or not, but I've decided not to find out!
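The first hop of this phish carried the recipient's address as a URL parameter, which is something a mail gateway or proxy-log review can test for. The following is an added example, not code from the original post: it flags URLs that carry a given recipient address in plain, percent-encoded or base64 form (the base64 case generalizes beyond what the post shows). The recipient address, parameter names, paths and the example.net/example.com URLs are constructed.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qsl, unquote

def _b64_variants(value):
    """Yield text decoded from value as standard or URL-safe base64, if it decodes."""
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue

def find_recipient_in_url(url, recipient):
    """Return (location, encoding) if the recipient address rides in the URL, else None."""
    url = url.replace("[.]", ".")  # accept defanged input such as hopto[.]com
    target = recipient.lower()
    parts = urlsplit(url)
    # parse_qsl already percent-decodes query values (%40 -> @)
    candidates = [("param:" + k, v)
                  for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    candidates.append(("fragment", unquote(parts.fragment)))
    candidates.extend(("path", unquote(seg)) for seg in parts.path.split("/") if seg)
    for location, value in candidates:
        if target in value.lower():
            return (location, "plain")
        for decoded in _b64_variants(value):
            if target in decoded.lower():
                return (location, "base64")
    return None

# Constructed samples: only the first host comes from the post; everything else is made up.
RECIPIENT = "victim@example.org"
SAMPLE_URLS = [
    "http://outlake-q.hopto[.]com/?email=victim%40example.org",
    "https://login.example.net/o?id=dmljdGltQGV4YW1wbGUub3Jn",
    "https://login.example.net/view#dmljdGltQGV4YW1wbGUub3Jn",
    "https://www.example.com/docs?page=2",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", find_recipient_in_url(u, RECIPIENT))
```

A hit is a triage signal rather than a verdict, since legitimate unsubscribe and tracking links also embed the recipient address.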
Hope you enjoyed today's Adventure in Phishing! Tune in next time to see . . . well, we don't know what yet.
Article Link: http://garwarner.blogspot.com/2019/11/a-phish-that-scans-for-viruses.html