2018-03-22 - GODADDY-THEMED PHISH

ASSOCIATED FILES:

NOTES:


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domain:


EMAIL HEADERS

X-Originating-Ip: [173.201.193.102]
Authentication-Results: [removed]; iprev=pass policy.iprev="173.201.193.102"; spf=softfail smtp.mailfrom="id-referance-4232352611@bigmir.net" smtp.helo="p3plsmtpa08-01.prod.phx3.secureserver.net"; dkim=none (message not signed) header.d=none; dmarc=none (p=nil; dis=none) header.from=bigmir.net
X-Suspicious-Flag: NO
X-Classification-ID: 6cd03c44-2de9-11e8-b253-5254006a2e70-1-1
Received: from [173.201.193.102] ([173.201.193.102:40590] helo=p3plsmtpa08-01.prod.phx3.secureserver.net)
     by [removed] (envelope-from )
     [removed]; Thu, 22 Mar 2018 11:55:25 -0400
Received: from bigmir.net ([144.202.110.202])
     by :SMTPAUTH: with SMTP
     id z2XfexiIUDVohz2YeeorPA; Thu, 22 Mar 2018 08:55:19 -0700
X-Sender: 1f090ed@vatimen.com
From: Godaddy Team 2018<id-referance-4232352611@bigmir.net>
To: [removed]
Subject: Your Billing is attached !
Date: 22 Mar 2018 15:55:15 +0000
Message-ID: <20180322155515.BBCD5532FFAA2313@bigmir.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;
     boundary="----=_NextPart_000_0012_E5C8996C.D4B90631"
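
The Authentication-Results and From headers above explain how this message got through: the envelope sender and From address claim bigmir.net, but the message was submitted through a GoDaddy-operated secureserver.net relay (hence the SPF softfail), it carries no DKIM signature, and bigmir.net publishes no DMARC policy, so nothing stopped a "Godaddy Team 2018" display name from riding on a bigmir.net address while the authenticated submitter (X-Sender) was an unrelated vatimen.com account. The Python below is an added example, not code from the original post; it parses that header block (reproduced inline as constructed sample input, with the redacted authserv-id left as `[removed]`) and lists the mismatches a mail filter could have flagged. The function names, the brand list and the finding labels are my own choices.

```python
"""Parse Authentication-Results and From from a message head and flag the
combination seen in the 2018-03-22 GoDaddy-themed phish: SPF softfail, no
DKIM, no DMARC, a brand name in the display name that does not match the
From domain, an X-Sender domain that differs from From, and submission via
a relay that does not belong to the From domain."""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample: the non-redacted headers of the phish as shown on this
# page, joined into one RFC 5322 message head (blank line terminates it).
SAMPLE_HEADERS = """\
X-Originating-Ip: [173.201.193.102]
Authentication-Results: [removed]; iprev=pass policy.iprev="173.201.193.102"; spf=softfail smtp.mailfrom="id-referance-4232352611@bigmir.net" smtp.helo="p3plsmtpa08-01.prod.phx3.secureserver.net"; dkim=none (message not signed) header.d=none; dmarc=none (p=nil; dis=none) header.from=bigmir.net
X-Sender: 1f090ed@vatimen.com
From: Godaddy Team 2018<id-referance-4232352611@bigmir.net>
Subject: Your Billing is attached !
Date: 22 Mar 2018 15:55:15 +0000
Message-ID: <20180322155515.BBCD5532FFAA2313@bigmir.net>

"""

BRANDS = ("godaddy",)   # display-name brands we care about (assumed list)


def parse_auth_results(value):
    """Return {method: {"result": str, "props": {name: value}}} from an
    Authentication-Results value (RFC 8601 shape).  Comments are stripped
    first because they may contain ';' (e.g. "(p=nil; dis=none)")."""
    value = re.sub(r"\([^)]*\)", "", value)
    clauses = [c.strip() for c in value.split(";")]
    results = {}
    for clause in clauses[1:]:               # clauses[0] is the authserv-id
        m = re.match(r"(\w+)=(\w+)", clause)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        props = dict(re.findall(r'([\w.]+)="?([^"\s]+)"?', clause[m.end():]))
        results[method] = {"result": result, "props": props}
    return results


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw_headers):
    """Return a list of (label, detail) findings for one message head."""
    msg = HeaderParser().parsestr(raw_headers)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    findings = []

    spf = auth.get("spf", {})
    if spf.get("result") in ("softfail", "fail", "none", "permerror", "temperror"):
        findings.append(("spf", "spf=%s for %s" % (
            spf["result"], spf["props"].get("smtp.mailfrom"))))
    if auth.get("dkim", {}).get("result") != "pass":
        findings.append(("dkim", "message carries no valid DKIM signature"))
    dmarc = auth.get("dmarc", {}).get("result")
    if dmarc != "pass":
        findings.append(("dmarc", "dmarc=%s; From domain not protected" % dmarc))

    # Brand in the display name, but the From domain is not that brand's.
    for brand in BRANDS:
        if brand in display.lower() and brand not in from_dom:
            findings.append(("brand-mismatch", "'%s' sent from %s" % (display, from_dom)))

    # X-Sender is the authenticated submitting account; it should agree with From.
    x_sender_dom = domain_of(msg.get("X-Sender", ""))
    if x_sender_dom and x_sender_dom != from_dom:
        findings.append(("sender-mismatch", "X-Sender %s vs From %s" % (x_sender_dom, from_dom)))

    # The HELO host is a third-party relay rather than the From domain's own MTA.
    helo = spf.get("props", {}).get("smtp.helo", "").lower()
    if helo and helo != from_dom and not helo.endswith("." + from_dom):
        findings.append(("relay", "submitted via %s, not %s" % (helo, from_dom)))
    return findings


if __name__ == "__main__":
    for label, detail in assess(SAMPLE_HEADERS):
        print("%-16s %s" % (label, detail))
```

Run stand-alone it prints six findings for the sample; the same checks apply to any message head, and the only one that needs tuning per site is the brand list.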


TRAFFIC

2018-03-22 NETWORK TRAFFIC:


FILE HASHES

2018-03-22 PDF ATTACHMENT:


IMAGES


Shown above:  Email seen in my inbox earlier today.



Shown above:  Start of the attached PDF invoice.



Shown above:  End of the attached PDF invoice with link to the phishing page.



Shown above:  The fake GoDaddy login phishing page.



Shown above:  Traffic to the phishing page filtered in Wireshark.


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
