A new phishing scam has been uncovered that attempts to steal credit card data and upload it to a compromised Joomla server.
The attack was spotted by V3 this week and sent to email security firm Mimecast for analysis. The email purported to be from Australian telecoms firm Telstra.
We were informed that clicking on the link directs the unsuspecting user to a fake Telstra portal log-in page.
Once logged in, the victim is asked for their credit card information, which is transmitted straight to the cyber criminals. An error page on the original website is then shown to alleviate any suspicions and delay any attempt to cancel the card.
The information is sent to a compromised Joomla server belonging to an Italian blog (hxxp://lanard.it/br/coco.php).
Matthew Gardiner, cyber security strategist at Mimecast, said that companies should ideally have an email security system that rewrites every URL, checks its safety on every click, and blocks or at least warns if the site is potentially dodgy.
"For those users that click through the warning the security team should warn the user to change their password immediately or take other steps depending on what was shared," he said.
"In this case if they shared their real credentials they should contact Telstra immediately to let them know that they were phished so that Telstra can take immediate steps to protect them against fraud."
Gardiner explained that employees should be encouraged not to trust random, unexpected emails that take them to a website that asks for personal information or log-in credentials. If they have an account with that vendor they should go directly to that website.
"Users should be coached to look at the URL in the website to see if it makes sense, such as https://www.telstra.com.au. Often attackers will take users to a totally different domain that doesn't make sense such as www.abc.com/telstra," he said.
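The domain check Gardiner describes can be automated for link-rewriting or user-facing warnings. The following is an added example, not code from V3 or Mimecast; it assumes telstra.com.au as the only trusted domain and treats the brand name appearing anywhere other than the registered host (in the path, in the userinfo, or as a prefix of an unrelated domain) as a mismatch.

```python
from urllib.parse import urlsplit

# Assumed for this example: the only domain a Telstra customer should be sent to.
TRUSTED_DOMAINS = {"telstra.com.au"}


def host_matches_brand(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Return True only if the URL's real host is a trusted domain or a subdomain of one.

    The brand name appearing elsewhere (path, userinfo, or as a prefix of another
    domain such as telstra.com.au.evil.example) does not count.
    """
    # Scheme-less links such as "www.abc.com/telstra" would otherwise parse as a path.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname strips userinfo ("www.telstra.com.au@evil.example") and the port,
    # and lowercases the result.
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_links(urls):
    """Map each URL to 'trusted' or 'mismatch' for a warning banner or log line."""
    return {u: ("trusted" if host_matches_brand(u) else "mismatch") for u in urls}


if __name__ == "__main__":
    # Constructed sample links; evil.example is a placeholder, not a real indicator.
    samples = [
        "https://www.telstra.com.au/",
        "www.abc.com/telstra",
        "https://www.telstra.com.au@evil.example/login",
        "https://telstra.com.au.evil.example/portal",
    ]
    for link, verdict in classify_links(samples).items():
        print(f"{verdict:9} {link}")
```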
Check out the top five phrases used by cyber criminals in phishing attacks for more tips on how to recognise these scams.
The full analysis of the malicious code is below:
POST /br/coco.php HTTP/1.1
*Malicious page hosted on a compromised Joomla server belonging to an Italian blog (hxxp://lanard.it/br/coco.php)
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
Accept-Encoding: gzip, deflate
Cookie: 2411d7ba43ddf72bc0ad8d206aa5b285=47080e4a120228618949205f10e9649a; _gat=1; _ga=GA1.2.844946446.1476719470
*After stealing credentials, the page redirects the user to an error page on the original website, so when the user tries again they see the expected authentication page.
*The variables below (named in French) hold the stolen user details: username, password, birthday and credit card numbers