Phishing Email: “Australia and New Zealand : You have 1 new Payment.”/”[email protected]

Today we received an email that appeared to originate from Australia and New Zealand Banking Group Limited (ANZ).

Let’s take a look at the email:

From: [email protected]
To:
Re: Australia and New Zealand : You have 1 new Payment.
Delivery-Date: Tue, 29 Sep 2015 20:17:34 -0500

Australia and New Zealand Banking Group Limited (ANZ)

If the potential victim clicks “click here”, they are directed to http[:]//kwiaciarniasoniabuczek.home[.]pl/wp-content/plugins/akismet/views/index.php on 79.96.76.66. The website has already been categorised on VT as a “malicious domain” by multiple antivirus engines (7/65).

The above URL would then immediately redirect the user to “http://unive[.]pl” using a “meta refresh” tag. You can read more about it here.

The new URL would then redirect the victim to as per HTTP response below

According to VT, the redirected URL has already been categorised as malicious as well. It uses a relative URL (you can read more about Relative URLs) to point users to a phishing website that tries to harvest their credentials.
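When triaging a chain like this one from saved response bodies, both the “meta refresh” hop and the relative-URL hop can be resolved offline. The following is an added example, not code from the original post; the hosts, paths and HTML bodies in it are constructed placeholders, and the function names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# content="<delay>; url=<target>" (the "url=" prefix and quotes are optional)
_REFRESH = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(?:[;,]\s*(?:url\s*=\s*)?(.*))?$", re.I | re.S)

class MetaRefreshFinder(HTMLParser):
    """Collects (delay_seconds, raw_target) from <meta http-equiv="refresh">."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag != "meta" or a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = _REFRESH.match(a.get("content", ""))
        if m and m.group(2):  # a bare delay with no target only reloads the page
            self.hits.append((float(m.group(1)), m.group(2).strip().strip("'\"")))

def refresh_targets(page_url, html):
    """Absolute URLs a browser would load from page_url via meta refresh."""
    finder = MetaRefreshFinder()
    finder.feed(html)
    # urljoin resolves a relative target against the URL of the page serving it
    return [(delay, urljoin(page_url, raw)) for delay, raw in finder.hits]

def trace(start_url, captured, max_hops=10):
    """Follow meta-refresh hops through saved {url: html} bodies, offline."""
    chain = [start_url]
    while chain[-1] in captured and len(chain) <= max_hops:
        targets = refresh_targets(chain[-1], captured[chain[-1]])
        if not targets or targets[0][1] in chain:  # dead end or redirect loop
            break
        chain.append(targets[0][1])
    return chain

# Constructed sample responses (placeholder hosts, not the URLs from the post)
START = "http://hop1.example/wp-content/plugins/x/views/index.php"
CAPTURED = {
    START: '<html><head><META HTTP-EQUIV="Refresh" '
           'CONTENT="0; URL=http://hop2.example/a/b/"></head></html>',
    "http://hop2.example/a/b/":
        "<meta http-equiv='refresh' content='0;url=../login/index.php'>",
}

if __name__ == "__main__":
    for hop in trace(START, CAPTURED):
        print(hop)
```

The relative target in the second body only becomes a usable indicator once it is joined to the URL of the page that served it, which is why each hop's own URL is passed to `refresh_targets`.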

The relevant URLs were unavailable at the time of writing this post, so they were probably taken down.

The email appears to have been sent from iba.gov.au on IP 115.254.55.26, which is already blacklisted. The IP belongs to India Thiruvananthapuram Rcom Static Dia as per whois info below.

Email-headers
