Posts: 15,847
Threads: 10,149
Thanks Received: 9,306 in 7,452 posts
Thanks Given: 10,217
Joined: 12 September 18
20 December 19, 09:49
(This post was last modified: 20 December 19, 09:49 by harlan4096.)
Quote:
New phishing campaign spotted in Denmark
A new phishing campaign disguised as package notification is on the rampage. Initially discovered in Denmark, the malicious venture notifies users that they are expecting a package delivery.
The phishing attempt came to light when a Denmark cell user received the following SMS.
The message reads: “We were unable to deliver your package DK-XXXXXX as it had been shipped with too little postage. Pay the shipping fee now to have your package delivered.” Right beneath the message, is a link called ht7.biz (domain sanitized by Heimdal Security) that presumably redirects the user to the package center.
However, right before the browser lands on the package center’s search page, it’s being routed via another domain, called ai6.net (domain sanitized and blocked by Heimdal Security), before calling pakketinfo.paketexclusivo.com website.
The link takes the user to a package search page.
At this point, the user is required to search for the package’s number. The text above reads: “Quick and easy. Write your parcel number below. Search after shipping ID, address, postcode, etc.” Once the user writes down the parcel number flagged down in the SMS and presses the “Search” button, he will be redirected to the following screen.
The message reads: “Your package is on its way. Status: not sent from the Distribution Center – stopped in X post office, failing payment of 20 Danish crowns ($3). The package will be shipped when the fee is paid.” Motivated to pay the remaining postage fees, the user will press the “BETAL NU” (Pay now) button. Once again, the browser redirects the user to another website – dk.price-live.com (domain sanitized and blocked by Heimdal Security).
The DK appendage is just a bounce. Price Live, the root domain, which is listed under a United States IP, is not under CloudFlare’s protection and, therefore more visible in the wild. The root domain has also been sanitized and blocked by Heimdal Security.
Price Live’s payment processing page was specifically engineered to mimic a legitimate page. Notice in the picture below the credentials included to reinforce the illusion: Norton secured badge, SSL encryption certificate, PCI compliance, Verified by Visa, and MasterCard SecureCode and supported payment methods such as Visa, Visa Electron, MasterCard, Maestro.
Private info fields have also been added. To send the order through, which in this case is the additional postage fee, the user must fill in his first and last name, physical address, ZIP Code, city of residence, mobile number, and email address.
...
Continue Reading
SECURITY ALERT: New Denmark Phishing Campaign Uses Package Sending Notification as Pr
![[Image: heimdal-logo.svg]](https://heimdalsecurity.com/blog/wp-content/themes/heimdalv2/images/heimdal-logo.svg){kind=logo}
![[-]](https://www.geeks.fyi/images/collapse.png "[-]")
