A laughable fake Avast alert email tries to harvest email addresses via a spam message and leads to several malicious domains.Guess who hackers disguised themselves as in a recent phishing campaign? That’s right – Avast! A laughable fake Avast alert email trying to harvest webmail addresses is being sent out via a spam message which leads to several domains where attackers have prepared a simple form to collect victims’ email addresses and passwords. This is what it looks like:
Received spam in a phishing scheme impersonating Avast
The email shows the link as hxxp://scan.avast.com/, but in reality, this fake link directs to several hacked domains (www.hacked-domain.com/index.php?email=victims_email) where a simple PHP file, which immediately tries to support an alert message that your mailbox contains viruses, is located. There is even a list of some file names and their locations.
There is also a main part in the code of this form, which is <form method="post" action="post.php">, and post.php, where all the magic happens. After you hit ”Scan Email”, the following form will appear.
First attempt to gain password
After a password is entered into the form, the victim is automatically redirected to another HTML file. This triggers an error message stating that the user has incorrectly entered their credentials.
Resources of error.html
The purpose of all the fake alerts is to gain the victim's trust, but it all leads to this last simple form where you enter in your email address and password. This is a typical tactic of cybercrooks.
When your credentials are entered, post.php is called again and the previous alert message is shown once more. At this point, the victim can repeat the process again.
Simple encoding by escape() function
Social engineering used to trick Facebook users into downloading Advanced Persistent Threat disguised as Kik Messenger app.
The cryptominer botnet attacked over half a million Windows servers and computers so far...but that number is growing.