A Phish That Scans For Viruses

While I was on the train today I was checking email and found that I had received an interesting phish.  It was sent to an email I haven’t used in years that apparently still forwards:

I certainly didn’t want to miss my “incomming” fax, so I of course needed to click the link to “Preview Fax Message.” 

The phish started off going to “outlake-q.hopto[.]com” and passing my email address as a parameter in the URL.  I changed that up a bit as you’ll see below.  The HopTo address claims it is “Connecting to OneDrive” but it’s really forwarding to the rest of the phish.
“Leak-weave[.]gq” says “Please wait …” while it continues connecting to OneDrive I guess. . . ?
Once it connects to OneDrive (which apparently is now hosted at leak-weave) it asks me to “Please hold a while” as “OneDrive Security is scanning your file for virus!” 

Great news!  No Virus detected on file!

“Scan Complete!  Your file is secure and safe for download. Office365 OneDrive.”  So I guess I can Download the file, right?

Not so fast!  First we have to confirm the password for “ohno@pleasedonhackme.org” 

It takes the time to actually connect to the PleaseDonHackMe.org mail server and concludes that I have entered an “Invalid password”

No file for you!
Now, if a visitor actually believed there was a file, they may have been tempted to provide their REAL password at this time.  I don’t know if that would result in a Download or not, but I’ve decided not to find out!
Hope you enjoyed today’s Adventure in Phishing!  Tune in next time to see .  .  . well, we don’t know what yet.
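
The first hop described above passes the recipient's email address as a URL parameter. The following is an added example, not code from the original post: a triage check that flags clicked links carrying the clicker's own address. The host and mailbox are the ones named in the post; the scheme, paths and parameter names in the sample events are assumptions, since the post does not show them.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

def refang(url):
    """Undo the defanging used in write-ups ('[.]', 'hxxp') so the URL parses."""
    return url.replace("[.]", ".").replace("hxxp", "http", 1)

def recipient_in_url(url, recipient):
    """Return where the recipient's address appears in the URL
    ('query:<name>', 'fragment' or 'path'), or None if it does not."""
    parts = urlsplit(refang(url))
    target = recipient.lower()
    # parse_qsl percent-decodes values, so 'ohno%40...' matches 'ohno@...'
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if target in value.lower():
            return "query:" + name
    if target in unquote(parts.fragment).lower():
        return "fragment"
    if target in unquote(parts.path).lower():
        return "path"
    return None

def triage(events):
    """events: (recipient, clicked_url) pairs from a mail gateway or proxy log.
    Returns (recipient, host, location) for each URL carrying the clicker's address."""
    findings = []
    for recipient, url in events:
        where = recipient_in_url(url, recipient)
        if where:
            findings.append((recipient, urlsplit(refang(url)).hostname, where))
    return findings

# Constructed sample events. Host and mailbox come from the post; the scheme,
# paths and parameter names are assumptions made for this example.
SAMPLE_EVENTS = [
    ("ohno@pleasedonhackme.org",
     "hxxp://outlake-q.hopto[.]com/fax/?email=ohno%40pleasedonhackme.org"),
    ("ohno@pleasedonhackme.org",
     "hxxp://outlake-q.hopto[.]com/fax/#ohno@pleasedonhackme.org"),
    ("ohno@pleasedonhackme.org", "https://example.com/docs?page=2"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Legitimate unsubscribe and tracking links also carry the recipient's address, so a hit is a triage signal to weigh alongside the reputation of the host, not a verdict on its own.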


*** This is a Security Bloggers Network syndicated blog from CyberCrime & Doing Time authored by Gary Warner, UAB. Read the original post at: http://garwarner.blogspot.com/2019/11/a-phish-that-scans-for-viruses.html