The “URGENT REQUEST FOR PRICE OFFER” and “Ürün 56787898 için sipariş” email attachments contain an exe file: the malware. Data is stolen via SMTP and the Telegram API.
Technical analysis by the Malware Hunter JAMESWT
New phishing campaign via “Emails Suspended on Server Postmaster”. A fake webmail login page, pre-filled with the victim’s username, asks for the password to fix the problem. But it just steals credentials.
A new global phishing campaign exploits the “Emails Suspended on Server Postmaster” lure. The cybercrime actors’ fake message is tailored to the victim’s mail address and asks the recipient to open a link to fix the problem.
The link leads to a fake webmail login website, with the username already filled in, so the victim only has to type the password.
But the password is not recognized three times.
After that, regardless of what code has been entered, a “successful” message appears for a few seconds.
Finally, the victim is redirected to a real homepage, based on the domain name of the email address. Meanwhile, the credentials have been stolen.