The email message above looks very basic. It appears to be coming from a reliable source. The subject is “Document” and there is only one sentence in the body, “I sent a document to you, to view it click on the document below.”
For many users this would seem like a normal work email. Even if they didn’t think it was normal, they might not assume it’s malicious or a phishing email.
Below you can see the URL when hovering over the “Document” text:
Clicking on that link redirects the user to the following webpage:
Scanning that URL (hxxps://dk-media.s3.amazonaws[.]com/media/1npoq/downloads/311511/share.html) via VirusTotal shows a detection ratio of 4/68 (as of 8/18/16) as a “malicious” and “phishing” site. The link to that VirusTotal report can be found HERE.
Below is a snapshot of the source code showing a URL for hxxp://www.formbuddy[.]com/cgi-bin/form.pl, a method of “POST”, an input value for “username” (rifart45f, the account name on FormBuddy.com), as well as a URL pointing to what appears to be a legitimate sub-domain (webmail.luriechildrens[.]org):
Using some fake credentials, I attempted to “Sign In” and was redirected to the URL shown in the source code (hxxp://www.formbuddy[.]com/cgi-bin/form.pl). Again, this was a Web login page for an Outlook account.
The phishing site would appear to be targeting the legitimate web portal located at “hxxps://webmail.luriechildrens.org”. Luriechildrens.org is a site for the Ann & Robert H. Lurie Children’s Hospital in Chicago.
Scanning hxxp://www.formbuddy[.]com/cgi-bin/form.pl via VirusTotal shows a detection ratio of 3/68 as a “malicious” and “phishing” site (as of 8/18/16). The link to that VirusTotal report can be found HERE.
Predictably, I was able to capture my fake credentials in the POST request, which was sent in the clear:
Trying to submit another set of credentials on hxxp://www.formbuddy[.]com/cgi-bin/form.pl doesn’t seem to do anything. I’m not finding any POST request or GET request and clicking the Sign In button doesn’t even return an error with my fake credentials.
Doing some research, I found that hackers use FormBuddy as a means to steal victims’ passwords. Essentially, FormBuddy allows anyone to have a remotely hosted form processor for their website. Here are the steps criminals use to steal passwords from their victims:
Step 1: Select a hosted form service like FormBuddy
Step 2: Create a fake login page used to grab user credentials
Step 3: Host the login page
Step 4: Send phishing emails pointing to the newly created fake login page
Step 5: Stolen credentials are emailed to the FormBuddy account
Flagging traffic from FormBuddy might be the best solution for this type of phishing attack.
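As an added example (not code from the original post), two defender-side checks in Python that mirror the analysis above: the first parses a page's HTML the way the source-code inspection did and flags login forms that send a password to a host other than the page's own, such as FormBuddy's form.pl; the second applies the closing advice by flagging POSTs to known form-processor hosts in proxy logs. The sample HTML and log lines are constructed; the form action and the rifart45f account value come from the post, while the other field names, the log format and the host list are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Third-party form processors a real webmail login page would never POST to
# (assumption: seed list, extend with what your own proxy logs show).
FORM_PROCESSOR_HOSTS = {"formbuddy.com", "www.formbuddy.com"}

# Constructed sample resembling the phishing page source described in the post: the form
# action and the hidden "username" value (the FormBuddy account) come from the post,
# the other field names are assumptions.
SAMPLE_PAGE_URL = "https://dk-media.s3.amazonaws.com/media/1npoq/downloads/311511/share.html"
SAMPLE_HTML = """<form action="http://www.formbuddy.com/cgi-bin/form.pl" method="POST">
<input type="hidden" name="username" value="rifart45f"><input type="text" name="login">
<input type="password" name="passwd"><input type="submit" value="Sign In"></form>"""
# Constructed proxy log lines (assumed format): timestamp, client, method, url, status.
SAMPLE_LOG = [
    "2016-08-18T10:02:11 10.0.0.7 GET https://dk-media.s3.amazonaws.com/media/1npoq/downloads/311511/share.html 200",
    "2016-08-18T10:02:40 10.0.0.7 POST http://www.formbuddy.com/cgi-bin/form.pl 302",
    "2016-08-18T10:03:02 10.0.0.7 GET https://webmail.luriechildrens.org/ 200",
]

class FormScanner(HTMLParser):
    """Collects each <form> with its action and its (name, type, value) inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append((a.get("name") or "", (a.get("type") or "text").lower(), a.get("value") or ""))
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def find_harvesting_forms(html, page_url):
    """Return password forms that submit to a host other than the page's own, noting whether
    that host is a known form processor and which processor account receives the data."""
    scanner = FormScanner()
    scanner.feed(html)
    page_host, hits = urlparse(page_url).hostname, []
    for f in scanner.forms:
        host = urlparse(f["action"]).hostname
        if host and host != page_host and any(t == "password" for _, t, _ in f["inputs"]):
            hits.append({"action": f["action"], "host": host, "known_processor": host in FORM_PROCESSOR_HOSTS,
                         "account": next((v for n, _, v in f["inputs"] if n == "username" and v), None)})
    return hits

def flag_proxy_posts(log_lines):
    """Flag lines where a client POSTed to a known form processor (the post's closing advice)."""
    return [line for line in log_lines
            if line.split()[2] == "POST" and urlparse(line.split()[3]).hostname in FORM_PROCESSOR_HOSTS]
```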