Friday, September 1, 2017

Fake Phishing CRA (Canada Revenue Agency) e-mail

As per my last blog post, this is yet another fake CRA e-mail looking to take your PII.

You receive a phishing e-mail claiming to be from CRA Canada. The e-mail looks very real, as the attacker had bought a domain name that looks very much like the old domain name that was used by CRA before they moved to the one domain.
See pic below.

When you click on "here" it sends you to a page that looks like a form submission page from CRA. The hacker/attacker was also smart enough to use CloudFlare to hide the page, encrypting it with a valid certificate from them, so you even get a green bar. The average user, who was always told to look for the green lock, will think this is a real, legit site. BUT IT IS NOT.
The page is also asking for PII data that should never be given away.
See image below.

Let’s say you are dumb enough to fill in your PII info and click submit; you are then redirected to a 2nd page that asks for your credit card info. See image below.

At the end, when you do submit, the page redirects you to the real CRA page. So a normal person thinks they just did the correct thing.
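Since the green lock only proves the connection is encrypted, the useful check is on the hostname the link points to. The Python below is an added example, not part of the original post; the official domains `canada.ca` and `gc.ca`, the older `cra-arc.gc.ca` host and the `.example` sample links are assumptions or constructed values, because the post does not list the domains involved.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: official parent domains for CRA pages (not listed in the post).
OFFICIAL_SUFFIXES = ("canada.ca", "gc.ca")
# Assumption: names a lookalike would imitate, including the older CRA host.
IMITATED = ("canada.ca", "cra-arc.gc.ca")


def squash(name):
    """Drop dots and hyphens so 'cra-arc.gc.ca' and 'craarc-gc-ca' compare equal."""
    return name.replace(".", "").replace("-", "")


def classify(url, threshold=0.8):
    """Return 'official', 'lookalike' or 'unrelated' for a link target.

    The scheme and certificate are ignored on purpose: a valid HTTPS
    certificate says nothing about who owns the hostname.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES):
        return "official"
    full = squash(host)
    without_tld = squash(host.rpartition(".")[0])
    for ref in map(squash, IMITATED):
        # Official name embedded in a longer host, e.g. as a leading subdomain.
        if ref in full:
            return "lookalike"
        # Near match once separators and the final label are ignored.
        if SequenceMatcher(None, without_tld, ref).ratio() >= threshold:
            return "lookalike"
    return "unrelated"


# Constructed sample links; all use HTTPS, so the lock would show for each.
SAMPLES = [
    "https://www.canada.ca/en/revenue-agency.html",
    "https://cra-arc-gc.example/refund",
    "https://canada.ca.refund-portal.example/",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):10} {link}")
```

This is a heuristic for triaging links in reported e-mails: anything that is not `official` should not receive PII, and `lookalike` results are the ones worth reporting for takedown.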

Below are screenshots of other IOCs. First is the e-mail path and source servers.

This IOC is of the hosting provider. As you can see, the attacker was smart enough to hide his domain name behind private registration to make takedowns harder.