You receive an e-mail that is a Phishing e-mail claiming to
be form CRA Canada. The e-mail looks very real as the attacked had bought a
domain name https://cra.arc-cg.com that looks very much like the old domain name that was used by CRA
before they moved to the one Canada.ca domain.
See pic below.
When you click on here it send you to a page that looks like
a forum submission page that is from CRA. That hacker/attacker was also smart
enough to use a CloudFlare to hidethe page by encrypting it using a valid
certificate from them so you even get a Green bar. The average user that was always told to look
for the green lock will think this is a real legit site. BUT IT IS NOT.
The page also is asking for PII data that should never be
given away.
See image below.
Let’s say you dumb enough to fill in your PII info and click
submit then you are redirected to 2nd page that asks for your Credit
Card info. See image below.
At the end when you do submit the page redirects you to the
real CRA page. So a normal person think they just did the correct thing.
Below are screen shoots of other IOC's first is the e-mail path and source servers.
Below are screen shoots of other IOC's first is the e-mail path and source servers.
This IOC is of the hosting provider, as you can see the attacker was smart enough to hide his domain name behind private registration to make it harder for take downs.
No comments:
Post a Comment