I got a phishing email that was spoofing Amazon. It had a link that had this destination URL:
THIS URL IS A PHISHING SITE THAT SIMULATES AMAZON LOGIN POSSIBLY FOR A MAN-IN-THE-MIDDLE ATTACK
[link removed]
What I can’t figure out is how they are using the web site for the city of Greensburg PA to carry out this attack. If you go to greensburg.org it looks pretty legitimate; it has limited content, but it looks real.
The site is registered to the following, which is a private residence address.
Registrant Name:J D
Registrant Organization:Netico, Inc.
Registrant Street: 25134 Sagecrest Circle
Registrant City:Stevenson Ranch, Ca 91381
Registrant State/Province:CA
Registrant Postal Code:91381
Registrant Country:US
Registrant Phone:+1.7025265552
Registrant Phone Ext:
Registrant Fax: +1.7025265552
Registrant Fax Ext:
Registrant Email:netico@icloud.com
Registrant ID:CR195001089
Registrant Name:Unknown
Registrant Organization:City of Greensburg
Registrant Street: 416 South Main Street
Registrant City:Greensburg
Registrant State/Province:Pennsylvania
Registrant Postal Code:15601
Registrant Country:US
Registrant Phone:+1.72483284
Anyway, I don’t think there is anything terribly complex going on. Most likely, whoever actually hosts the site either has a breach in their security or a villainous employee. Either way, once they have access to the server the phishers drop their fake Amazon site into a lonely, but web-accessible, sub-directory and wait for the suckers to start rolling in.
You posted the registration information for greensburg.org; the phishing link you posted is for greensburgpa.org. That’s why you and Baracus got different info - doesn’t answer your question, although I think Baracus did a good job of that.
http://greensburgpa.org/ uses Joomla (as one can see by viewing their source) which is a software package used to build sites (like WordPress). So everyone with a Joomla site has all the same files on their site. Hackers have access to all the source files and they can use this to find vulnerabilities in the code. When they find one they can exploit it like this and just get in remotely and run whatever they want on other people’s sites.
I run a Web server, and while none of my sites run Joomla or WordPress or even PHP, my sites’ web logs are about 50-90% full of hits from hackers looking for specific Joomla and WordPress URLs that allow them access to act maliciously.
For instance my site might not even have an index.php page but I will get 50 hits for “/Index.php?u=0&t=334&delete=yes” or something, which is someone just fishing for a known exploit on index.php.
Anyway, if you have a site built on a pre-packaged platform, please keep it updated. Otherwise, this is what happens.
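The kind of log noise described above can be turned into a simple detector. This is an added example (not code from any poster here); it assumes Apache "combined" format logs and a server that, like the one described, runs no Joomla, WordPress or PHP at all, so any request for those paths is an automated probe. The log lines are constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format (assumed), e.g.:
# 203.0.113.7 - - [12/Mar/2014:08:01:09 -0500] "GET /Index.php?u=0 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Entry points that exist on Joomla/WordPress installs. On a server that
# runs neither, a request for any of these is probing, not a real visitor.
CMS_PROBE_PATHS = (
    "/index.php", "/administrator/", "/components/", "/modules/",
    "/wp-login.php", "/wp-admin/", "/xmlrpc.php", "/wp-content/",
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_cms_probe(target):
    # Path component only, lower-cased, so "/Index.php?u=0&t=334&delete=yes"
    # is recognised as a probe of index.php regardless of case or query string.
    path = urlsplit(target).path.lower()
    return any(path.startswith(p) for p in CMS_PROBE_PATHS)

def probe_report(lines):
    """Return (probe count per client IP, list of probed targets)."""
    hits = Counter()
    targets = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_cms_probe(rec["target"]):
            continue
        hits[rec["ip"]] += 1
        targets.append(rec["target"])
    return hits, targets

# Constructed sample log: one normal visitor and one scanner.
SAMPLE_LOG = """\
198.51.100.23 - - [12/Mar/2014:08:01:02 -0500] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2014:08:01:09 -0500] "GET /Index.php?u=0&t=334&delete=yes HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2014:08:01:10 -0500] "GET /administrator/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2014:08:01:11 -0500] "POST /wp-login.php HTTP/1.1" 404 209 "-" "curl/7.35"
198.51.100.23 - - [12/Mar/2014:08:02:30 -0500] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    counts, probed = probe_report(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip}: {n} CMS probes")
```

Feed it a real access log instead of SAMPLE_LOG and the per-IP counts give you a ready-made block list or alert threshold.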
Seeing the difference in the URL (greensburg vs greensburgpa), it probably isn’t the case here, but sometimes a legitimate website inadvertently lets their domain registration expire, and a vulture swoops in to claim it. This wouldn’t happen with a big site like Amazon, but could for a small mom-and-pop business or small-town chamber of commerce.
And since Viglink very helpfully turns any validly-structured URL string in a post into a live link, we appear to have a live link to a malware site in an SDMB post. That can’t be good. I’m reporting for moderator editing to be less… potentially harmful.
It appears to have been dealt with at greensburgpa.org - I got a 404 error. (OK - I live dangerously at times).
That said, it points out the fact that if you want to mention an unsafe link just to warn people you should explicitly break it (e.g. add some spaces inside it) so that it doesn’t accidentally get turned into a valid link through quoting. (It can happen even with Viglink blocked.)
I removed the links completely, which is kinda the nuke it from orbit solution, but it will prevent viglink or anything else from making live malware links out of this thread.
FWIW, I’m almost certain ZipperJJ’s post is precisely right. Malware types scan for poorly-configured and inadequately-secured websites based on common content management software and use the weaknesses to drop malware web pages into the content directories, but disconnected (no references) from the main intended content. Often at the same time, they’ll make modifications to the backing databases at those sites for data storage for their phished data (but not always – sometimes, the data gets stored someplace else by the malware web page).
Then they send out a phishing email with obscured links pointing directly to those drop-in web pages to complete the process. It can be pretty subtle.
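Because the dropped pages are not referenced anywhere in the site, a site owner rarely notices them; comparing the webroot against a manifest taken right after a clean install or update does. This is an added example (not code from any poster, nor from Joomla or the Greensburg site); the webroot it builds is a constructed tempdir with a fake payment-module directory and a dropped "amazon.com" subdirectory standing in for the pattern described in this thread.

```python
import hashlib
import os
import tempfile

# Files the web server will serve as pages or execute; a new or changed one
# that the CMS did not ship is the first thing to inspect.
SERVABLE = {".php", ".phtml", ".html", ".htm"}

def build_manifest(webroot):
    """Map relative path -> sha256 of content for every file under webroot."""
    manifest = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def diff_manifest(baseline, current):
    """Paths added, modified (hash changed) or removed since the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}

def suspicious(diff):
    """Added or modified servable files, i.e. candidate dropped pages."""
    return [p for p in diff["added"] + diff["modified"]
            if os.path.splitext(p)[1].lower() in SERVABLE]

def demo():
    # Constructed webroot: minimal Joomla-like tree, then a phishing page is
    # dropped into an unused module directory and the front controller tampered.
    root = tempfile.mkdtemp()
    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(data)
    put("index.php", "<?php // site front controller\n")
    put("components/com_pay/pay.php", "<?php // unused payment module\n")
    put("images/logo.png", "not really a png\n")
    baseline = build_manifest(root)               # taken after a clean update
    put("components/com_pay/amazon.com/index.html", "<html>fake login form</html>\n")
    put("index.php", "<?php // tampered\n")
    return suspicious(diff_manifest(baseline, build_manifest(root)))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline is stored off the web server (an attacker who can drop files can also edit a manifest kept beside them) and the diff is run on a schedule.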
Thanks for responses. I thought if I disabled linking it would not be clickable, didn’t think hard enough about downstream side effects.
I apologize for the sloppy transcription of the domain name. That was a red herring.
ZipperJJ’s response is the kind of thing I was looking for. Is there any way for Greensburg, PA, to disable the hack? They don’t show any webmaster contact info. I did forward the email to Amazon’s spam desk.
Just FYI the URL is a series of subdirectories ending in Amazon dot com. Might look legit to a very naive user.
They need to update Joomla, and if it’s not a virtual path they can delete the files called in the URL you got. In fact, they can probably delete whole swaths of code from the server if they don’t use it (IIRC the link called up some payment modules, which they don’t need).