A small scam I found
May. 23rd, 2024 10:18 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
aleteoryxMost email scams are pretty boring, but this one was creative in its execution from what I've seen.
These links below are not harmless. Don't go getting your creds stolen.
I got an email from noreply@[[redacted]], saying to login to my cPanel account for "urgent messages".
Being that I don't use cPanel, I clicked on the link, assuming this would be entertaining. I did not expect to get sent to an IPFS proxy URL, and yet there I was. This "login page" is kinda neat! It stores an email in the URL fragment and then puts an iframe in the background to display the person getting scammed's website. Anyways, this just submits the credentials to https://encon-co.in/fireb/general/_apr/pb3/index2pb3.php. I assume encon-co.in is the actual attacker's server.
Anyways, I think it's neat that the strategy is essentially "spread through cPanel installs to gain a pool of usable emails." The IPFS obfuscation is also kinda fun.
I've let the affected company know about the security breach, and contacted the registrar of encon-co.in and cloudflare, in the hopes of stopping the scam dead in its tracks.
Cya next time!
