This is a clever phishing scam that targets Canadians:
I say clever because beyond the legitimate looks, the payload is distributed by a malicious URL combined with a legit one.
One thing we always tell people is to never trust links, even if they look fine. This is because it is easy to create a hyperlink whose visible text reads http://www.goodsite.com but whose actual target is http://www.badsite.com.
Let’s take a closer look:
By placing the mouse cursor over the link (NO CLICKING!!), you can see in the status bar that this one indeed matches the real site. If you did click on it, you would be sent to Canada Post’s official website:
At that point, you think this email must be legit after all and you are ready to click on the second link. That’s the catch!
Here I repeat the same mouse-over process, but look at the URL: it is NOT the same!! Sneaky…
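The mouse-over check above can be automated for a mailbox or a gateway: parse every link in the HTML body and flag any whose visible text names one host while the href points at another. The script below is an added example written for this post, not something the scammers or Canada Post use; the email body is constructed to mirror the scam (one genuine link, one look-alike link to a file named like the one above), and the hosting host `hacked-site.example` is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mirroring the scam: the first link is genuine, the second
# shows a Canada Post URL as its text but actually points at a placeholder host.
SAMPLE_EMAIL = """
<p>Your parcel could not be delivered.</p>
<p>Track it at <a href="https://www.canadapost.ca/">www.canadapost.ca</a>.</p>
<p>Print your invoice:
<a href="http://hacked-site.example/shipment_capost_invoice.zip">
https://www.canadapost.ca/invoice</a></p>
"""

# Matches a host-like token (optionally prefixed by http:// or https://) in link text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def shown_host(text):
    """Host the reader *sees* in the link text, or None if the text is just words."""
    m = _DOMAIN_IN_TEXT.search(text)
    return m.group(1).lower() if m else None


def actual_host(href):
    """Host the link *really* goes to, taken from the href attribute."""
    host = urlparse(href).hostname if href else None
    return host.lower() if host else None


def find_mismatched_links(html):
    """Return links whose displayed host differs from the host in the href.

    A displayed bare domain (canadapost.ca) is accepted for its own subdomains
    (www.canadapost.ca); anything else that disagrees is reported.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown, actual = shown_host(text), actual_host(href)
        if shown and actual and shown != actual and not actual.endswith("." + shown):
            findings.append({"shown": text, "actual": href})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL):
        print("MISMATCH: text shows %r but link goes to %r" % (f["shown"], f["actual"]))
```

Note that the check has to run over every link, not just the first: the scam relies on the first link being genuine so that the reader stops checking. Link text that is plain words ("click here") is not flagged by this heuristic, so it complements rather than replaces the hover check.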
What we have here is a zip file called shipment_capost_invoice.zip:
If you open it up, it contains the malicious file the bad guys want you to run:
The file is poorly detected by Anti-Virus products. (VirusTotal 3/42).
Let’s take a look at where this file is hosted: dayspringpreschool.org
This is the site for a preschool in California. They probably aren’t aware that they are being used to host a malicious file used by scammers. (I will let them know soon).
They are running the Content Management System (CMS) Joomla!:
and it is out of date: the site runs Joomla version 1.5.15 while the current release is 1.5.26, which could very well be why the site got hacked.
Speaking of out of date, WordPress released version 3.4 today, so if you haven’t updated your CMS yet, do so quickly.
Hat tip to Marlee for reporting the phishing email.