IPS Phishing Block

For whatever reason, my wife comes across more phishing attempts than anyone I know. I had a chance to capture some of this data so you can see how it behaves in real life, both with and without Zscaler.

Threat: Phishing
Initial Transport: Text Message
Method: Link
Target: Facebook credentials

[Screenshot of actual text message]

You’d think nobody would actually click a link that looks like that. You’d be surprised. The actual link is:

detasee-2088537327.poshakepejhvak.ir/

Note that the phisher (is that even a word?) used HTTP and not HTTPS.

The phisher asks the victim to confirm their identity:

When the victim clicks the link, they are sent to:

detasee-2088537327.poshakepejhvak.ir/sign_in.html?statusid=7f32d959248fbf726aed8897ca690f52

Again, HTTP and not HTTPS.

There they are presented with a Facebook login page:
[image]

Once the victim types in their username and password, the credentials are sent to:

detasee-2088537327.poshakepejhvak.ir/gateway.php

The user is then redirected to the Facebook terms of service page.

If the victim has Zscaler running, they are protected by an IPS signature before they have the chance to enter their credentials.

We classify this URL:

detasee-2088537327.poshakepejhvak.ir/sign_in.html?statusid=7f32d959248fbf726aed8897ca690f52

as phishing, specifically HTML.Phish.Facebook:
[image]


Now, let’s see it in action.

Without Zscaler:

With Zscaler:


Let me know if you have any questions.

Note: The value of statusid is dynamic and will change each time the URL is hit. The URL appears to be dead at this point.
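As an added example that is not part of the original post: a small Python script that recognises the flow described above (a login-looking page on a non-Facebook host, a POST to the same host, then a redirect to facebook.com) in proxy log lines, and strips the dynamic statusid the note mentions so the page matches regardless of token. The log format, client IPs, status codes and the facebook.com redirect target are assumptions; the host and paths are the ones quoted in the post.

```python
# Added example, not from the original post. Assumed log format per line:
# "<client> <method> <url> <http-status> <redirect-location-or-dash>"
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

BRAND_DOMAIN = "facebook.com"
LOGIN_HINTS = ("sign_in", "signin", "login")

# Constructed sample log: host and paths are those quoted in the post;
# client IPs, status codes and the facebook.com redirect target are made up.
SAMPLE_LOG = """\
10.0.0.5 GET http://detasee-2088537327.poshakepejhvak.ir/sign_in.html?statusid=7f32d959248fbf726aed8897ca690f52 200 -
10.0.0.5 POST http://detasee-2088537327.poshakepejhvak.ir/gateway.php 302 https://www.facebook.com/terms.php
10.0.0.7 GET https://www.facebook.com/login.php 200 -
10.0.0.7 POST https://www.facebook.com/login.php 302 https://www.facebook.com/
"""

def is_brand_host(host):
    """True for facebook.com itself and any of its subdomains."""
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)

def normalize(url):
    """Drop the dynamic statusid token so the same page matches on every visit."""
    p = urlsplit(url)
    query = {k: v for k, v in parse_qs(p.query).items() if k != "statusid"}
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(query, doseq=True), ""))

def find_harvest_flows(log):
    """One record per client that loaded a login-looking page on a non-Facebook
    host, then POSTed to that host and was bounced to Facebook."""
    lookalike_pages = {}   # (client, host) -> first login-looking URL seen
    hits = []
    for line in log.splitlines():
        client, method, url, status, location = line.split()
        p = urlsplit(url)
        host = p.hostname or ""
        if is_brand_host(host):
            continue   # genuine Facebook traffic is not the pattern we want
        if method == "GET" and any(h in p.path.lower() for h in LOGIN_HINTS):
            lookalike_pages.setdefault((client, host), url)
        elif method == "POST" and (client, host) in lookalike_pages and location != "-":
            if is_brand_host(urlsplit(location).hostname or ""):
                hits.append({
                    "client": client,
                    "login_page": normalize(lookalike_pages[(client, host)]),
                    "collector": url,
                    "plain_http": p.scheme == "http",
                })
    return hits

if __name__ == "__main__":
    for hit in find_harvest_flows(SAMPLE_LOG):
        print(hit)
```

The normalized login_page value is what you would feed to a URL block list, since the raw URL with its statusid never repeats.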
