This faked email using a one-time address I made, came to me in an attempt to steal my login id and password.
IP Address 34.13.253.167 belongs to Google, indicating the the person who obtained this address is sending the emails by relaying off Google email servers.
The fake delivery failure message has a hyperlink going to :
cabinet.trk.net.ua
Cabinet.trk.net.ua is registered to:
registrar: co.webcraft
organization: WebCraft Ltd
organization-loc: ТОВ "ВЕБКРАФТ”
url: http://webcraft.ua
city: Kyiv
country: UA
abuse-email:
@webcraft.ua abuse-phone: +380.443625825 abuse-postal: Ukraine, 02206, Kyiv, PO BOX 67 abuse-postal-loc: Україна, 02206, Київ, а/с 67 source: EUNIC
in Ukraine. It creates a fake login screen:
It then uses:
https://api.ipify.org to try to get your IP address
https://api.telegram.org to send data to Telegram with retry mechanism
https://submit-form.com to record and send the data typed in
https://dev-fghhtfthh.pantheonsite.io to send to the hackers own php script
Ultimately harvesting your email address, and your login id/password.
This is obviously something the hacker downloaded and modified for their own use. They then used a fake Gmail login to use a Google server to send this email.
WHY THIS IS SINISTER
What makes this scam effective, is the way this script is written. It background loads the @domain site so that it appears behind the faked login screen.
Imagine that the compromised account is stuartwise@gmail.com so it back-loads the gmail.com page and then dims the page and places the fake login failure on top of it, making it appear legitimate.
It harvests people’s email address and their password. Although it only seems to compromise the email account, it is worse than that. 65% of people reuse passwords across sites. This means that if one account gets breached, everything else becomes vulnerable.
Imagine if the hacker finds your bank. Uses the same email address and password to login to your bank!