You are an infosec geek when you receive a call that you know is a scam but you pick it up anyway to hear the recording. You then do some internet recon on the domain they tell you to go to and find that it was registered very recently. Next you pull up your sandbox system, load up BurpSuite and proceed to visit the very obvious phishing site to see what happens.
Fake AT&T Phishing Site
So, a random pre-recorded call from a bogus 800 number.
"You just won the AT&T Mega Discount for $555 dollars off your next AT&T bill. You just need to visit att555.com to claim your discount."
So you go to this site and say "Hey this looks legit, all the logos are there and such. Let me just log in and get my reward!"
Real AT&T Account Site
With BurpSuite running in intercept mode, you can watch the activity as you throw fake information into the site. It took whatever I submitted with no validation (another sign it is a bogus site). When I hit "log in", a ton of stuff happens in the background. It sends the data you entered to a web address in Germany:
hxxp://[85.25.17.164]/kingpin/deduct2.php
This happens in clear text as well, with no SSL anywhere to be seen. This is just one more thing to add to the list of suspicious activity. If the phisher had been more creative, they would have at least used a bogus SSL cert to add more realism to the ruse.

So, moral of the story: think before you click! Be aware of your surroundings. If something is too good to be true... it probably is.
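The indicators the post walks through (a freshly registered lure domain, a login form that posts credentials in clear text, and a submit that leaves for a bare IP on a completely different host) are easy to score automatically once you have the request an intercepting proxy recorded. The script below is an added example and not part of the original post: the captured request is constructed (the form field names and the lure page name are made up; only the destination IP and path come from the post), the WHOIS creation date and "today" are constructed stand-ins for a real lookup, and the 30-day age threshold is an assumption.

```python
import ipaddress
from datetime import date, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for what an intercepting proxy records for the form
# submit: the full target URL (the proxy knows the scheme; the raw request
# line does not carry it) plus the raw HTTP request. Field names and the
# lure page are made up; the IP and path are the ones named in the post.
CAPTURE = {
    "url": "http://85.25.17.164/kingpin/deduct2.php",
    "request": (
        "POST /kingpin/deduct2.php HTTP/1.1\r\n"
        "Host: 85.25.17.164\r\n"
        "Referer: http://att555.com/login.html\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        "user=test%40example.com&pass=notreal"
    ),
}

# Constructed registration date and reference date standing in for a WHOIS
# lookup (assumption: the lure domain was registered days before the call).
WHOIS_CREATED = {"att555.com": date(2013, 6, 20)}
TODAY = date(2013, 6, 25)

# Form field names that mean a secret is leaving the browser.
CREDENTIAL_FIELDS = {"pass", "passwd", "password", "pwd", "pin"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, headers and body fields."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": path,
        "headers": headers,
        # parse_qs percent-decodes, so user=test%40example.com -> test@example.com
        "fields": {k: v[0] for k, v in parse_qs(body).items()},
    }


def is_ip_literal(host):
    """True when the Host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(capture, whois_created, today, max_age_days=30):
    """Return the names of the phishing indicators that fire for one submit."""
    req = parse_request(capture["request"])
    target = urlparse(capture["url"])
    target_host = target.hostname or ""
    lure_host = urlparse(req["headers"].get("referer", "")).hostname or ""
    findings = []

    # 1. No TLS: credentials cross the wire in clear text.
    if target.scheme == "http":
        findings.append("cleartext_submit")
    # 2. The body actually carries a password-like field.
    if any(f.lower() in CREDENTIAL_FIELDS for f in req["fields"]):
        findings.append("credentials_in_body")
    # 3. The form on one host posts to a different host entirely.
    if lure_host and target_host and target_host != lure_host:
        findings.append("cross_host_submit")
    # 4. The collector is addressed by raw IP, not a domain.
    if is_ip_literal(target_host):
        findings.append("bare_ip_target")
    # 5. The lure domain was registered only days ago.
    created = whois_created.get(lure_host)
    if created is not None and (today - created) <= timedelta(days=max_age_days):
        findings.append("young_domain")
    return findings


if __name__ == "__main__":
    for name in triage(CAPTURE, WHOIS_CREATED, TODAY):
        print("indicator:", name)
```

Run on the constructed capture, all five indicators fire; run on a same-host HTTPS login to an established domain, only `credentials_in_body` remains, which on its own is just a login form doing its job. The point of scoring several weak signals together is that no single one (a bare IP, a young domain, plain HTTP) proves anything, but a login form exhibiting all of them at once is exactly the pattern the post describes.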