Phishing email from "DHL"
*** DON'T TRY THIS AT HOME/WORK ****

Today I got a wonderful phishing email. The attacker sent me a DHL bill for an account I don't have, so that's the first red flag; then the attachment was an HTML file instead of a PDF as stated in the email.

So I decided to take a look... I downloaded the attachment and took a peek from my WSL Linux console.

Very interesting:

The HAKWELOTANIYDEK variable contains my email address.

The Stivenkalvin variable has a base64 value that, decoded, becomes hXXp://ocbpremium.org/app/loi1hn.php, so this website has probably been hacked and now hosts this PHP creds collector.

BTW, I tried putting HAKWELOTANIYDEK in Google Translate and the best match was a romanization of Arabic.

When trying that URL we get redirected to office.com, probably because we don't have the right parameters to give the PHP, making people think this is a legit website.

With curl -L we can follow any redirects; HTTP code 302 indicates a redirection and the Location where are we goi...
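The static inspection described earlier in this post (reading the attachment's string variables and base64-decoding them) can be done without ever opening the file in a browser. The following is an added example, not code from the original post: the sample HTML is constructed, reuses only the two variable names mentioned above, and its URL and address are placeholders.

```python
import base64
import binascii
import re

# Constructed sample: mimics the attachment's layout (two JS variables), with
# placeholder values. The URL and address below are not from the real email.
_URL = "http://collector.example.invalid/app/post.php"
SAMPLE_HTML = (
    "<html><body><script>\n"
    'var HAKWELOTANIYDEK = "recipient@example.com";\n'
    f'var Stivenkalvin = "{base64.b64encode(_URL.encode()).decode()}";\n'
    "</script></body></html>"
)

VAR_RE = re.compile(r"""(?:var|let|const)\s+(\w+)\s*=\s*(["'])(.*?)\2""")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def defang(url: str) -> str:
    """Make a URL non-clickable before it goes into a ticket or report."""
    return url.replace("http", "hXXp", 1).replace(".", "[.]")


def try_b64(value: str):
    """Return decoded text if value is valid base64 of printable ASCII, else None."""
    if not B64_RE.fullmatch(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def triage(html: str) -> dict:
    """Statically read string variables; never renders or executes the HTML."""
    report = {"recipient_vars": {}, "urls": {}}
    for name, _quote, value in VAR_RE.findall(html):
        decoded = try_b64(value)
        if decoded and decoded.lower().startswith(("http://", "https://")):
            report["urls"][name] = defang(decoded)
        elif EMAIL_RE.fullmatch(value):
            report["recipient_vars"][name] = value
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
```

A recipient address baked into the attachment together with an encoded POST target is a useful pair to report to the mail team, since it shows the lure was generated per recipient.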
