Wednesday, 16 January 2013

Compromised trusted webspace: Phishers hack Georgian government website

Checking my e-mail today, I saw that I had a message claiming to be from Santander, regarding my Internet banking account. Now, I don't bank with Santander, so I knew instantly that it was a phishing e-mail.

Here it is (click the image to see a larger version):

[Image: phishing e-mail sent to me]
I hovered the cursor over the link and saw that the website linked was on the Georgian government's domain! Expecting the issue to have been resolved already (that is, the authorities removed the malicious content), I clicked the link. Instead, it took me to a page which then redirected me to a phishing page resembling Santander's website.

The page is on Google's blacklist, but Internet Explorer still opens it without any warnings. The address of the page on the Tbilisi website is as follows.

[Image: URL of malicious file on tbilisi.gov.ge]

The source code of the malicious page comprises just four lines, and it redirects the victim to another website (click for a larger image).

[Image: source code of file on the infected site]

The website that actually hosts the phishing page, finca-agroturisme.com, is a Catalan website that also appears to have fallen victim to the hackers. Literally just now (as I was typing), the infected page was removed from the finca-agroturisme website. Hopefully, this means that the admins discovered the hackers' attack and removed the malicious content. Unfortunately, the material on the Tbilisi website is still there, so I will try to contact the webmaster to notify him or her of the problem.
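The chain described above (an e-mail link pointing at a trusted domain, a tiny redirect page there, and the actual phishing form on a second compromised host) can be triaged without executing anything from either site. The following is an added example, not code from the original post: it pulls the visible text and real `href` out of an e-mail body, statically extracts `meta refresh` and simple `window.location` redirects from the hosted pages, follows the hops, and flags when the final host is neither the host the link text implies nor a legitimate domain of the impersonated brand. All domains, paths and page contents here are constructed stand-ins; the dictionary of pages stands in for HTTP responses so the script runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _PageScanner(HTMLParser):
    """Collect <a> links, a meta-refresh target and inline <script> bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.links, self.meta_refresh, self.scripts = [], None, []
        self._href, self._text, self._in_script = None, [], False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a":
            self._href, self._text = a.get("href"), []
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh = a.get("content", "")
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)
        elif self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None
        elif tag == "script":
            self._in_script = False


# Plain (unobfuscated) JavaScript redirect idioms; obfuscated scripts are not covered.
_JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']\s*\)', re.IGNORECASE)


def extract_links(html):
    """Return (visible text, href) pairs from an HTML e-mail body."""
    s = _PageScanner()
    s.feed(html)
    return s.links


def extract_redirect_target(page_html, page_url):
    """Return the absolute URL a page statically redirects to, or None."""
    s = _PageScanner()
    s.feed(page_html)
    if s.meta_refresh:  # e.g. content="0; url=login.php"
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", s.meta_refresh, re.IGNORECASE)
        if m:
            return urljoin(page_url, m.group(1))
    for js in s.scripts:
        m = _JS_LOCATION.search(js)
        if m:
            return urljoin(page_url, m.group(1) or m.group(2))
    return None


def follow_chain(start_url, pages, max_hops=5):
    """Walk static redirects; `pages` maps URL -> HTML and stands in for fetched responses."""
    chain, url = [start_url], start_url
    while len(chain) <= max_hops and url in pages:
        nxt = extract_redirect_target(pages[url], url)
        if nxt is None or nxt in chain:  # no further hop, or a loop
            break
        chain.append(nxt)
        url = nxt
    return chain


def triage_email(email_html, pages, brand_domains):
    """Flag links whose landing host differs from the trusted first hop and from the brand."""
    findings = []
    for text, href in extract_links(email_html):
        chain = follow_chain(href, pages)
        hosts = [urlparse(u).hostname or "" for u in chain]
        final = hosts[-1]
        findings.append({
            "text": text, "chain": chain, "final_host": final,
            "host_change": len(set(hosts)) > 1,
            "brand_mismatch": not any(final == d or final.endswith("." + d)
                                      for d in brand_domains),
        })
    return findings


# Constructed sample e-mail body: the link text claims to be the bank's login page.
SAMPLE_EMAIL = """<p>Dear customer, please verify your account:</p>
<a href="http://city.gov.test/images/banners/verify.html">https://bank.example/login</a>"""

# Constructed stand-in for the redirect page planted on the trusted host.
SAMPLE_HOP1 = """<html><head><script>
window.location = "http://holiday-farm.test/tmp/bank/index.php";
</script></head><body></body></html>"""

# Constructed stand-in for the second compromised host: a meta refresh to the form.
SAMPLE_HOP2 = """<html><head>
<meta http-equiv="refresh" content="0; url=login.php?session=1">
</head></html>"""

SAMPLE_PAGES = {
    "http://city.gov.test/images/banners/verify.html": SAMPLE_HOP1,
    "http://holiday-farm.test/tmp/bank/index.php": SAMPLE_HOP2,
}

if __name__ == "__main__":
    for f in triage_email(SAMPLE_EMAIL, SAMPLE_PAGES, ["bank.example"]):
        print(f["text"], "->", " -> ".join(f["chain"]))
        print("  host changes:", f["host_change"], "| brand mismatch:", f["brand_mismatch"])
```

The static approach is deliberate: nothing from either compromised site is executed, so the triage machine is not exposed to whatever else the page carries. It will, however, miss redirects built with obfuscated JavaScript or server-side (HTTP 3xx) hops, so treat a "no redirect found" result as inconclusive rather than clean, and check the Safe Browsing or equivalent blacklist status of every host in the chain.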

Compromising a government website is a cunning strategy indeed. People generally trust the government, at least not to steal too much of their money, so phishing from a government domain would probably induce victims to let their guard down. Government websites get hacked all the time, but this is the first time I've seen one compromised by phishers, as opposed to groups like Anonymous.
