Geekzone: technology news, blogs, forums


amanzi

Amanzi
1176 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

#295894 2-May-2022 22:53

I received my monthly invoice from Voyager today (this was a legitimate email) and then a few hours later I received another invoice from Voyager which looked like a genuine email with my correct name, but an incorrect account number and the monthly fee was too high. The invoice attachment with the email was an HTML file, so I downloaded it, opened in VS Code, and found a bunch of encoded HTML inside a JavaScript script tag. After decoding the HTML, I could clearly see the scam contents which appeared to present an Office 365 logon screen but POSTs the credentials to a PHP script hosted on a Digital Ocean IP address. The logon screen looks and feels like a genuine Office 365 logon prompt, pasted below for your reference. 

 

Thought I'd report it here in case other Voyager customers see this and get tricked into trying to open the attachment. Here's a copy of the scam email, I've blanked out the account number because I assume it's a real account number that belongs to another customer. If you're a Voyager customer, you'll recognise this email instantly - looks pretty legit. This is one of the most convincing email scams I've received, and it wasn't picked up by any of the M365 email protections. In fact, on further digging I can see that the SPF checks in the email headers all passed because the email was sent by another M365 customer, whose email must have been hacked.

 

 

 

 

The logon screen that's presented - this appears after the animation you see when opening Outlook.

 

 

 


danfaulknor
877 posts

Ultimate Geek

Trusted
Prodigi

  #2909528 2-May-2022 23:40

Quite well done, unfortunately.

 

It's up on their status page too - https://status.voyager.nz/





they/them

 

Prodigi - Optimised IT Solutions
WebOps/DevOps, Managed IT, Hosting and Internet/WAN.


 
 
 

richms
26749 posts

Uber Geek

Trusted
Subscriber

  #2909529 2-May-2022 23:44

Aww, I missed out on this one. Perhaps they skipped over Gmail addresses since that would be weird to get Microsoft login fakes.





Richard rich.ms

amanzi

Amanzi
1176 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2909530 2-May-2022 23:46

danfaulknor:

 

It's up on their status page too - https://status.voyager.nz/

 

 

Thanks for pointing that out. I reported it to them around 10pm, so it looks like they had already received some reports by then.




amanzi

Amanzi
1176 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2909532 2-May-2022 23:50

richms:

 

Aww I missed out on this one.

 

 

This has been a fun one to dig into. I've since found two other IP addresses embedded in the code, one of which was also BASE64 encoded. All 3 IP addresses belong to Digital Ocean which I've reported to them, and all of them host some kind of PHP file which only responds to POST requests. This is actually a fairly sophisticated phishing attack and would be really easy to be fooled by.


xpd

xpd
aka Fast Raccoon !
13227 posts

Uber Geek

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #2909551 3-May-2022 08:14

We've had this hit work as well....  and we have nothing held by Vocus/Voyager etc

 

 





       Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand

 

                      LinkTree -   kiwiblast.co.nz - Lego and more

 

       Support Kiwi music!   The People   Black Smoke Trigger   Like A Storm   Devilskin

 

                                            NZ GEEKS Discord______________________________

 

 


01EG
588 posts

Ultimate Geek


  #2909677 3-May-2022 15:13

amanzi:

 

I received my monthly invoice from Voyager today.....

 

 

And what is a "from email"?

 

Original one comes from "billing@voyager.nz", hard to miss.


amanzi

Amanzi
1176 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2909691 3-May-2022 15:45

01EG:

 

amanzi:

 

I received my monthly invoice from Voyager today.....

 

 

And what is a "from email"?

 

Original one comes from "billing@voyager.nz", hard to miss.

 

 

From address was spoofed too: "From: Voyager Accounts <billing@voyager.nz>"
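
Added example (not part of the original posts): SPF authenticates the envelope sender domain, not the `From:` header a reader sees, so an SPF pass and a spoofed `From:` can coexist as described in this thread. The check below compares the two domains; only the `From:` line is taken from the thread, while the `Authentication-Results` line and `tenant.example` are constructed, and the alignment test is a simplification of DMARC relaxed alignment (a real check needs the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers. Only the From line is taken from the thread; the
# Authentication-Results line and tenant.example are hypothetical.
SAMPLE = (
    "Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=user@tenant.example\n"
    "Return-Path: <user@tenant.example>\n"
    "From: Voyager Accounts <billing@voyager.nz>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def domain_of(value):
    """Lower-cased domain of an address, or of a bare domain."""
    return value.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def related(a, b):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def spf_alignment(raw):
    """Report the SPF verdict and whether its domain matches the visible From domain."""
    msg = message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    results = msg.get("Authentication-Results", "")
    verdict = re.search(r"\bspf=(\w+)", results)
    mailfrom = re.search(r"\bsmtp\.mailfrom=([^\s;]+)", results)
    spf_domain = domain_of(mailfrom.group(1)) if mailfrom else ""
    return {
        "spf": verdict.group(1).lower() if verdict else "none",
        "spf_domain": spf_domain,
        "from_domain": from_domain,
        "aligned": related(from_domain, spf_domain),
    }

if __name__ == "__main__":
    print(spf_alignment(SAMPLE))
```

Only an `Authentication-Results` header stamped by your own receiving server should be trusted as input here, since a sender can add one of their own.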

 

 

