TARGETED Phishing - Fake Outlook Password Harvester 

Great video 0:00 intro 4:30 file inspection 6:00 code inspection 17:35 looking at the phishing attempt 19:27 curling 23:15 checking out domain info 32:35 reporting the scam 45:35 golly gee, an outro

You already know John went and snooped around with that RDP right after this video lmao

Wait... The Registrant City is listed as Los Angeles, but the Registrant State is listed as NY.

I enjoy how your videos are always uncut (aside from the long pauses). This gives us a legitimate feel of your work and inspires us to follow these steps. As usual, thanks for the content.

Found this channel through youtube recommendation and by far one of the best recommendations I've gotten to date. I recently got into IT work and I'm looking to branch into cybersecurity as I make my way back to college. These videos have really shown me how cool and fun this stuff can be to analyze. Can't wait to start learning more about this field.

I love how he just showed us how to spam these guys using bash, but then said “But we don’t do it”

The absolute shock in your face when you ran into that RDP info was priceless. I know sometimes you do alot of the legwork off cam and then kinda roll through the thought process and show us a live step by step for the videos. That's what I think you were doing until that RDP moment and the sudden conflict your face showed when you seemed to think "can I/should I chase this down right now?" Truly an awesome video man.

Amazing video! It's a pretty simple but pretty well-done hashing attack. What I really loved was your call to action on reporting this kind of stuff.

Great video, John, it was super cool to see something I deal with at work every day featured on your channel. You clearly went above and beyond with your explanations, breaking it down into all the small components to make it really easy to understand every step of the way. Thanks so much for this one in particular! 🤓

I've been hoarding phishing links for months... I think it's time to pay it forward to those guys, thanks for the inspiration 🙏

He doesn't "advocate" hacking forward then shows the code ( 28:45 ) for an infinite while loop to spam "F-You" to the server for anyone to copy. Smooth 😎

The 1 dislike on this video is the guy that sent the phishing email XD

"You could start the Holy Wars with ViM and Emacs" Favorite John quote ever

That was a fun one. I uncovered this exact one a couple years ago. Pretty clever, if you're not paying close attention I can see this one catching unsuspecting folks.

My guess is that they try the credentials automatically in the background, that's why it took 20 seconds draw a box in gimp: 1. use box select 2. select region 3. right click 4. edit > stroke selection 5. ??? 6. profit

Best defense is a great offense! My Python bot is thirsty for these phising attacks!

You forgot to report them where they host their vm. Only one disadvantage is that they don’t give the owners information of the vm if you can show that they attack you. But at least they bring it down.

Totally awesome... Really enjoyed it. Thank you very much for showcasing it.

During the video I was hoping that you showed us how and where to report... and 10 sec later, you just started showing it. Great work and great video as always ! Thanks John !

This felt like a 5minute vid. It s fun watching and learning from you so thanks 🙏🏼

This might be the best RU-vid channel I've come across

Very 2000's kinda phishing attack. Funny to see it again in the open. since most of the servers don't allow these types of pages/scripts, it died soon after few years, but it spawned huge amount of email addresses back in the day! And, in the present, after soooo many years, surprisingly none of those AVs caught that. Lol.

It's for stuff like this that I LOVE this channel! Incredible work!

i loved that you included the documentation and reporting part!

Hey John, just a heads-up. First of all, awesome video, again! Thanks for sharing this. Secondly, You may want to mask the VT file hash as well. Someone silly enough, like me, for example, might type it over and see more than you wanted to share ;) Edit: I see that you masked it out later in the video, but you missed something.

That was holy fucking awesome informational video... definitely deserves comment, share , like and subscribe and what not.... the way you broke down each part and explained ... gold man!!! thanks a ton!!

this was awesome! i like how you showed how to report as well, hope to see more real world examples like this 😊

Very creative phishing attack. great video man!!

I can't believe this content is free. Thanks a lot man, your the best

Watched two of your videos and definitely subscribing. Keep making great content : )

Thank you John. This video legitimately helped me do my job better!

OMG, time flies when you are having fun! Didn't feel that this was a 47 min video.

Thanks for going over this email, I have to deal with stuff like this all too often and thank you for showing people on how to report this stuff.

As someone working in infosec, I take down a few of those each day, they are almost all the same as the one displayed by John.

"...nor would I want to do that on RU-vid."

Honestly, i REALLY enjoyed that one

This was trivial but also extremely awesome

Really good stuff and great use of OSINT. However, the registrar could be a victim of the phishing scam and just had their server hijacked. I know the probability of this is low as the server was setup to return fake 404 on the files present and didn’t have anything else but if this is a major operation they might be swapping servers at a certain interval 🤷‍♂️ Great advice too: MFA rullz and the IT department is there for a reason!

thanks! John. Thanks to this video, I was able to stop the malware, when an employee got a similar phishing email. Keep up the great work!

Thanks John! Great explanation how a phishing attack works under the hood! Hope Namecheap take the necessary steps to shut down this domain and the related server and services! To catch and arrest the real "bad guys" is the bigger task in the story and depends on official entities and the will to pursue them. Waiting for you next vid .. 👍

The probable reason that the virus scanners aren't detecting it is because the organisation name is embedded in the payload... and will be different for every target.

I've seen a few similar emails in my organisation in the last few months where they even replicated the look of the specific organisation's login page (the image background matches the custom one set by the organisation rather than the basic regular one). Thankfully our users have been shown to signal us suspicious emails.

Real followers gonna skip the updated videos and see the 3 - 5 years old videos from john

reporting stuff takes more time than reverse engineering it!!

The target would be outlook's login, it's literally targeting the Microsoft office login, since that's where it /redirects/ to.

The irony is not lost me. Using a Microsoft service to harvest Microsoft user data. That is "flipping the bird" to Microsoft big time.

I don't regret spending my 47 minutes on this!!

Wow great content! Very informative! I would love to see more videos like this!

Honestly, I really dig this video. Really puts into perspective the defensive and investigative side of things.

great video John, you are a cybersec inspiration!

A few small notes; There's a very good chance the credential harvesting page is on a legitimate website that was compromised by the attacker. I don't know that this is what happened here, but just be aware of that before going after the domain owner quite so hard. Second, it is generally far more useful to make the abuse report to the hosting provider that is hosting the malicious content, rather than the domain name registrar. Reporting to both is also fine of course, and frequently the two are the same entity but not in this case. Lastly, this sort of thing is pretty common. Any reasonably sized organization will see these sort of phishing campaigns regularly.

This is all fascinating to me and makes me wish i had stuck with it back in the day. I haven't even used Linux in years.

Don't forget to add this to the malware analysis playlist

2FA is needed indeed. But it should be noted, if you use a OTP style password fill, that too can be phished. Highly recommend using MS Authenticator (or others) which prompt on your phone, rather than prompting for a OTP.

Hi - good stuff. I would have been tempted to put *Microsoft* as one target - it is them that is being impersonated. I look forward to hearing whether or not your reporting was successful to any degree.

This was awesome! Please do some more of these, Great video

Liked the video. The whois lookup shows City of Los Angeles state New York. Surprised you missed that. Also Google maps shows that’s a Bank of America about a block from my house

I really love your videos, just the detail paired with great Explantation :-) Keep going!!!

This video is INSANE! I love this very much

Los Angeles, New York with a CA zip code nice lol

Great video. I've seen this phishing attempt. Cool to see the deep dive.

26:40 Engineer Man has entered the chat...

This video makes me glad that i never ever open links from emails. And second - i never ever remember my password first try and i always use 2 factor

Awsome work you did there john, But i cant remember the last time i opened outlook 😂😂✌

i see 30 minutes of video, because is the best video i ever seen

I know nothing about CyberSec, but I know Los Angeles New York isn’t a thing…I would have IMMEDIATELY called that out (which I did while watching). That shit is shady as fuck

With target they meant who the phishing attack was trying to impersonate john

I got this recently, and I had alot of fun messing around with it and changing the post request address I also reported the domain

I've seen phishing attempts in this style quite a few times. Some of them even do some sort of automated login + 2FA harvesting. Also, the webmaster contact location of Los Angeles, New York definitely sounds like fake info, somehow.

Dammmm, I can't be alive, hopefully next time, your content is amassing!!!

Damn man you gave me a heart attack because last night I got an email from MS and changed my password on their site through my own doing and not a link

Awesome stuff John, always enjoy your videos

I deal with these files every frickin day lol love it

Thanks for the content John. Always love these videos.

Well done John!

Nice work John!

is that you ? ...... john Hammond ? ...... from the 2013 movie " Jurassic Park " ? ........ nice ...... so you are a pets ( dinosaurs ) lover and infosec pro ....... that's what l call " THE REAL SUCCESSFUL GUY " ....... btw ........ thnx for the great efforts ...... keep it up!

I've seen hurley auctions for a long time now. Awesome video

i really love these password harvesting sites cuz jokes on you I never get my password right on the first try

VSauce be like It's returning a 404... Or is it ?

maybe it took 20 seconds due to Azure cold boot? Cloud Functions typically scale down when there's no traffic.

I am always jealous of u broo.. 😂😂 I have been struggling a lot to become like u. I hope I'll meet u someday. Thank u so much for constant motivation and inspiration. 💖

Eog command was a good thing for me. Thanks

For anyone who is wondering, this is very similar to something I would do any given day of the week as a cybersecurity analyst at a large organization. Another great video John!

sooo happy to see a new vid from you after school :)

31:50 To be fair, this is undetectable. How is antimalware supposed to know that a 404 status code is actually a malicious endpoint?

Love it John!

i can watch john sec 101 all day . thank you for engulfing us your knowledge .

amazing video...great presentation! appreciate the content and time you took to post this.

I would just like to point out the registered address is for Los Angles, New York. A non-existent city, verifying that the details are bogus.

Could be less than targeted, though. They could run a script on their own malicious script where they replace the identity with a different email from a db for that specific org. Am I going wrong about this?

Is nice to see electronics videos for Jürgen Klopp.

John On YT: Breaking Into Someone Else's Device Is Illegal 😇 John At Night: Let's Play In Mother F@@@er 😈

Hi John, what kind of programming languages do you recommend to learn in 2021/2022 to be successful in malware analysis?

Me googling "Where is Los Angeles, NY"

...nice work, smart than me...

Great break down and explanation as always.

The city and state don't match on the domain. Los Angeles isn't in NY. Prob completely fake creds leading to a burner account.

31:00 Should have used that email for the curl.

Amazing job