Phishing email leading to ridersrepublic.in

Someone notified me that she had received an email from a business contact a couple of days ago informing her that he had shared a document using Dropbox. But when she later contacted his company, she was informed that someone else was sending out email using his email address. She forwarded the message to me, which is shown below with the actual sender's address changed, though:

Subject: Blaine Watkins has shared a file with you using Dropbox
From: Blaine Watkins <blainewatkins@example.com>
Date: Tue, April 18, 2017 6:09 pm
To:

Hi, I just uploaded a Document for you to see using Dropbox. View|Download files and let me know what you think.

Thanks

Blaine

She was concerned that her system might have been infected by malware when she viewed the message. I scanned her system with SUPERAntiSpyware Free Edition, but SUPERAntiSpyware didn't find any malware recently placed on her system. McAfee Total Protection is the real-time antivirus software on her system, but I've found that using additional tools, such as SUPERAntiSpyware, can sometimes detect malware missed by a user's antivirus software. I performed a full scan of the system using McAfee Total Protection after running the SUPERAntiSpyware scan, but it didn't find anything, either. I also checkd the system with Malwarebytes Anti-Malware Home (Free), but it didn't find any malware, either, except for a zip file I created containing files associated with malware I found on the system quite some time ago.

When I checked the email message, I found that the link for View|Download pointed to http://devson.ae/home.php. I downloaded the HTML code on that page using the cURL tool on a Linux system (the tool comes with OS X/macOS and is also available for Microsoft Windows systems). 

$ curl -o devson_ae.txt http://devson.ae/home.php
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   283    0   283    0     0    177      0 --:--:--  0:00:01 --:--:--   182
$

The -o option to cURL allows you to specify an output file to be used to store the webpage downloaded. When I examined the file, devson_ae.txt, I saw that it simply redirected browsers to a web page on another site.

Udemy Generic Category (English)120x600 
<html><head>
<meta http-equiv="refresh" content="0; URL=http://ridersrepublic.in/limitless/dbdrives/index.htm">
<script language="JavaScript" type="text/javascript">
<!--
function redirect() {
setTimeout("window.location.replace('index.html')", 0); }
-->
</script>
</head>

Browsers would be redirected to http://ridersrepublic.in/limitless/dbdrives/index.htm, so I used cURL to download the code for that page as well.

$ curl -o ridersrepublic_in.txt http://ridersrepublic.in/limitless/dbdrives/index.htm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   629  100   629    0     0   1619      0 --:--:-- --:--:-- --:--:--  1686
$

I found it redirected browsers to another page on the same site.

<!DOCTYPE HTML>
<html lang="en-US">
    <head>
        <meta charset="UTF-8">
        <meta http-equiv="refresh" content="1;href=../dbdrives/Microsoft OneDrive_files/emailhrd.html">
        <script type="text/javascript">
            window.location.href = "../dbdrives/Microsoft OneDrive_files/emailhrd.html"
        </script>
        <title>Page Redirection</title>
    </head>
    <body>
        <!-- Note: don't tell people to `click` the link, just tell them that it is a link. -->
        If you are not redirected automatically, follow the <a href='http://example.com'>link to example</a>
    </body>
</html>

So I downloaded the code for that page as well.

$ curl -o ridersrepublic_in2.txt http://ridersrepublic.in/limitless/dbdrives/Microsoft%20OneDrive_files/emailhrd.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10654  100 10654    0     0  26583      0 --:--:-- --:--:-- --:--:-- 26701
$

From a cursory examination of that code, it appeared the page was created to trick visitors to it into revealing their login credentials to common email providers. I saw "Select your email provider" followed by "Select and Sign in to to view document." Beneath that statement were image files: owa.png, Yahoo.png, aol.png, and other1.png. Each was linked to a specific webpage on the site. I assume that "owa.png" was for Outlook Web App from Microsoft, "aol.png" for those who might have an AOL account, and "yahoo.png" for those with a Yahoo account, and that "other1.png" was for those using some other email service. The code was as follows:

<a href="../365i/index.html"><img src="owa.png" width="250" height="82"></a>
<a href="../begin_file/yahoologi.html" target="_parent"><img src="Yahoo.png" width="154" height="57"></a><br>
<br>
<a href="../begin_file/google.html" target="_parent"><img src="gmail.png" width="210" height="62"></a>
<a href="../begin_file/aollogi.html" target="_parent"><img src="aol.png" width="160" height="60"></a>
<br>
<a href="../365i/index.html" target="_parent"><img src="office-365.png" width="204" height="54"></a>
<a href="../begin_file/webmail.html" target="_parent"><img src="other1.png" width="190" height="75"></a>

Since I didn't find any malware infecting the system when I scanned it with SUPERAntiSpyware, McAfee Total Protection, and Malwarebytes Anti-Malware, I don't think the phishing email led to any malware being installed on her system. It seemed the phishing email was designed to trick recipients into revealing login credentials rather than install malware, though there could have been malware deposited on someone's system, if they provided login credentials and then were taken to a page where some file or files would then be available for them to open, if they opened the files thinking they were files from someone they knew.

It is possible that a system belonging to the person whose email address appeared in the "from" was infected with malware that sent the phishing email to his contacts. But what can sometimes happen is that someone's system will become infected with malware that will scan that system looking for email contacts. It may then pick one of those email addresses to use as a "from" address and then send email to all of the other email addresses it finds on the system it has infected. Since many of the contacts are likely to know one another, the malware is more likely to thus trick recipients into opening the message, but if their antivirus software flags the message or any attachments that come with the message as suspicious or malware, or if the recipient visits a site linked in the message and has his or her system infected and then tries to contact the person in the "from" address, they aren't contacting the person associated with the infected system, but merely someone who was a contact of the person whose system is actually infected. So they may contact John Doe, because his email address was in the "from" field of the email message, whereas the message actually came from Joe Smith's system. If the malware makes it more difficult to find the true origination point, it is more likey to be able to stay on the infected system longer.

I checked the ridersrepublic.in site using the Sucuri site check page - Sucuri check of ridersrepublic.in (PDF) It reported "Website Defaced (hacked)". When I checked what it had found, the result was "Site got defaced (hacked with the web page modified). Generally done for fun, political reasons and by script kiddies." I also checked the ridersrepublic.in/limitless/dbdrives/index.htm page with Web Inspector, but it did not report any malware associated with the site - see Report for ‘ http://ridersrepublic.in/limitless/dbdri ... stating "No malicious activity or malware detected."