Endesa is the largest electric utility company in Spain. A ransomware campaign has recently been discovered that uses a fake invoice for a huge amount to trick users into verifying it. A clever social engineering move.
More details and the full list of domains involved are available in the CSIRT-CV alert.
The interesting part of this new ransomware campaign is that most of the domains hosting the malicious scripts are based on the popular Joomla CMS.
Based on the compromised sites, it seems this campaign is leveraging the critical vulnerability CVE-2015-8562.