New attempt of stealing information from Liverpool's customers

UNAM-CERT was notified about this alleged email, sent from the account ventasd that seems to belong to Liverpool, with the subject: “URGENT – Liverpool and Fábricas de Francia Update”.

When we examined the source code of the email, we verified that all the links directed to a site that was completely different to Liverpool; however, the images and references inside the email were obtained from the original site.

By clicking any of the links, we were redirected to a fake Liverpool website, where we were asked for an email and a password to log in.

When we analyzed the source code of the website, we could see that the information was being processed by a file called login.php.

Subsequently, when evaluating the captured traffic, we were able to confirm that the data acquired was sent in plain text.

Regardless of the information entered, the fake site returned to the home screen, requesting email and password again because of an error. Normally, programmers of fake websites make this kind of tricks to verify the information of the user.

Once the information has been validated, the fake website displays an “Information Updated” message, where it requests the account number of the Liverpool card and the NIP. After this, information about the card and its owner is inquired.

As in previous cases, we entered bogus data to identify the website where the stolen information was stored. We discovered that the same site hosting the phishing was saving the data using a file called lregistroDilisa.php. All the information was transferred in plain text.

After “updating” the user’s information, the website sends a message of gratitude, whose translation in English would be something like: “Information updated correctly. Now you can continue enjoying our website. Thank you”. The message was displayed for a few seconds, after which we were redirected to the legitimate Liverpool site.