We just discovered that UNICAMP (Universidade Estadual de Campinas), a renowned Brazilian University, has had their infrastructure compromised and it is being used to host phishing link which are then being used email spear phishing campaigns.

In this specific campaign they appear to be targeting a visitors credit card information. We came across the issue while working on an infected site. The attacker had modified the site’s .htaccess to redirect incoming traffic to the Phishing files:

hxxp://www.cpa.unicamp.br/alcscens/as/public.php (The URL was slightly modified to avoid accidental clicks)

This link was leading to the following URL which is still live. The content looks to have been cleared up:

hxxp://www0.comprapremiadacielo.web-maker.kz/

This was a phishing page pretending to be from Cielo, one of the biggest electronic payments operators in Brazil. It was pretending to offer promotions and discounts that requested the visitors credit card information.

Here’s an image of the phishing page:

We also found a file containing an email message and script to send emails to potential victims. Here’s the content of the email file:

httx://www. cpa.unicamp.br/alcscens/as/public.phpios%20autenticado&pbx=1&oq=&aq=&aqi=&aql=&gs_sm=&gs_upl=&bav=on.2%2cor.r_gc.r_pw.%2ccf.osb&fp=aa151a29d476e27c&pf=p&pdl=500
Caso não esteja vendo as imagens desse e-mail, click aqui: http://www.cpa.unicamp.br/alcscens/as/public.php

While there does not appear to be any evidence of other nefarious activities on the site, it is still best practice to avoid the site until the University has an opportunity to clean themselves up.

Written by Magno Logan and Fio.