Catch of the Day: Undelivered Mail Phish
Examples of clever phish that made it past my spam filters and into my inbox. Some are sent in by clients or readers like you; others come from reliable sources on the Internet.
You can send phishing samples to me at firstname.lastname@example.org.
My intention is to provide a warning and show current examples of phishing scams, related articles, and education about how these scams and exploits work and how to detect them in your inbox. If the pictures are too small or extend off the page, double-clicking an image will display it in a photo viewer app.
Undelivered Mail Phish
I am not sure what this phishing email was trying to accomplish, but it has a lot of interesting parts, starting with the sender address <MAILER-DAEMON@mx2.arielplast.ru>, which is a Russian mail domain.
The mail was supposedly returned with this error:
<email@example.com>: host mx1.emailsrvr.com[184.108.40.206] said: 550 5.1.1 <firstname.lastname@example.org>: Email address could not be found, or was misspelled (G8) (in reply to RCPT TO command)
There were two attachments, a TXT file and an EML email document, that I was itching to take a look at.
The mail headers confirmed the source was in Russia.
I opened the email in Firefox in my Kali Linux virtual machine. The EML attachment had no content.
And the TXT file gave me this warning from Firefox.
I downloaded the ZIP file.
And I uploaded it to VirusTotal.
Then I unzipped the ZIP file and uploaded both of the extracted files to VirusTotal.
Unfortunately, none of these files produced a malicious verdict. So disappointing. And so I am left wondering what this was all about. It could be a trial run testing a new exploit kit, and perhaps I will see more phishing emails like this one. Returned-mail (bounce) messages are not generally blocked by spam filters, so this might be an attempt at proving the ability to bypass spam filtering. We shall see.
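Since bounce messages sail past spam filters, a practical check is to ask whether a supposed non-delivery report is shaped like one and came from a mail server you actually send through. The following Python script is an added example, not part of the original post: it parses a constructed bounce modelled on the one above (the null Return-Path and MAILER-DAEMON sender, a foreign sending domain, a stray TXT and an empty EML attachment), hashes the attachments so they can be looked up without being opened, and flags the oddities. The relay domains and the sample message are assumptions built for the example.

```python
import email
import hashlib
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the bounce described above; not the real message.
SAMPLE_BOUNCE = b"""\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx2.arielplast.ru>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

<me@example.net>: host mx1.emailsrvr.com said: 550 5.1.1 Email address could not be found
--b1
Content-Type: text/plain; name="details.txt"
Content-Disposition: attachment; filename="details.txt"

Some text that was never a delivery-status report.
--b1
Content-Type: application/octet-stream; name="message.eml"
Content-Disposition: attachment; filename="message.eml"
Content-Transfer-Encoding: base64

--b1--
"""
OUR_RELAYS = {"example.net", "mail.example.net"}  # constructed: MTAs relaying our outbound mail
DSN_PARTS = {"message/delivery-status", "message/rfc822", "text/rfc822-headers"}  # real DSN structure

def triage_bounce(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    domain = sender.rpartition("@")[2].lower()
    report = {"sender_domain": domain, "findings": [], "attachments": []}
    # A genuine DSN has a null reverse path (or MAILER-DAEMON sender) and comes from an MTA we handed mail to.
    if not (msg.get("Return-Path", "").strip() == "<>" or "mailer-daemon" in sender.lower()):
        report["findings"].append("not shaped like a DSN")
    if domain not in OUR_RELAYS:
        report["findings"].append(f"bounce generated by foreign MTA {domain}")
    for part in msg.iter_attachments():  # hash attachments for lookups without opening them
        data, ctype = part.get_payload(decode=True) or b"", part.get_content_type()
        report["attachments"].append((part.get_filename(), ctype, len(data), hashlib.sha256(data).hexdigest()))
        if ctype not in DSN_PARTS:  # a stray .txt or opaque .eml blob is not DSN structure
            report["findings"].append(f"unexpected attachment {part.get_filename()} ({ctype})")
        if not data:
            report["findings"].append(f"empty attachment {part.get_filename()}")
    return report
```

The hashes in the returned report are what you would submit to a scanner lookup instead of opening the attachments.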
I checked out the two email domains, arielplast.ru and jhilburnpartner.com, and found the following web site home pages. This did nothing to alleviate the mystery. The first is clearly a Russian web site.
After a little work with Google Translate:
And just how a haberdashery fits in here is anyone's guess. If you have ideas about this one, please share them with me by leaving a comment below.