Catch of the Day: Voice Mail Phish
Chef’s Special: Held Message Phish
Examples of clever phish that made it past my spam filters and into my inbox. Some are sent by clients or readers like you, and other reliable sources on the Internet.
You can send phishing samples to me at email@example.com.
My intention is to provide a warning and show current examples of phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your inbox. If the pictures are too small or extend off the page, double clicking the image will display them in a photo viewer app.
Voice Mail Phish
This email arrived on June 7. Initially, it looked quite similar to genuine Google Voice email alerts. But the HTML attachment is a popular delivery method for phishers.
I took a look at the email headers, and it seemed to be something I sent myself, but the server address at 18.104.22.168 is not my email server address. Checking the IP location showed this was a Microsoft server in the Netherlands. At this point I was sure the email was a phish.
Opening t he attachment in Kali took me to a Russian URL
I checked the Cloudflare CAPTCHA. Cloudflare is a nice touch lending some realism to the scam
The next page showed a standard Microsoft365 login screen, so this turned out to be a credential stealing exploit.
A quick trip to Virustotal confirmed that the attachment was used in phishing exploits
This phish email is a simple but most likely effective approach that many email users would accept as legitimate. Make sure you re not one of them. “Whenever there is any doubt, there is no doubt.” – Ronin, Robert de Niro.
Held Message Phish
I am betting on credential theft, but decide for yourself. Here is another email that I am certain is bogus. First, the return email address is from 10NOS, who is my web and email host. Can you spot the use on the numbers one and zero (10) in steady of the correct spelling of IONOS?
The Review Messages and Fix Issue Now link resolves to https://login.wireless.radio/user/logout?gotoUrl=https://firstname.lastname@example.org and this is redirected to https://email@example.com.
The cookie agreement is in German, which is odd.
As is some of the other content.
Virustotal has not flagged this URL yet, but this email only just arrived in my inbox 2 hours ago. Maybe I’ll check later to see how soon this gets taken down.
I was right about this phishing email is for stealing the logon credentials of IONOS customers. There were early clues that an attentive reader would catch. Not the best work by this phishing crew.