Phishing Email Alerts
Catch of the Day: Roundcube Version Upgrade Phish
Chef’s Special: IONOS Blocked Email Phish
Examples of clever phish that made it past my spam filters and into my Inbox, or from clients, or reliable sources on the Internet.
I would be delighted to accept suspicious phishing examples from you. Please forward your email to firstname.lastname@example.org.
My intention is to provide a warning, examples of current phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your own inbox. If the pictures are too small or extend off the page, double-clicking on them will open them up in a photo viewer app.
IONOS Blocked Email Phish
There is another fake IONOS credential-stealing phish. The Review button resolves to a Firebase site at https://firebasestorage.googleapis.com/v0/b/ions98487378893492.appspot.com/o/ions%2Findex.html?alt=media&token=822d77eb-cc93-4916-85a1-1388ece1c9f3#Ym9iQHd5emd1eXMuY29t. When followed, this link resolved to https://email@example.com. VirusTotal has not flagged either link.
IONOS Reactivate Account Phish
And here’s a similar exploit, only this time I am warned that I need to “reactivate my account.” The Update Now link resolves to https://firstname.lastname@example.org. VirusTotal through Google Safe Browsing identifies this as a phishing link.
This is another credential-stealing exploit. So many of my examples are for IONOS. IONOS is a big web host based in Europe, and the hosting company I use for my websites and domain-based email addresses.
My assumption is that the attackers would like to hijack my email accounts for impersonation purposes, and perhaps to use in the password resetting process. Then they could hijack my website, and use it to host landing pages like the ones you have seen here.
Roundcube Version Upgrade Phish
Here’s a new email credential stealer that looks like a request to upgrade to Roundcube, a new email interface. The upgrade link resolves to http://url7662.pakshooo.com/ls/click?upn=hnIvvA1bWXOF-2BBqaWyWt0j8oH0wZhGq2gViNrcGNPmkfJsV9A3KVKE5XO-2Fn9-2BXEuO77UMiUjxM64gzlEG3i6nQKI51bGmvc-2Fa4UJFS2zTzo-3DLJLf_-2BHB8d5C343hfLp7ljYtulew-2BBgyKlgvIf4J4S4Nm3VdQ09MBwYjNLVWssvahzv7BBxI31lwKtRTeOnU-2FqGoX2NqEsc-2Bh1o5QbF-2FHKAuhJgr9a7hFlhLL2aHtEjnFuBir9RzjHiawt-2B9bQw-2BAaZHLBW3DmVyRfubDDopwOCBs-2FKugNGCZE1RaVfT0PABsdulpn-2B4hZbxilpnL04lCiFkWyt45JPh-2BZhXfn-2FRWR-2FRAiek-3D. VirusTotal reports this is a phishing link.
This link redirects to a landing page at http://uaic.utmachala.edu.ec/wpuaic/wp-content/10112018/roundcube/roundcube/8b40b0f00b82b301466a803b1e4eab21/roundcube.php?https://cpsess1530024440/webmail/paper_lantern/index.html?mailclient=roundcube%2Fmail&service=mail&flowName=GlifWebSignIn&flowEntry=AddSession. This link is reported as malicious.
The email starts with an unusual source email address from pakshooo.com, which was my first clue that this was a phishing exploit.
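The IONOS and Roundcube examples above are caught by the same manual checks every time: the sender domain does not belong to the brand, the link host does not belong to the brand (the brand name is tucked into the path instead), and the landing page URL carries the recipient's own address so the fake login form can be prefilled. The script below is an added example written for this page, not code from this blog; it automates those checks on a constructed sample message. The brand-to-domain list, the sample hosts and addresses, and the two-label "registrable domain" shortcut are all assumptions of the example.

```python
import base64
import binascii
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse, unquote

# Brand keyword -> domains that legitimately belong to the brand.
# Assumption for this example: the defender maintains this list.
BRANDS = {
    "ionos": {"ionos.com", "ionos.co.uk", "ionos.de"},
    "roundcube": {"roundcube.net"},
}

# Constructed sample in the style of the IONOS "blocked email" phish.
# Hosts, bucket name and addresses are made up; the fragment is
# base64("victim@example.test"), the prefilled-address trick seen above.
SAMPLE_EMAIL = """\
From: IONOS Support <noreply@mail.sender-host.test>
To: victim@example.test
Subject: Action required: 3 blocked messages
Content-Type: text/html; charset=utf-8

<html><body>
<p>Three incoming messages were blocked.
<a href="https://storage.cloud-host.test/v0/b/ions-12345.appspot.test/o/ionos-mail%2Findex.html?alt=media#dmljdGltQGV4YW1wbGUudGVzdA==">Review</a></p>
<p><a href="https://www.ionos.com/help">Help center</a></p>
</body></html>
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. A simplification: a real tool would
    consult the public suffix list so that names like example.co.uk work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(html: str) -> list:
    """Pull every href target out of the HTML body."""
    return re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html, flags=re.I)


def decode_fragment(fragment: str) -> Optional[str]:
    """Return the address if the URL fragment is a base64-encoded email,
    the way the Firebase landing page above carried one; otherwise None."""
    if not fragment:
        return None
    padded = fragment + "=" * (-len(fragment) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.match(text) else None


def triage(raw_email: str, brand: str) -> dict:
    """Run the manual checks: sender domain vs. brand, link host vs. brand,
    brand name hidden in the path, and a prefilled victim address."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.split("@")[-1]) if "@" in sender else ""
    brand_domains = BRANDS[brand]
    findings = []
    if sender_domain not in brand_domains:
        findings.append(f"sender domain {sender_domain!r} is not a {brand} domain")

    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    links = []
    for url in extract_links(body):
        parts = urlparse(url)
        host = registrable_domain(parts.hostname or "")
        reasons = []
        if host not in brand_domains:
            reasons.append("link host does not belong to brand")
            if brand in unquote(parts.path + parts.query).lower():
                reasons.append("brand name appears only in the path/query")
        prefilled = decode_fragment(parts.fragment)
        if prefilled:
            reasons.append(f"victim address prefilled in fragment: {prefilled}")
        links.append({"url": url, "host": host,
                      "suspicious": bool(reasons), "reasons": reasons})
    return {"sender_domain": sender_domain, "findings": findings, "links": links}


if __name__ == "__main__":
    report = triage(SAMPLE_EMAIL, "ionos")
    for line in report["findings"]:
        print("sender:", line)
    for link in report["links"]:
        print("link:", link["host"], "suspicious" if link["suspicious"] else "ok", link["reasons"])
```

On the sample, the sender check fires, the Review link is flagged on all three counts (foreign host, brand name only in the path, prefilled address), and the genuine help-center link passes. In practice the link host check is the one that survives even when the sender address is spoofed well, which is why the write-ups above always resolve the links before deciding.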
A credible-looking and fake IRS email is hitting tens of thousands of inboxes across the U.S. Did you get one of these emails? Or perhaps something similar that seems like it probably did not come from the Internal Revenue Service? We’ll look at how to tell if emails you get from the IRS are really from hackers and how to report it. However, we’ll start with a recent example of an IRS cybercrime scam…
Research paper: Rick Wash, “How Experts Detect Phishing Scam Emails”