Friday Phish Fry

Phishing Email Alerts

Catch of the Day: Roundcube Version Upgrade Phish

Chef’s Special: IONOS Blocked Email Phish

Examples of clever phish that made it past my spam filters and into my Inbox, or from clients, or reliable sources on the Internet.

I would be delighted to accept suspicious phishing examples from you.  Please forward your email to phish@wyzguys.com.

My intention is to provide a warning, examples of current phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your own inbox.  If the pictures are too small or extend off the page, double-clicking on them will open them up in a photo viewer app.


IONOS Blocked Email Phish

There is another fake IONOS credential-stealing phish. The Review button resolves to a Firebase site at https://firebasestorage.googleapis.com/v0/b/ions98487378893492.appspot.com/o/ions%2Findex.html?alt=media&token=822d77eb-cc93-4916-85a1-1388ece1c9f3#Ym9iQHd5emd1eXMuY29t. When followed, this link resolved to https://ions98487378893492.web.app/#bob@wyzguys.com. VirusTotal has not flagged either link.

 


IONOS Reactivate Account Phish

And here’s a similar exploit, only this time I am warned that I need to “reactivate my account.”  The Update Now link resolves to https://data-customer-update.web.app/?5574763236?bob@wyzguys.com.  VirusTotal through Google Safe Browsing identifies this as a phishing link.

This is another credential-stealing exploit. So many of my examples are for IONOS. IONOS is a big web host based in Europe, and the hosting company I use for my websites and domain-based email addresses.

My assumption is that the attackers would like to hijack my email accounts for impersonation purposes, and perhaps to use in the password resetting process.  Then they could hijack my website, and use it to host landing pages like the ones you have seen here.
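Both IONOS links above carry the recipient's address inside the URL: base64-encoded in the fragment of the first (`Ym9iQHd5emd1eXMuY29t` decodes to `bob@wyzguys.com`) and in plain text in the others. The Python triage check below is an added example, not part of the original post; it flags links that embed the recipient's address and links hosted on the suffixes seen in these two phish. The function names, finding labels and suffix list are assumptions for illustration.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Hosting suffixes taken from the two IONOS examples above (illustrative list).
FREE_HOSTING_SUFFIXES = ("web.app", "appspot.com", "firebasestorage.googleapis.com")
# Runs long enough to be a base64-encoded address (standard or URL-safe alphabet).
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{12,}")


def _views(text):
    """Yield text as-is, then every base64 run in it that decodes to ASCII."""
    yield text
    for run in B64_RUN.findall(text):
        padded = run + "=" * (-len(run) % 4)
        try:
            decoded = base64.urlsafe_b64decode(padded).decode("ascii")
        except ValueError:  # bad padding/alphabet or non-ASCII bytes
            continue
        yield decoded


def triage_link(url, recipient):
    """Return findings for one URL found in a message delivered to `recipient`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if any(host == s or host.endswith("." + s) for s in FREE_HOSTING_SUFFIXES):
        findings.append("free-hosting")
    # The address may sit in the path, query or fragment, plain or base64.
    for field in (parts.path, parts.query, parts.fragment):
        if any(recipient.lower() in v.lower() for v in _views(unquote(field))):
            findings.append("recipient-in-url")
            break
    return findings


# Links quoted in the post, plus one constructed benign URL for contrast.
SAMPLES = [
    "https://firebasestorage.googleapis.com/v0/b/ions98487378893492.appspot.com"
    "/o/ions%2Findex.html?alt=media&token=822d77eb-cc93-4916-85a1-1388ece1c9f3"
    "#Ym9iQHd5emd1eXMuY29t",
    "https://data-customer-update.web.app/?5574763236?bob@wyzguys.com",
    "https://mail.example.com/login",  # constructed
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(triage_link(link, "bob@wyzguys.com"), link[:60])
```

A mail gateway or a reader doing manual triage already knows the recipient address, so the check needs no guessing: a link that carries that address back to an unrelated host is worth a closer look even when reputation services have not flagged it yet.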

 


Roundcube Version Upgrade Phish

Here’s a new email credential stealer that looks like a request to upgrade to Roundcube, a new email interface. The upgrade link resolves to http://url7662.pakshooo.com/ls/click?upn=hnIvvA1bWXOF-2BBqaWyWt0j8oH0wZhGq2gViNrcGNPmkfJsV9A3KVKE5XO-2Fn9-2BXEuO77UMiUjxM64gzlEG3i6nQKI51bGmvc-2Fa4UJFS2zTzo-3DLJLf_-2BHB8d5C343hfLp7ljYtulew-2BBgyKlgvIf4J4S4Nm3VdQ09MBwYjNLVWssvahzv7BBxI31lwKtRTeOnU-2FqGoX2NqEsc-2Bh1o5QbF-2FHKAuhJgr9a7hFlhLL2aHtEjnFuBir9RzjHiawt-2B9bQw-2BAaZHLBW3DmVyRfubDDopwOCBs-2FKugNGCZE1RaVfT0PABsdulpn-2B4hZbxilpnL04lCiFkWyt45JPh-2BZhXfn-2FRWR-2FRAiek-3D. VirusTotal reports this is a phishing link.

This link redirects to a landing page at http://uaic.utmachala.edu.ec/wpuaic/wp-content/10112018/roundcube/roundcube/8b40b0f00b82b301466a803b1e4eab21/roundcube.php?https://cpsess1530024440/webmail/paper_lantern/index.html?mailclient=roundcube%2Fmail&service=mail&flowName=GlifWebSignIn&flowEntry=AddSession. This link is reported as malicious.

The email starts with an unusual source email address from pakshooo.com, which was my first clue that this was a phishing exploit.

 


Phishing Campaign Sending Fake IRS Emails in Latest Scam Attempt

A credible looking and fake IRS email is hitting tens of thousands of inboxes across the U.S. Did you get one of these emails? Or perhaps something similar that seems like it probably did not come from the Internal Revenue Service? We’ll look at how to tell if emails you get from the IRS are really from hackers and how to report it. However, we’ll start with a recent example of an IRS cybercrime scam… Read more


Detecting Phishing Emails

Research paper: Rick Wash, “How Experts Detect Phishing Scam Emails”


 


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
