Phishing Email Alerts
Catch of the Day: OneDrive Phishing
Chef’s Special: SanLam Finance Spam
Examples of clever phish that made it past my spam filters and into my Inbox, or from clients, or reliable sources on the Internet.
I would be delighted to accept suspicious phishing examples from you. Please forward your email to email@example.com.
My intention is to provide a warning, examples of current phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your own inbox. If the pictures are too small or extend off the page, double-clicking on them will open them up in a photo viewer app.
Either my email filtering services have improved (possible) or the professional phishers have removed me from their email list (possible), but I am not getting the quantity of phishing emails that I used to get in my inbox. This one I dragged out of the SPAM filter provided by my host. Links were all disabled by the spam filter, so I have to look at the source code to get what I show here. This still gives you a good idea of how this exploit looks, with an eye to avoiding it yourself.
This is the source code including the mail header.
Received: from [22.214.171.124] ([126.96.36.199]) by mx.perfora.net (mxeueus003
[188.8.131.52]) with ESMTP (Nemesis) id 1N9cwj-1m1PVM2nLh-015db3 for
<firstname.lastname@example.org>; Fri, 29 Jan 2021 00:47:46 +0100
Received: from campfireak.org ([184.108.40.206]) by mx.perfora.net (mxeueus003
[220.127.116.11]) with ESMTP (Nemesis) id 1M9F4F-1l1A9O2ktT-006Lxn for
<email@example.com>; Fri, 29 Jan 2021 00:47:45 +0100
From: Microsoft OneDrive<firstname.lastname@example.org>
Subject: You’ve received encrypted files from OneDrive
Date: 29 Jan 2021 07:47:45 +0800
<span dir=3D”ltr”>This documen=
t requires your signature urgently. You've received an encrypted FAX d=
ocument containing 5 pages message from Microsoft OneDrive. It has been sec=
urely upload for your safety on OneDrive Cloud. To sign your document onlin=
e please follow the command below.</span></td>
Microsoft respects your privacy. To learn more, please read our=
<a data-auth=3D”NotApplicable” href=3D”https://centralusr-notifyp.svc.ms:4=
The links did not work for me, so I moved on to the HMTL attachment. This is what I found.
Basically, this looks like a OneDrive credential harvesting exploit. The import consideration is that this exploit captures your Microsoft ID, which may be used for your Office365 subscription, Outlook.com and Exchange Online based email account, and even your computer login, so this would be a significant lost of security.
Sanlam Finance – Phish or Spam
This email looked phishy, but turned out too be spammy.
I tested the PDF attachment at VirusTotal, and it was not flagged as malicious. Not proof of safety, but a good indication that this is simply a money lending scheme, undoubtedly at ridiculously high interest rates. No links to dodgy web pages. So this is more likely a Spam exploit than a Phish.
And here is the PDF document,
Domain Renewal Scam Form Phish
This exploit sends the phishing email by using the contact form from the victim’s own website. The email claims that your domain name registration is about to expire. The links resolve to a landing page where you can “renew” your domain name registration. Unfortunately your domain will NOT be renewed, and you will be out-of-pocket for the amount of the plan you select.
The link domain ga is the top-level-domain assigned to the African country of Gabon, Your domain name registrar is unlikely to be headquartered there. https://yourdomainregistration.ga/?n=yourfoundation.org&r=a&t=1612163956&p=v1
Virustotal reported this site.
The infamous botnet has been disrupted thanks to an international effort across the US, Canada, and several European nations.
Emotet typically found its way to computers through infected files sent via email. In these cases, the email messages came with malicious Microsoft Word documents either attached to the message or available for download via a link. After opening such a document, the recipient is asked to enable macros so that the malicious code in the file could activate and install Emotet on the computer.