Phishing Email Alerts
Catch of the Day: DHL Shipping Phish with a side of Trojan Horse
Chef’s Special: Exchange Phish
Examples of clever phish that made it past my spam filters and into my Inbox, or from clients, or reliable sources on the Internet.
I would be delighted to accept suspicious phishing examples from you. Please forward your email to firstname.lastname@example.org.
My intention is to provide a warning, examples of current phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your own inbox. If the pictures are too small or extend off the page, double-clicking on them will open them up in a photo viewer app.
DHL Shipping Phish with Trojan
This phishing email gets low marks for artistic ability. DHL colors but no logo to provide authenticity. The DHL Mexico email address appears to be authentic, not spoofed, according to the email headers. But the .GZ (.zip) file attachment lit up the board at Virustotal. The attachment was a zipped up version of a remote access Trojan horse.
With the Chinese APT Exchange exploit currently on the loose, I wonder if this little phishy is a part of that exploit. I was teaching this week, and by the time I got around to analyzing it, the exploit appears to have been taken down.
The link in the email resolved to https://storage.googleapis.com/logonprocessor7y9snbs8bs8hs8js8bs/index.html.
But the site was down when I got there.
Virustotal declared the link to be malicious.
IONOS Email Blocked Phish
I got this forwarded from a client who wanted to know if this is a scam, and it is. The senders email address is on the wrong domain keyleaning.com. Instead of a link to a fake login page on a hijacked website, this exploit carries it’s own web page as an HTML attachment. The web page is built inside your computer browser. Clever but weird. But in the end, just another credential stealer.
And the HTML page. Notice the address in the browser address bar – from my own computer.
Account Activation Phish
Another credential stealer. The button link resolved to https://email@example.com.
My first attempt to click through was blocked by Malwarebytes. Not a good sign.
After I turned off Malwarebytes, I was directed to the usual login page. A close look at the address bar reveals the destination
I tried to get to the hijacked web site’s home page but ended up with another warning.
AppRiver Renewal Phish
Again I got around to looking at this exploit too late, and the mechanism was disassembled already. Proof that phish exploits are like mushrooms after a rain, popping up for a day or too, and then gone. The link https://account.appriver.com/identity/login?signin=9112259c17b7d892136 resolves to https://avantconsultingsolutions.com/lt5133, but the landing page site is down.
Another credential-stealer. The Mailjet link resolved to a Sendgrid location https://u14833240.ct.sendgrid.net/ls/click?<redacted>. Too new to be detected by VirusTotal yet. Email and landing page follows.
Yet another credential stealer – this time for your all important Microsoft account. This has the potential for a Business Email Compromise (email account hijacking.) The OneDrive link resolved to https://uniroma2-my.sharepoint.com/personal/martina_urbini_alumni_uniroma2_eu/_layouts/15/guestaccess.aspx?<redacted>. The email and landing page follows. No alerts on Virustotal yet.