Examples of clever phish that made it past my spam filters and into my Inbox, or from clients, or reliable sources on the Internet.
I would be delighted to accept suspicious phishing examples from you. Please forward your email to email@example.com.
My intention is to provide a warning, examples of current phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your own inbox.
Fake Hosting Account Support Phish
This is a longer look at a phishing email, including the fake login landing page and the home page of the compromised site hosting that page. First, the email. Notice the webtrade<dot>ie sender address, which has nothing to do with the hosting company being impersonated. The link resolves to http://resten<dot>net/1and1/
Running this destination through VirusTotal shows the site is flagged as malicious.
Opening Kali Linux in a virtual machine, we click through to the landing page, which is a reasonable facsimile of an IONOS login page. When I attempted to enter fake credentials, this warning box popped up.
After entering the “credentials” I was transported to a genuine IONOS page, as you can see from the address bar.
And this is the home page of the unfortunate victim of a website hijacking that is being used by the attacker in this scam. As we can see, it is an outdoor furniture company website running on WordPress; the attacker has simply planted the fake login page on someone else's server.
This is how a credential-stealing phishing scam works: a convincing email, a link to a look-alike login page on a compromised site, and a redirect to the genuine site afterwards so the victim suspects nothing. Had I given the attacker my real login credentials, they would be able to take over my website, too.
A new attack discovered by Abnormal Security aims to steal account credentials from people who use the online document signing platform. Follow the link to read the full story on TechRepublic.
An Update to the Good Old Nigerian Prince Scam
This phish does not have much in the way of tricks; it is just a straight-up advance-fee scam.
How Bad Guys Deceive High-Rank Executives to Give Them Access to Your Office 365 accounts: PerSwaysion
Researchers at Group-IB have discovered a sophisticated spearphishing campaign that’s targeted executives at more than 150 companies around the world since mid-2019. The researchers have named the campaign “PerSwaysion” because the attackers abused the Microsoft Sway presentation program. The attackers seem particularly adept at using social engineering against multiple employees as part of the same attack.
From Sophos Naked Security Blog.
Incoming Package Notification!
This it to notify you that you have an incoming shipment registered in your email [REDACTED]. Please follow the URL below to track your shipment.
And that’s all there is to the email.
OK, so the exclamation point after the word “Notification” probably wouldn’t be there in a genuine notification – it’s a notification, after all, not a warning or an alert.
More importantly, however, hovering over the link wouldn’t show you a website name you’ve never heard of (this scam used a hacked webserver belonging to a construction company in Bahrain, as it happens).
If you click through just to see what this is all about, you’ll see a similarly simple web page:
As unexceptionable and as unscammy as the page itself looks, the address bar is a fortunate giveaway that this is a scam.
The URL (which we’ve masked out here) wasn’t on a lookalike or soundalike domain name, so it looked completely different to any website you might expect for a DHL server.
Also, there’s no padlock, because the URL started with http:// (insecure) rather than https:// (session encrypted).
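The manual checks walked through in the hosting-account phish and the DHL notification above (where does the link really go, does that host belong to the brand named in the email, is it even https) can be scripted. The following is an added example, not code from this site or from Sophos; the email, the hostnames and the list of expected brand domains are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the "Incoming Package Notification!" phish above.
# The hostnames are placeholders, not the real addresses from the original emails.
SAMPLE_EMAIL = """\
From: DHL Express <notify@courier-alerts.example>
To: victim@example.com
Subject: Incoming Package Notification!
Content-Type: text/html; charset=utf-8

<p>You have an incoming shipment registered in your email.
Please follow the URL below to track your shipment.</p>
<a href="http://hacked-builder.example/dhl/track.php?id=42">https://www.dhl.com/track</a>
"""

# Domains the brand named in the email would really use (an assumption for this demo).
EXPECTED_DOMAINS = {"dhl.com"}

HREF_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def belongs_to(host, domains):
    """True if host is one of `domains` or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def check_links(raw_email, expected_domains):
    """Replicate the hover-and-look checks: sender domain, real link target,
    brand mismatch, plain http, and link text that shows a different host."""
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    findings = []
    if not belongs_to(sender_domain, expected_domains):
        findings.append(f"sender domain {sender_domain} is not an expected brand domain")
    for href, text in HREF_RE.findall(body):
        target = urlparse(href)
        host = (target.hostname or "").lower()
        if target.scheme.lower() != "https":
            findings.append(f"link to {host} uses {target.scheme}:// (no padlock)")
        if not belongs_to(host, expected_domains):
            findings.append(f"link goes to {host}, not an expected brand domain")
        shown = urlparse(text.strip())  # what the link text claims, if it looks like a URL
        if shown.hostname and shown.hostname.lower() != host:
            findings.append(f"link text shows {shown.hostname} but points at {host}")
    return findings

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL, EXPECTED_DOMAINS):
        print("WARNING:", finding)
```

Running it against the constructed message produces four warnings; the same message with a real sender and an https link on the brand's own domain produces none.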