Friday Phish Fry

Phishing Email Alerts

Catch of the Day:  Fake IT Support Phish

Chef’s Special:  Inactive Email Account Phish

Examples of clever phish that made it past my spam filters and into my Inbox, or from clients, or reliable sources on the Internet.

I would be delighted to accept suspicious phishing examples from you.  Please forward your email to phish@wyzguys.com.

My intention is to provide a warning, examples of current phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your own inbox.


FTC Alert: Smishing Schemes Ramping up as Contact Tracing Rolls Out

Praised by public health officials, contact tracing is rolling out as areas reopen. And according to the U.S. Federal Trade Commission, it’s also the latest opportunity for cybercriminals. The FTC warns that a contract tracing smishing scheme is ramping up at the same time contact tracing is expanding. This format is particularly useful to scammers, as text messages are a component to legitimate contact

According to the FTC, you can spot a fake contact tracing message because it contains a link. Here is one example the agency shared. See the message below.

“Someone who came in contact with you tested positive or has shown symptoms for COVID-19,” the message reads. That part alone may be similar to the message you receive.

However, if your message contains a link, do not click it.

In this case, clicking the link will take you to a page where you are asked for personal information that cybercriminals want to capture.

The FTC says legitimate contact tracing messages should not contain a link.Read more


Phishing Attacks Are Becoming More Evolved – How to Eradicate Them

[Web Conference] Thursday, June 11 — 1:00 p.m. EDT / 10:00 a.m. PDT

Every day, we’re getting deceptive communications—and it’s only getting worse. 68% of phishing emails blocked by Gmail every day are new variations that have never been seen before and last only 12 minutes. By focusing your defenses on approaches that don’t rely on historical data, outdated technology, or internal training, you can protect your… Register here


Fake IT Support Phish

This is a typical IT support phishing email.  The email domain of the sender does not match the email domain of the target, which is the first clue.  This would not be unusual at a company that uses third party IT support.  A better phish might  craft the logo and trade dress to match those of the IT support vendor.

The “Confirm Now” button link resolves https://perfect-beautiful<dot>com/wp-content/plugins/ubh/q/?email=bob@wyzguys.com, which appears to be another unfortunately hijacked WordPress site.  A quick trip to the site in our Linux virtual machine reveals this landing page.

This looks suspicious because it is in Japanese.  The text translates to:  The page you are looking for could not be found. Search for articles from the categories below or search by keyword. So this exploit is incomplete or broken, or has already been detected and the landing page cleared.

The home page of this site follows, and reveals this to be a brand new WordPress site, or at least an unmodified default installation.  The “Hello World” post is the clue.  Brand new WordPress site with default credentials are often identified and hijacked in the first 20 minutes of their life.


IONOS Email Account Inactive Phish

I received this one on Tuesday.  It has the usual indications of a phish, but check the signature block at the bottom for Robert Howard, City of Birmingham Symphony Orchestra.  It is possible that we have a hijacked email account being used to send this fake support phish.  Investigation of the email header seems to indicate this is from a hijacked Outlook.com account.

The “Confirm your account is active” link resolves to https://gecsolution<DOT>com/DBNM/WYH/source/?email=support@wyzmail<DOT>com.  The landing page is below.  It looks like an authebtic IONOS email login screen, complete with a cookie disclaimer.  Very nice, but still fake.  An attempt at “logging in” produced am error message.  This is another email credential stealing exploit.

And here is the home page of the web development company whose website was hijacked to host the landing page.


Microsoft Warns To Look Out For This Massive Covid-19 Excel Phishing Attack

From KnowBe4:  Microsoft this week warned about a massive phishing attack that started on May 12. The campaign sends emails that look like they are from the “Johns Hopkins Center”, and they have an Excel attachment that claims to be US deaths caused by the Coronavirus.

If your user opens that infected “Excel doc”, the file downloads a macro and runs the NetSupport Manager Remote Admin Tool. This is actually a legit remote support product, but it can also be used for criminal purposes, specifically to download malware on a targeted device. When installed, it allows the bad guys to gain complete control over the infected machine and execute commands on it remotely.  Read more…


Coronavirus-themed phishing templates used to capture personal information

Spoofing government and health organizations, these templates help attackers create and customize their own phishing pages to exploit the COVID-19 pandemic, says Proofpoint.  Read more…

Examples below:

 


 

0

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.