Phishing Email Alerts
Catch of the Day: Bitcoin Phish
Chef’s Special: Password Expiration Phish
Examples of clever phish that made it past my spam filters and into my Inbox, or that came from clients or from reliable sources on the Internet.
I would be delighted to accept suspicious phishing examples from you. Please forward your email to email@example.com.
My intention is to provide a warning, examples of current phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your own inbox. If the pictures are too small or extend off the page, double-clicking on them will open them up in a photo viewer app.
Is this a phish or just good old SPAM?
The email came from The Loughton Surgery's email account, which evidently was hijacked. The offer appears to be about some sort of Bitcoin trading system.
The link https://telegra.ph/Autopilot-Bitcoin-Systems-11-05?pej resolves to a webpage with a video. Unfortunately, the audio was not working.
The second link resolved to https://mega.nz/file/ZkNVka4L#4XdsboNBedVGYcz6b4DX77hyGQW2qUO5n3dYqjWjRuw and was identified as dangerous by Firefox.
This looks like a bit of everything. A marketing scam (SPAM) involving “making money with Bitcoin”, plus potentially malicious downloads that alter your web browser and change its search settings, probably designed to earn the attacker pay-per-click or traffic-based revenue.
With inflation on the rise, there is a lot of interest in cryptocurrencies as a hedge against inflation with the possibility of huge growth earnings as well. Exploits like these are designed to trick the inexperienced speculator, and separate you from your cash. Best idea is to steer clear.
Held Email Phish
I saw something similar a week or two ago. This exploit had come apart after less than two hours. I received the email at 4:07 am and by the time I opened it at 6:10 am, the link no longer worked. The Click Here link resolved to https://email-lonos–firstname.lastname@example.org&TZOvtRtOUtSPATGRFHNmMkUEd5s7B1DI2YV4AULw5btBwB6GTTJiJIQ2oSULXfZ7eq4XUCXnfw9ePpp and was redirected to https://galaxywater.com.vn/activation-lonos/pki-validation/lonos/
Galaxywater is a Vietnamese website that was evidently hijacked to host the landing pages, but all I got was a 404 not found error. IONOS is misspelled with an L replacing the I. The mind sees what it expects to see, not always what is really there.
Here is the email.
Here is the hijacked website’s home page.
IONOS Password Expiration Phish
This one was actually caught in my Spamdrain email filter, but I dug it out for analysis because the format is one I hadn’t seen before. There are three links that resolve to two different web addresses.
The To Webmail button resolved to https://email@example.com and was redirected first to https://firstname.lastname@example.org and redirected a second time to https://saskfari.com/www/d/webmail/?client_id=Aio3OUfcBSPtMrZNglX72s&redirect_uri=https%3A%2F%2Fwww.wyzguys.com%2F&protectedtoken=false&id=&Country=&x=Ym9iQHd5emd1eXMuY29t
The IONOS link and the Further information link resolved to https://msater.app.link/W8hoWc6gJkbemail@example.com
Here’s the phish. Nicely done, a good quality replication of what could be a legitimate email.
The landing page of the button link had a remarkably personalized login screen with my picture on it! Nice touch! Who can you trust? How about yourself!
The second link was no longer functional and the URL was flagged by Firefox as dangerous.
Of course I clicked through to see what was there, and found a 404 Not Found page of the web service company Branch.io.
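Two tells from these two phish can be checked automatically before anyone clicks: the “lonos” spelling of IONOS in the first link, and the `x=` query value on the webmail button, which is plain base64 of an e-mail address (the usual way a kit pre-fills and personalizes its fake login page). The Python below is an added example, not code from the original post; the brand list, the confusable-character mapping and the sample URLs are constructed assumptions modelled on the link shapes above.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Brands worth protecting; assumed list, IONOS is the one spoofed as "lonos" above.
PROTECTED_BRANDS = {"ionos"}
# Decoded query values matching this are treated as pre-filled victim addresses.
EMAIL_RE = re.compile(rb"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")

# Constructed sample URLs shaped like the two phish above (not the real ones).
SAMPLE_URLS = [
    "https://galaxywater.example/activation-lonos/pki-validation/lonos/",
    "https://saskfari.example/www/d/webmail/?client_id=Aio3OUfc"
    "&redirect_uri=https%3A%2F%2Fwww.example.com%2F&x=dmljdGltQGV4YW1wbGUuY29t",
    "https://www.ionos.com/help/",  # genuine spelling, must not be flagged
]

def fold_confusables(text: str) -> str:
    """Map characters to the letter the eye reads them as (lowercase l -> I, etc.)."""
    text = text.lower().replace("rn", "m").replace("vv", "w")
    return text.translate(str.maketrans("l1|05", "iioos"))

def lookalike_brands(url: str) -> list[str]:
    """Brands that appear in host or path only after folding; 'ionos.com' is not reported."""
    parts = urlsplit(url)
    text = (parts.hostname or "") + parts.path
    folded = fold_confusables(text)
    return sorted(b for b in PROTECTED_BRANDS if b not in text.lower() and b in folded)

def encoded_email_params(url: str) -> dict[str, str]:
    """Query parameters whose value base64-decodes to an e-mail address.
    Phish kits pass the target this way to pre-fill and personalize the login page."""
    found = {}
    for key, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            padded = value + "=" * (-len(value) % 4)  # kits often drop the '=' padding
            try:
                decoded = base64.b64decode(padded, validate=True)
            except ValueError:  # not base64 (binascii.Error is a ValueError)
                continue
            if EMAIL_RE.match(decoded):
                found[key] = decoded.decode("ascii")
    return found

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, "->", lookalike_brands(sample), encoded_email_params(sample))
```

Run it over every URL extracted from a suspicious message; a hit on either check is reason enough to treat the mail as a phish even when the landing page has already been taken down.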
Have you ever had an angry customer bellow the dreaded words, “Just you wait, I’m going to report you to your manager”, or something along those lines?
We’re willing to bet that you have, and word on the street in the UK is that customer complaints, supposedly intensified by coronavirus-related frustrations, are at worryingly high levels right now.
And when someone does say, “I’m going to escalate this”, which is a confrontational, war-like expression at the best of times, it immediately becomes an uncertain, and often unpleasant, waiting game.
Will the blustery behaviour of ranting at you over the phone (or via IM, or on the support forum, or in a webchat session) provide the cathartic release the customer wanted, and bring their frustration to an end?
Or will you wake up tomorrow to a flurry of emails from your manager, or from HR, or from both, telling you about a formal complaint that’s just come in?
Well, over the past 24 hours, we, and many of our colleagues, have been on the receiving end of an email scam that preys on exactly these fears. More…