Green Fish Being Baited By a Phishing Scam

Since we’re nearing the end of the year, I thought it’d be a good idea to remind the world to change their passwords.

I also want to provide some tips on phishing attack prevention. Beyond having a good inbound email filter and a good web browsing filter, it’s good for users to be educated on how to tell a phishing email from a real one.

First rule to remember: DON’T JUST CLICK ON THINGS! DON’T CLICK ON IT! DON’T CLICK ON IT! DO NOT CLICK!

Now repeat what I say: DON’T CLICK ON IT!

Here is an item that got through my email filter and popped into my inbox recently:

I use Thunderbird for my email client, and to be fair, it did recognize it was junk:

So that was the first clue. The second clue was the message header which, upon a closer look, didn’t really look like it was from FedEx:

Note that the creator of this message could have done a better job here forging the From address. The “From” address can be forged very easily, so it’s always a good idea to check the “Return-Path” of a message, which is more difficult – but not impossible – to forge. The way you do this is by looking at the original message source content. This is done in different ways depending on the mail client. With Thunderbird, you use CTRL-U (or, on a Mac, COMMAND-U).

Once you bring up the message source, check the “Return-Path”. In the case of this message, it was:

Return-Path: noman@vmi16337.localdomain

This looks phishy too. “vmi16337.localdomain” is obviously not a real domain.

The next thing to do is to check for links in the mail. In this case there was one which was displayed by Thunderbird like this:

To find where this link points to, you have two options:

  1. Hover over the link with your mouse pointer (IMPORTANT: JUST HOVER, DO NOT CLICK ON IT). As you hover over the link, the link destination will appear on the Thunderbird “Status Bar” at the bottom of the window.
  2. Display the original message source content (again, CTRL-U on Windows/COMMAND-U on Mac), then search for “http”.

Here is the link destination for the “Get Shipment Label” button: http://free-software-drivers.com/css.php?fd=Rjp6K1nyyRfoWWq4/oTi5bJ5bEpUmgOpw9FthKIUkYE= . This link obviously has nothing to do with FedEx, and is very likely a phishing attempt. You can now report this to your IT department or email provider and of course, DO NOT CLICK ON THE LINK.
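As an added example (not from the original post), here is a small Python triage script that applies the same two checks to a raw message source: compare the Return-Path domain with the From domain, then list every link host in the body and flag the ones that don’t belong to the claimed sender. The sample message is constructed for this example; its Return-Path is the one quoted above, while the From address and the link host are placeholders.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample modelled on the message described in the post. The
# Return-Path is the value quoted above; From and the link host are placeholders.
SAMPLE_EMAIL = """\
Return-Path: noman@vmi16337.localdomain
From: FedEx Shipping <tracking@fedex.com>
To: recipient@example.org
Subject: Your shipment label is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your package could not be delivered.</p>
<a href="http://phish-host.invalid/css.php?fd=PLACEHOLDER">Get Shipment Label</a>
</body></html>
"""

def domain_of(addr):
    """Return the lowercase domain of 'Name <user@host>' or 'user@host' ('' if none)."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def triage(raw):
    """Run the two checks from the post: Return-Path vs From, and off-brand link hosts."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    # Same thing as searching the message source for "http", done for every link.
    links = re.findall(r"https?://[^\s\"'<>]+", body)
    link_hosts = sorted({urlparse(u).hostname.lower() for u in links})
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "return_path_mismatch": rp_dom != from_dom,
        "link_hosts": link_hosts,
        # A link whose host is not under the From domain is the "has nothing to
        # do with FedEx" signal described above.
        "offbrand_links": [h for h in link_hosts if not h.endswith(from_dom)],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Paste the output of CTRL-U/COMMAND-U into a file and feed it to `triage()` in place of the sample; a mismatch plus an off-brand link host is exactly what the post tells you to report.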

© Copyright 2020 Rex Consulting, Inc. – All rights reserved