Something Phishy is going on

6 min read

I remember my first time encountering snow like it was yesterday. During that fall season, I had put on every warm thing I had: down jackets, scarves, beanies, you name it, I had it on. Never mind the "you're not from around here" attire I had on most of the fall season; what bothered me the most was that people around me still had t-shirts and shorts on. When winter finally came around, the only adequate word to summarize my experience that winter was...traumatic!

Sometime during that winter, I had seen enough. I needed to commute around town frequently and I decided to use everything I had to get a car. I downloaded multiple apps on my phone that sold used cars within the city and around neighboring cities.

After a few weeks, I had narrowed down the perfect car for me at the price range that I thought was fair, and I had been in communication with the owner. Finally, things were looking up and winter was about to get a whole lot better. After a bit of back and forth, we agreed on a price; he wanted it paid in gift cards and was going to drop off the car the next day.

I took a ride-sharing app down to the nearest store, excited that I would finally get a car. The lady at the checkout thought it was strange that I needed so many gift cards; with so much excitement, I told her that I was going to buy a car. She took my details and gave me my cards with all the skepticism she could muster. On my way out the door, I saw a neighbor of mine and after a few pleasantries I mentioned that I had come to get some cards for a used car I was about to purchase (I had mentioned to him earlier that I was in the market for a used car).

He told me to be careful, that it might be a scam. I disregarded the statement because I was desperate to get a car. I thanked him and went on my way. On my way home, I thought about the interactions I had just had at the store, and genuinely thought to myself, why is everyone being weird?

I got home and got an email from the owner of the car; he wanted to drop off the car earlier, but needed the numbers on the cards so that he could deliver the car that evening. That worked for me, I just wanted the whole thing to be done with. I typed in the details of the cards and did a quick scan of the email to make sure that all the details were correct before sending. Suddenly, the room grew smaller as I noticed strange characters in the sender's address I had been communicating with. The lady at the till and my neighbor were right all along; I was the one being weird the whole time.

Here I was sitting in my room, laptop on the table, gift cards next to me, staring out the window as snowflakes gracefully made their way down to the ground, with drops of water trickling down the window (it might also have been tears), and all that could come out of my mouth was ...merde - and I don't speak French.

Today, I would be a bit more patient and take heed of advice :)

Phishing and spam emails are things we all experience daily, and we should be aware of such attacks used by malicious actors. According to the Verizon Data Breach Investigations Report (DBIR) 2024, the median time it takes an individual to fall for a phishing email (phishing being the act of deceiving someone into revealing sensitive information or installing malicious software on a system) is less than 60 seconds. These emails are usually paired with some sort of psychological manipulation (social engineering) in an attempt to entice the user to click.

Below is an email that was sent to me which at first glance seemed benign, but upon closer inspection had the telltale signs of a malicious mail.

Let's take a closer look at the image below.

  • Box 1: The email sender noreply@edp.pt seems suspicious: it should have an Amazon domain name, not edp.

  • Box 2, 3 and 4: Whenever I place my mouse over the links in the email, a strange link appears at the bottom of the screen. The goal of such links is either to redirect you to a malicious website or to download malware onto your system. Some adversaries also use onMouseOver links (that is, if you move your mouse over a link, it redirects you without you having to click on it). See image below.
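The hover check above can be done programmatically over the HTML body of a suspect message. The following is an added example, not code from the original post: it flags links whose destination does not belong to the claimed sender's domain, whose visible text shows one site while the href goes to another, and links carrying an onmouseover handler. The sample body, the example.net host and the claimed domain are constructed assumptions.

```python
# Added example (not from the original post): automate the "hover over the
# link" check on an HTML email body. Sample body and hostnames are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

def registered_domain(host):
    """Crude last-two-labels domain: 'www.amazon.com' -> 'amazon.com'."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]

class LinkCollector(HTMLParser):
    """Collect href, onmouseover attribute and visible text of every <a>."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._cur = {"href": a.get("href", ""), "mouse": a.get("onmouseover"), "text": ""}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None

def suspicious_links(html, claimed_domain):
    """Return (href, reason) pairs for every red flag found in the body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        host = urlparse(link["href"]).hostname or ""
        if link["mouse"]:
            findings.append((link["href"], "onmouseover handler redirects without a click"))
        if registered_domain(host) != claimed_domain:
            findings.append((link["href"], f"points to {host}, not {claimed_domain}"))
        shown = urlparse(link["text"].strip()).hostname
        if shown and registered_domain(shown) != registered_domain(host):
            findings.append((link["href"], f"text shows {shown} but href goes to {host}"))
    return findings

# Constructed HTML body imitating the "Amazon" mail in the post (not the real one).
SAMPLE_BODY = """<p>Your order is on hold.</p>
<a href="http://login-verify.example.net/amz">Sign in to Amazon</a>
<a href="http://login-verify.example.net/t" onmouseover="window.location=this.href">https://www.amazon.com/track</a>
<a href="https://www.amazon.com/help">Help</a>"""
```

Running suspicious_links(SAMPLE_BODY, "amazon.com") reports four findings, all on the two example.net links, and nothing on the genuine Help link.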

The example above should help us identify the easy giveaways that attackers leave behind in a phishing campaign. The next few paragraphs might be a bit more technical, but I will try to explain them as best as I can for anyone trying to follow along.

To investigate the email further, I would inspect the header of the email. Every email has a header which holds information about the email's transit. To access the header of an email in:

Google: Open the email message in Gmail, then select the More menu to display additional options. Select Show original from the menu.

Microsoft Outlook (Hotmail): Open the email, click on the three dots in the upper right corner of the email, click View, then select View message source.

I will then copy and paste the header information into a website that analyzes headers. I will use https://toolbox.googleapps.com/apps/messageheader/analyzeheader to analyze my headers. Some key terms I will use going forward are:

DKIM - DomainKeys Identified Mail: A cryptographic signature added by the sending mail server and verified by the receiver against a public key published in the signing domain's DNS. A DKIM pass shows that the signed headers and body were not altered in transit; it does not by itself prove that the domain shown in the From header sent the message, only that the signing domain did.

DMARC - Domain-based Message Authentication, Reporting and Conformance: DMARC gives email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing or phishing. It builds on SPF and DKIM and additionally requires that the domain in the From header align with the domain those checks authenticated.

Return-Path: The designated email address to which bounced emails and other delivery feedback are sent. This way, the sender is kept informed of email delivery errors and the reasons behind them.

From the image above, we see that the email hasn't been altered, but I need a second opinion just to be sure. I will use another website to analyze the contents of the email header: https://mxtoolbox.com/EmailHeaders.aspx. The DMARC check failed on MxToolbox, which tells me that the email address might have been spoofed.

Next, I will check the Return-Path of the email against the blacklists on MxToolbox. It was listed twice across 86 known blacklists. I also resolved the IP address to a website called boveran, which has been flagged by a security vendor on VirusTotal as a phishing website.

The link that popped up at the bottom of our email earlier was also flagged by VirusTotal as a phishing website.

The next values I would look into are X-Sender-IP and X-SID-PRA. X-Sender-IP tells me the IP address of the machine the sender was using at the time the email was sent (again, this could be spoofed). So, the email noreply@edp.pt resolves to the IP 23.94.5.184.

A quick look at the WHOIS record takes us to a website that cannot be reached.
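The header checks walked through above (From versus Return-Path, the SPF/DKIM/DMARC verdicts, X-Sender-IP) can be pulled out of a raw header block without a web tool. The following is an added example, not code from the original post or from the analyzer sites it uses; the header block is constructed to mirror the post's findings, and the example.net Return-Path domain and DKIM signer are placeholders, not values from the post.

```python
# Added example (not from the original post): triage a raw email header block
# the way the post does by hand. The sample headers below are constructed.
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(addr):
    """'Name <user@sub.example.com>' -> 'example.com' (last two labels)."""
    _, address = parseaddr(addr or "")
    host = address.rsplit("@", 1)[-1].lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def auth_results(msg):
    """Map spf/dkim/dmarc -> verdict from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[mech.lower()] = verdict.lower()
    return results

def triage(raw_headers, expected_domain):
    """Return the parsed fields plus a list of human-readable red flags."""
    msg = message_from_string(raw_headers)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    auth = auth_results(msg)
    flags = []
    if from_dom != expected_domain:
        flags.append(f"From domain {from_dom} is not {expected_domain}")
    if rp_dom and rp_dom != from_dom:
        flags.append(f"Return-Path domain {rp_dom} does not align with From {from_dom}")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "none") != "pass":
            flags.append(f"{mech.upper()} result: {auth.get(mech, 'missing')}")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "auth": auth, "sender_ip": msg.get("X-Sender-IP"), "flags": flags}

# Constructed header block mirroring the post's findings (DKIM passes, DMARC
# fails, sender claims Amazon from edp.pt). example.net values are placeholders.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net;
 dkim=pass header.d=mailer.example.net; dmarc=fail header.from=edp.pt
X-Sender-IP: 23.94.5.184
From: "Amazon" <noreply@edp.pt>
Subject: Your order is on hold

"""
```

triage(SAMPLE_HEADERS, "amazon.com") returns four flags (wrong From domain, misaligned Return-Path, SPF fail, DMARC fail) while DKIM passes, which is exactly the "not altered, yet spoofed" picture the two analyzers gave above.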

For the sake of brevity, I will end here. I have all I need to show that this email is malicious. Some remediations (not exhaustive) that I would suggest are to remove the phishing IPs and their domains from the host machine, blacklist the malicious sender address, and consider using intrusion detection/prevention systems.

Thank you for stopping by, and look out for phishing emails as you build your cyber.