Sunday 19 December 2010

New and Aggressive “Settings File” Phishing Campaign


Over the last few days we’ve noticed a substantial and high-volume new Phishing attack that is tricking many users into providing their confidential email account login information to spammers at an alarming rate.

What is unique about this new Phishing scam is that it uses enough personalization and randomization to confuse the recipient into believing it might be a legitimate message from the user’s own email administrator.

For example:

[Screenshot: Settings File Phishing example message]

While the screenshot above shows such a message sent to our OnlyMyEmail.com domain, it’s important to note that the user’s address and domain are unique to each email sent in this new Phishing campaign.

So far, the Subject lines for the campaign are all consistent in that they contain a reference to the recipient’s own email address, and also some mention of a “Settings file” or “Mailbox” or “Email Account” – common examples include:

  • For the owner of the user@canale.com e-mail account
  • A new settings file for the user@onlymyemail.com mailbox
  • A new settings file for the user@canale.com has just been released
  • The settings for the user@the-competitive-edge.com were changed

Sending addresses are spoofed to look like they are coming from the recipient’s own domain, typically using one of the following variations:

  • no-reply@
  • operator@
  • automailer@
  • support@
  • info@
  • system@

In reality these emails are sent by existing infected zombie PCs scattered throughout the globe.

Additional randomization intended to confuse spam filtering systems is attempted by appending a bogus “Message ID” to the end of each email; the spammer goes so far as to randomize not only the “ID” value but also its formatting, varying the separators and the lengths. Examples include:

  • Message_ID#6LU5C6V2ZQKVSIJFU7VG6M
  • Message-ID#KX2NTY1RKHUFF39NS1
  • Message ID#3EQT00S01ZVMF
  • Message ID#RAMU9HVLG38FX1FGOFFN9810QV

So far, the only consistent part of the phishing email is the main body, though that also will include a customized reference to the recipient’s own email address:

We are informing you that because of the security upgrade of the mailing service your mailbox (user@onlymyemail.com) settings were changed. In order to apply the new set of settings click on the following link:

The link provided also includes the user’s domain and address, a finishing touch that sells the fraud:

http://onlymyemail.com/owa/service_directory/settings.php?email=user@onlymyemail.com&from=onlymyemail.com&fromname=user

Despite what is displayed, the actual link does not point to the recipient’s domain shown in the email, but to a server controlled by the fraud artist.
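The indicators described above (a subject naming the recipient’s own address plus a “settings file”/“mailbox” keyword, a role-account sender spoofed on the recipient’s own domain, the randomized “Message ID#” trailer, and a link whose visible text shows the victim’s domain while the href goes elsewhere) can be turned into a simple mail-filter heuristic. The following is an added example written for this post, not OnlyMyEmail’s or MX-Defender’s own rule set; the sample messages, the `example.com` victim domain and the `phish.invalid` landing host are constructed placeholders, and the indicator names and scoring threshold are assumptions.

```python
"""Heuristic detector for the "settings file" phishing pattern.

Added example: checks a raw RFC 822 message for the campaign traits
described in the post. Sample messages and hostnames are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Spoofed role-account local parts the campaign uses (from the post)
SPOOFED_LOCALPARTS = {"no-reply", "operator", "automailer", "support", "info", "system"}
# Subject keywords seen in the campaign (case-insensitive)
SUBJECT_KEYWORDS = ("settings file", "mailbox", "e-mail account", "email account", "settings for")
# Bogus trailer: "Message ID#", "Message-ID#" or "Message_ID#" followed by an
# alphanumeric run of varying length
MESSAGE_ID_TRAILER = re.compile(r"Message[ _-]ID#[A-Z0-9]{8,40}\b")
# Minimal HTML anchor matcher: href attribute and visible text
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr):
    """Lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def analyze(raw_message):
    """Return the list of campaign indicators found in one raw message, in check order."""
    msg = message_from_string(raw_message, policy=policy.default)
    rcpt = parseaddr(msg["To"] or "")[1]
    sender = parseaddr(msg["From"] or "")[1]
    subject = (msg["Subject"] or "").lower()
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    hits = []

    # 1. Subject names the recipient's own address and a settings/mailbox keyword
    if rcpt and rcpt.lower() in subject and any(k in subject for k in SUBJECT_KEYWORDS):
        hits.append("subject_personalized_settings")

    # 2. Sender is a generic role address spoofed on the recipient's own domain
    local, _, dom = sender.partition("@")
    if local.lower() in SPOOFED_LOCALPARTS and dom.lower() == _domain(rcpt):
        hits.append("from_spoofs_own_domain")

    # 3. Randomized "Message ID#..." token appended to the body
    if MESSAGE_ID_TRAILER.search(body):
        hits.append("random_message_id_trailer")

    # 4. Visible link text shows the recipient's domain but the href host differs
    for href, text in ANCHOR.findall(body):
        shown = urlparse(text.strip()).hostname or ""
        actual = urlparse(href).hostname or ""
        if shown and shown.endswith(_domain(rcpt)) and actual and actual != shown:
            hits.append("link_target_mismatch")
            break
    return hits


def is_settings_file_phish(raw_message, threshold=2):
    """Flag the message when at least `threshold` indicators fire (threshold is an assumption)."""
    return len(analyze(raw_message)) >= threshold


# Constructed sample modelled on the campaign; phish.invalid is a placeholder host
SAMPLE = """\
From: support@example.com
To: user@example.com
Subject: A new settings file for the user@example.com mailbox
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0

<p>We are informing you that because of the security upgrade of the mailing
service your mailbox (user@example.com) settings were changed. In order to
apply the new set of settings click on the following link:</p>
<p><a href="http://phish.invalid/owa/settings.php?email=user@example.com">http://example.com/owa/service_directory/settings.php?email=user@example.com</a></p>
<p>Message_ID#6LU5C6V2ZQKVSIJFU7VG6M</p>
"""

# Constructed legitimate notice: same domain in link text and href, no trailer
LEGIT = """\
From: helpdesk@example.com
To: user@example.com
Subject: Scheduled maintenance this weekend
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0

<p>Mail will be unavailable Saturday 02:00-03:00 UTC. Details:
<a href="https://example.com/status">https://example.com/status</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("LEGIT", LEGIT)):
        print(name, analyze(raw), "phish" if is_settings_file_phish(raw) else "clean")
```

The fourth check is the one worth keeping even after the campaign’s wording changes: a visible URL on the recipient’s own domain whose href resolves to a different host is a strong signal on its own. The other three are campaign-specific and should be expected to drift.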

We are currently seeing a high volume of these fraud emails to all of the domains that we protect at the MX level through our Corporate MX-Defender anti-spam system, to our own domain, and also to bogus honeypot domains we maintain which have no legitimate users. Combined, this profile indicates a very high rate and breadth of distribution.

We are also monitoring a substantial number of end users who “Resend” these emails, releasing them from spam quarantine folders, even when they are specifically designated as Spam and/or Fraudulent messages.
