Phishing
Here’s a real-world example of a slightly-harder-to-spot-than-normal phishing attempt and two levels of how you might spot the red flags
We know with all the obfuscation it looks a bit like a response from the NSA to a FOI request, but we're trying to protect the innocent 🤣
Level 1 - Normal user/Recipient
1. This is a genuine company (USA) and its website indicates it is aligned with the products offered by the recipient company. For the sake of this exercise let’s call it Widget Engineering and its website is widget-eng[.]com. All good so far, but now the red flags start to appear
2 🚩The email is actually from “widgetengineeringltd[.]com”. 🚩RF1: while an email not lining up with a domain is entirely possible, it’s very unusual. 🚩RF2: ltd (limited) at the end? Limited isn’t a company structure in the US, as far as we know it’s only UK/Ireland where that’s applicable (AFAIK 🤣). We're sure there are many more but the US “company” structures we're familiar with are LP, LLP, LLC
That’s where the carpet doesn’t match the curtains, but there’s more. Come Dr Watson, let us proceed with our investigation!
3 🚩These supposed items of interest are most definitely supplied by the recipient company, but they are just about EVERYTHING they supply. Bit unusual for an established company with, one would presume, established supply chains to express such a broad interest in products from a new supplier?
4 🚩Hmmm, not quite perfect English. Maybe just an error or are all these little points starting to add up now?
The above should be concerning enough to just ignore/delete this email, but there’s more!
Level 2 - Advanced User/Security Person
1 - The domain in the email footer is valid and was registered in 1998 from the US 👍👍 and has a website.
2 - 🚩 The domain that the email is from was registered in Nov 2022 👎👎 from Iceland. Nothing against you Iceland, but companies tend to register domains in the same country via their hosting provider
3 - 🚩 The domain that the email relates to has no website.
4 - The domain in the email footer has correctly-formatted and valid SPF and Dmarc (DNS) records.
5 - 🚩 The domain that the email is from has neither.
So what’s the end game here? Honestly, we have no idea! 🤣🤣 but here are two possibilities (more possibilities are, probably, available):
A bit like an Advanced Fee scam but an Advance Goods scam (also known as a Nett-30 or Nett-60 scam), where the actor tries to gain credit terms, gets the goods, and disappears.
Open a line of communication (get the recipient to drop their guard) and then send a nice Request For Quotation (RFQ) Word document that contains malware.
Stay Alert!!
Comments