Fake e-mail scanner
Quote:

A detailed look at a phishing site masquerading as an e-mail scanner and its attempts to snag victims.

In recent years, news about e-mail-based infections of corporate networks has been fairly regular (and generally connected with ransomware).

So, it’s no surprise that scammers periodically use the topic to try to extract credentials for corporate mail accounts by persuading company employees to run a scan of their mailbox.

The ploy is aimed at people who know about the potential threat of malware in e-mail but have insufficient understanding of how to deal with it. Infosec personnel would do well to explain the tricks to employees and use such examples to illustrate what employees should look for to avoid falling victim to cybercriminals.

Phishing e-mail

This scam message employs the time-honored trick of victim intimidation. You can see it right in the header, which reads “Virus Alert” followed by three exclamation points. However trifling punctuation may seem, it’s the first thing that should tip off the recipient that something may be wrong. Unnecessary punctuation in a work e-mail is a sign of drama or unprofessionalism. Either way, it’s inappropriate in a notification supposedly intended to convey information about a threat.

The number one question the recipient should ask is: Who sent the message? The e-mail states that failure to act will result in the recipient’s account being blocked. It might be logical to assume that it was sent either by the IT service that supports the corporate mail server, or by employees of the mail service provider.

But it’s important to understand that no provider or internal service would require user action to scan the contents of the mailbox. Scanning takes place automatically on the mail server. Besides, “virus activity” rarely occurs inside an account. Even if someone did send a virus, the recipient would have to download and run it. Infection happens on the computer, not in the mail account.

Coming back to that first question, a look at the sender raises two immediate red flags. First, the e-mail was sent from a Hotmail account, whereas a legitimate notification would display the domain of the company or provider. Second, the message is said to come from the “Email Security Team.” If the recipient’s company uses a third-party mail service provider, its name is bound to appear in the signature. And if the mail server is in the corporate infrastructure, the notification will come from in-house IT or the infosec service — and the chances of an entire team being responsible solely for e-mail security are minimal.

Next is the link. Most modern e-mail clients show the URL hidden behind the hyperlink. If the recipient is urged to click through to an e-mail scanner hosted on a domain that belongs to neither your company nor the mail provider, it is almost certainly phishing.
...
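Added example (not part of the quoted article or of the original post): a small triage check that applies the three red flags the article walks through, namely dramatic subject punctuation, a sender domain that is not the company's or the provider's, and a link whose real target is on an unrelated domain. The trusted-domain list, the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the organisation and its mail provider really use.
TRUSTED_DOMAINS = {"example.com", "mailprovider.example"}

# Constructed sample modelled on the message the article describes.
SAMPLE_PHISH = """\
From: "Email Security Team" <security-alerts@hotmail.com>
Subject: Virus Alert!!!
Content-Type: text/html; charset="utf-8"

<p>Your account will be blocked.
<a href="https://mail-scanner.invalid/scan">Scan mailbox</a>
<a href="https://intranet.example.com/help">IT help</a></p>
"""

class LinkCollector(HTMLParser):
    # Collects real href targets, which the visible link text can hide.
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def is_trusted(host):
    # Exact match or true subdomain only, so "example.com.evil.invalid" fails.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def review_message(raw):
    """Return the article's red flags found in one raw RFC 5322 message."""
    msg, findings = message_from_string(raw), []
    if re.search(r"[!?]{2,}", msg.get("Subject", "")):
        findings.append("subject-punctuation")
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not is_trusted(sender_domain):
        findings.append("sender-domain:" + sender_domain)
    links = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            links.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    for host in (urlsplit(h).hostname for h in links.hrefs):
        if host and not is_trusted(host):
            findings.append("link-domain:" + host)
    return findings
```

The From header is trivially forgeable, so a trusted sender domain here only means the message passed this one check; the link-target check still applies to such mail.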

