Pretty Good Phishing Email Sample - Stay Alert


rfrazier
Well-known member, joined Sep 30, 2020
Hi All,

Hope you are all well the day after Data Privacy Day, which was Jan 28, 2021.

I have a contact at a big company. They received this phishing email and I thought I'd share a sanitized version with you all. I looked at it and I said, this is pretty good. Fortunately, between the periodic training my contact gets plus me talking about these issues, their screens were up, and they didn't fall for it. They reported it to their security office.

I think we that are security aware tend to get cocky. Well, don't. Read this and honestly think whether you'd be tempted, even for a second, to click it. Even if not, think about someone you know who's more average and ask if they'd be tempted to click it. The email was addressed to my contact BY NAME. The blacked out part had some numbers that may have been unique. The perpetrators obviously had their address. And it got through the firewall. I googled the domain name of the link and it's been floating around the ether. This may have been a test. But, don't fixate on that. Just imagine what you'd think if you or someone you care about read it. Later I may post an annotated version with the red flags highlighted. It's never a bad thing to remember what the enemies are up to. I found some sample phishing emails here:


There are many such pages on the net. DON'T click on any links in any sample messages. On the one I just cited, there is a sample smishing (SMS) text message attack which also might entice people to click.

If you didn't ask for it, as @Steve says, be suspicious. If it threatens you or scares you, be VERY suspicious.

Hope this is helpful. Y'all stay safe out there. See image below.

May your bits be stable and your interfaces be fast. :cool: Ron

Ron

GOOD Phishing Email 2021.01.29.png
Well said, Ron!

Being as security aware as I am, I would never be tempted to click on a link like that. I would, however, be "tempted" to Google the domain part of the URL, which I did. Whoa, Nellie! The Google results make it glaringly obvious that the URL link is bogus! And, yes, there are other red flags in the email too.
What's funny is that at my job, they sent out a security training email that just threw up all the red flags. Because of changes thanks to covid (I might have the timing wrong), all emails sent from outside have an external tag applied. So this email had that tag, and an internal from address, and it was a domain I don't think any of us knew about.

Ironically, it was an email about training us for this type of stuff...

I have seen cases where someone reporting a phishing e-mail causes that email to just disappear from everyone's mailbox, so at some point while I was reading Teams to see if I had just missed a message that this might be legit, the message had just disappeared from my inbox, meaning someone reported it as phishing, and the people on the other side of the email we forward phishing stuff to thought it might be phishing as well and hit whatever magical button they have to mass-delete the email that was sent.
 
I have seen cases where someone reporting a phishing e-mail causes that email to just disappear from everyone's mailbox, so at some point while I was reading Teams to see if I had just missed a message that this might be legit, the message had just disappeared from my inbox, meaning someone reported it as phishing, and the people on the other side of the email we forward phishing stuff to thought it might be phishing as well and hit whatever magical button they have to mass-delete the email that was sent.
In some cases, the security team didn't even click that big blue Phishing button. Some providers use indicators from their customers' mailboxes to remove the messages automatically, if there are enough reports.
As a mail service administrator for a company, among the other hats I wear, we have some control over this behaviour and we can get notifications when such situations occur. But on many occasions, the message is pulled before we have time to take action. Of course, in most cases, this is reversible.
I guess the perpetrators of this email follow the less is more philosophy, so there's not a lot to go on. But, I thought I'd mention the red flags I saw.

1) I didn't post the header, but there was no mention of the company name or any logo. Just donotreply at the same domain name.
2) My contact did not "previously receive notice"
3) My contact did not connect to an unsecured wireless network - the pc is always in the same spot. But, other users might connect when on the road, for example. And, the computer is wired, but I don't know if my contact would think of that.
4) "Access" should have "ed" on it.
5) The link does not point to a company domain name. With all the outsourcing of IT, this is less likely to catch people's attention.
6) It wants your details, quickly.
7) There is an implied threat.
8) There is no company contact info.
9) There's no long company signature with lots of job titles.

None of these are slam dunks. But, if you're watching, there's good reason to pause before clicking.

May your bits be stable and your interfaces be fast. :cool: Ron

Ron
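As an added illustration of the red flags Ron lists above (this is not code from the thread, from GRC, or from any phishing-simulation vendor), here is a small Python scorer that checks a plain-text email against several of them: a do-not-reply sender, link domains that do not belong to the sender's domain, urgency wording, an implied threat, a request for the reader's details, and no contact information anywhere in the body. The phrase lists and both sample messages are my own constructed assumptions, not the message Ron posted, and the thresholds are deliberately naive; a real mail gateway would combine many more signals.

```python
"""Heuristic phishing red-flag scorer (illustrative, not a production filter).

Checks a plain-text RFC 822 message against a subset of the indicators a
reader can spot by eye: sender is a do-not-reply address, links point
outside the sender's domain, urgency, an implied threat, a request for
personal details, and no contact information.  Phrase lists below are
assumptions chosen for this example, not a vetted wordlist.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

URGENCY = ("immediately", "within 24 hours", "as soon as possible", "quickly", "urgent")
THREAT = ("will be suspended", "will be locked", "will be disabled", "legal action")
ASKS_FOR_DETAILS = ("your details", "your password", "verify your account", "confirm your identity")
CONTACT_INFO = ("phone", "tel:", "help desk", "helpdesk", "support@")
NOREPLY_PREFIXES = ("donotreply", "noreply", "no-reply")


def sender_parts(from_header):
    """Return (local_part, domain) of the first address in a From: header, lowercased."""
    m = re.search(r"([\w.+-]+)@([\w.-]+)", from_header)
    return (m.group(1).lower(), m.group(2).lower()) if m else ("", "")


def link_hosts(text):
    """Hostnames of every http(s) URL found in the body text."""
    hosts = set()
    for url in re.findall(r"https?://[^\s<>\"')]+", text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def same_org(host, domain):
    """True if host is the sender's domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def body_text(msg):
    """Concatenate the text/plain parts (or the single-part payload) as a string."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def red_flags(raw_message):
    """Return the sorted list of red-flag names raised for one raw message."""
    msg = message_from_string(raw_message)
    local, domain = sender_parts(msg.get("From", ""))
    body = body_text(msg)
    text = body.lower()
    flags = []
    if any(local.startswith(p) for p in NOREPLY_PREFIXES):
        flags.append("sender-is-noreply")
    if domain and any(not same_org(h, domain) for h in link_hosts(body)):
        flags.append("link-domain-mismatch")
    if any(p in text for p in URGENCY):
        flags.append("urgency")
    if any(p in text for p in THREAT):
        flags.append("implied-threat")
    if any(p in text for p in ASKS_FOR_DETAILS):
        flags.append("asks-for-details")
    if not any(p in text for p in CONTACT_INFO):
        flags.append("no-contact-info")
    return sorted(flags)


# Constructed sample messages (reserved .test domains, invented wording).
SAMPLE_PHISH = "\n".join([
    "From: donotreply@examplecorp-mail.test",
    "To: jane.doe@examplecorp.test",
    "Subject: Action required: unsecured network access",
    "",
    "Jane Doe,",
    "",
    "As previously noticed, your computer accessed an unsecured wireless network.",
    "Confirm your details within 24 hours at http://portal-verify.example.net/login",
    "or your account will be suspended.",
    "",
])

SAMPLE_LEGIT = "\n".join([
    "From: IT Help Desk <it-helpdesk@examplecorp.test>",
    "To: jane.doe@examplecorp.test",
    "Subject: Annual security awareness training is open",
    "",
    "Hi Jane,",
    "",
    "The annual security awareness training is now open at",
    "https://intranet.examplecorp.test/training. Please complete it by the end of the quarter.",
    "",
    "Regards,",
    "IT Help Desk, phone 555-0100",
    "",
])

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, red_flags(raw))
```

Each flag on its own is weak (plenty of legitimate automated mail comes from a do-not-reply address, and outsourced IT means off-domain links are common, as Ron notes), so the useful output is the count and combination rather than any single hit; the constructed phishing sample trips all six, the constructed help-desk sample trips none.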
 
Okay, let's see which of those red flags applies to my Phish training emails (remember, in this case, the IT staff were the people who got the emails at the time):

1) I never got a chance to look at the headers
2) Same
3) I remote in to my work computer (some tools for my job are only there), so I'm not sure if this matters
4) Don't think there were any misspellings
5) Either the page linked had a sign-in button that redirected to our SSO page, or the link would redirect to our SSO. So yes, at least there was something valid about the link, but given the nature of the email, you wouldn't think about clicking the link in the first place.
6-7) I think it only said it was required, but nothing more than that
8-9) Same, though in this case with the signature, if the email was generated internally, it would be a bit short with one line telling us our last four digits of our employee code
 
That's a phishing test from PhishMe (Cofense). I use them to send test phishing campaigns and I recognize the domain. I just signed into the PhishMe console and found the message. Hopefully your friend hit the reporter button. ;)

That message has a 3-6% susceptibility rate. It's good for catching cocky IT people. They have a similar one about "firewall" activity that's also really good for catching IT people.
 
Hopefully your friend hit the reporter button.
@Harry They were working remotely at the time. They were already suspicious of the message. I got permission to get that image I posted to help others and advised them to report it, which they did. They later received a notice that it was a test and thanks for the report. They told me that these things are annoying. I said, yes, but having a data breach and spending $ Millions is annoying too. Also, the only way to know if the people pass the test is to test them.

What's the old technician's diagnostic acronym?

PEBKAC - Problem Exists Between Keyboard And Chair

May your bits be stable and your interfaces be fast. :cool: Ron