Identifying Phishing Emails: Using Source Code to Identify Phishing

In this video, you will learn how to look at the email source code to identify phishing attempts.
6.7
So let’s take a look at another one. Reminder, you had missed something important. Final notice, this message was sent from a trusted sender. We remind you for a third time you must answer us to avoid receiving this message several times. Do you want to unsubscribe? So this is a fun one because we have up here, you know, the scary looking yellow triangle, the exclamation mark, big bold letters, reminder. You have missed something important. It’s our final notice. So this works on a scarcity type level because it’s our final notice. You know, I’m missing something important. What could it be?
51.5
And you know, I could trust this because this message was sent from a trusted sender, so of course you could send it. The email’s telling me this is a trusted sender. Well, again, pretty suspicious. I have no idea who this is here. This is a really bizarre email address I’ve never seen. I don’t recognise the name there. It doesn’t tell me what important notice I’m missing. It doesn’t specifically address it to me. So again, that’s another suspicious thing about this email. And final notice, this is going to be the last time that they’re telling me, and I have to click on this in order to avoid missing out on something. So it’s a scarcity tactic.
104.5
Now, let’s break this down a little bit more. So again, I don’t know who this user is, and this is kind of funny because I can’t hover over the link, and link hovering is a really great tactic because instead of clicking the link and seeing where it goes and potentially compromising my computer, we could generally hover over these links to see where it’s going to go. But on this particular email, I wasn’t able to. Now, if we do View Original Email, we could take a look at the email in greater depth, which is pretty fun. We could do things like we could see the MX record. We could see the IP address of where it’s coming from.
147.5
We could see if the email’s being spoofed. And in this case, again, we could see the email addresses here. We can see the IP address here. We can see the routing through here. We could potentially trace it back to the actual location where it was coming from.
165.1
Now, looking at the original email, the HTML form it was pretty fun because if you keep scrolling down in there, you can see the HTML code in that email. So the email was actually HTML email. And if we scroll down in here, you can see the HTML they put in there for, this message was sent from a trusted sender, and that’s the part that made it try to make it look legit that it was from a trusted sender. But again, looking at the original email, we can kind of dig through there and actually see that information.
202.5
Now, this was kind of unexpected, so continuing looking at the original source email, because it was HTML, we could see the rest of it that was embedded in the email. You know, if you remember, that email was pretty short. This was our email, but you look at the actual HTML in the email, I actually found an entire message in here. Hi, DHG. My name is Dylan Basile and I work at Event Temple. Nice to meet you and thanks for requesting a demo. Join me for a quick demo, blah, blah, blah. Here’s the date and time. Did you have any times on your website to work with? And so on and so on.
249
And it has its user name and ID on here to log into. So it’s an interesting email, how they set it up, and again, it’s kind of funny because when you look at the email, they put this nice green bar, which might throw some people off that this message was sent from a trusted sender. So it’s trying to gain your confidence here, and it’s again, final notice, so it’s forcing people to take action, and you can’t link hover over that. So pretty interesting phishing email. Nice attempt, though, but interesting. Now, this is a common one I get a lot too. Amazon Service Reminder, a message from Customer Service, and it has a bogus number on there.
298.4
Now, this one we were able to link hover over. You know, if we look at the email, it’s a pretty decent email for the most part. We have the Amazon logo here. We have the usual Amazon typeset. It looks like an actual Amazon email, which they probably took a real Amazon email and kind of created a template and modified it a little bit. We have the Verify button that looks like Amazon, even the little gold bar here, the copyright for Amazon, the little blurb from Amazon typically has. Now, this is supposedly a service reminder, and this text file probably has some sort of payload in here, and also we’re able to link hover over this.
346.5
So hovering over the link, you know, help us unlock your account by logging into your account and follow the on-screen instructions. Well, I never clicked this for a couple of reasons. One, I never use Amazon with this particular email account they sent it to, so that was the first red flag. Second, if we look up here, Customer Service, it’s lclv blah blah blah @mmxdater.com. Well, that’s not an Amazon address, obviously. To user blah, blah, blah mailorder6@amazon.com. Well, that’s not my email address either. So those two things are a big red flag, including not going to my proper email address. And also, I always like to hover over the link.
399.8
So hovering over the link we see, it’s actually going to akukapn.info blah blah blah.
408.3
So again, that’s not an Amazon site, so that’s a highly suspect link, so don’t click on it. Again, if you get a link, always hover over it if you can and see where it’s going to verify if it’s something you should be clicking on or not.

In the previous article, you learned how easy it is for hackers to set up phishing attacks and how these attacks use social engineering to get a response from a user. In this video, you will see two common phishing examples, and you will learn what to look at in the email source code that could indicate the email is a phishing attempt.
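
The checks walked through in the video (the real sender domain versus the brand the email claims, the recipient address, the relay IPs in the Received headers, and the link targets in the HTML part) can be run against the raw message source without opening any link. The following is an added example, not part of the course material; the sample message, the domains, the IP address and the function names are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of a raw message; every name, address, IP and host is made up.
RAW = """\
Received: from mail.sender.example (mail.sender.example [203.0.113.45])
\tby mx.mailbox.example with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000
From: "Example Shop Customer Service" <notice@billing-alerts.example>
To: someone-else@shop.example
Subject: Service Reminder
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>This message was sent from a trusted sender.</p>
<a href="http://login.verify-account.example/unlock">Verify</a></body></html>
"""

def base_domain(host):
    # Assumption: the last two labels approximate the registrable domain.
    # Production code should consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def inspect_source(raw, brand_domain, my_address):
    """Report where a message really comes from and where its links really go."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(str(msg["From"]))
    sender_domain = base_domain(sender.rpartition("@")[2])
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    # Read link targets from the markup rather than trusting the visible text.
    hrefs = re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.I)
    link_domains = sorted({base_domain(urlparse(u).hostname or "") for u in hrefs})
    # Bracketed IPv4 literals in Received headers show the relaying hosts.
    hop_ips = [ip for hdr in msg.get_all("Received", [])
               for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hdr))]
    findings = []
    if sender_domain != brand_domain:
        findings.append("sender domain is not the claimed brand")
    if my_address.lower() not in str(msg["To"]).lower():
        findings.append("not addressed to my mailbox")
    if any(d != brand_domain for d in link_domains):
        findings.append("link leaves the claimed brand's domain")
    return {"sender_domain": sender_domain, "link_domains": link_domains,
            "hop_ips": hop_ips, "findings": findings}

if __name__ == "__main__":
    print(inspect_source(RAW, "shop.example", "me@mailbox.example"))
```

Received headers below the one added by your own mail server are written by the sending side and can be forged, so treat only the topmost hop as reliable.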

This article is from the free online course Advanced Cyber Security Training: Network Security, created by FutureLearn.
