This is one of the most convincing #phishing messages I've seen in a long time.
The email is clean and professional, the web site it links to doesn't get flagged by either #Firefox or #Chrome (I've reported it), and the web site (https:// apple-coin.io/, screenshot included below in case it gets taken down) is REALLY smooth.
Please give any #iPhone+#crypto users in your life a heads-up about this, because it's likely to fool a lot of people.
Please boost for visibility. #infosec #cybersecurity
but sent from an Indian investment firm (with valid SPF, DKIM and DMARC, so probably a vulnerable/misconfigured SMTP server on their end);
call-to-action links to the Canadian "bikers against pedophiles" (‽) staging website (a page under wp-includes, so probably leveraging a WordPress vulnerability)
that redirects to a page on the Czech Pandora website
that mimics the UAE bank, asking for credit card details (the phishing page has already been removed and I forgot to take a screenshot a few hours ago)
Fun reading about how even @pluralistic falls for phishing sometimes thanks to all the enshittification of getting in touch with necessary services making us less likely to catch the red flags.
I've clicked on a few of my office's "phishing tests" which at least gets me more "watch this social engineering info video" even if the videos are so bad that you can't help zone out.
I don't know my own work phone number. I don't share it. I just got a phone call from someone presenting as wanting to send me a publication. They had my phone number, name, and title. Who the hell is leaking my data!?
Phishing scammers now helpfully include the steps you need to take to click on their risky link in their texts. I’m sure ‘tuanosali1981@mailbox.org’ has my best interests in mind and is definitely from “the US Postal team.” I definitely shouldn’t question where they got my phone number from and why USPS wouldn’t just return a package to its sender. #scam #phishing #TrustNoOne
My employer lets a private company send fake phishing mails to all staff in order to train them. Now that company, which most personnel do not know, sends an e-mail in its own name to all our staff, asking them to click on a link to follow an anti-phishing training. So it looks like the message they are giving to all our staff is: it's OK to click on links from unknown companies, as long as they tell you that it's anti-phishing training. 🤦♂️ #phishing #infosec
Warning, #Phishing: Emails with a fake #BNetzA email address and the #BZSt greeting are currently circulating. The emails are not genuine. Do not open any links and please do not disclose any personal data such as your IBAN.
Reading about #scammers always depresses me. I know there are far greater problems in the world, but I wish the people who put so much effort into scamming others would redirect those efforts into doing something positive for society.
More specifically, I was tricked by a phone-phisher pretending to be from my bank, and he convinced me to hand over my credit-card number, then did $8,000+ worth of fraud with it before I figured out what happened. And then he tried to do it again, a week later!
--
If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
@pluralistic “There's a leak somewhere in the CU systems' supply chain”
I absolutely believe it.
I received a plausible #phishing mail, sent to an address I use only for one specific CU, with my correct name, purporting to be from the CU's president.
The payload link used in the phish contained the email address of the CTO of a different CU; I think the scammer just re-used a link without fine-tuning it for my CU.
The scammers clearly have access to CU client DBs & are targeting many CUs.
A few of the MFA lookalike domains we've detected recently. These target a large bank in the Czech Republic (csob[.]sk):
csob-sso-sk[.]net, online-csob-sso-sk-moja[.]com, csob-sso-sk[.]com
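The three domains above share one pattern: the bank's label ("csob") and its country TLD ("sk") are embedded as hyphenated tokens inside a completely different registrable domain, padded with authentication words like "sso" and "online". As an added example (not part of the post above, nor any detection tooling the poster uses), here is a small Python check that applies exactly that pattern to defanged indicators. It assumes a naive "last two labels" notion of registrable domain (no multi-part public suffixes such as co.uk) and a hand-picked keyword list; the two benign controls (`login.csob[.]sk`, `example[.]org`) are constructed.

```python
import re

# Constructed sample: the brand domain and the defanged lookalikes quoted in the post,
# plus two benign controls (a real subdomain and an unrelated domain).
BRAND = "csob[.]sk"
CANDIDATES = [
    "csob-sso-sk[.]net",
    "online-csob-sso-sk-moja[.]com",
    "csob-sso-sk[.]com",
    "login.csob[.]sk",
    "example[.]org",
]

# Words phishing kits like to pad a hostname with (assumed list, extend as needed).
AUTH_WORDS = {"sso", "login", "online", "mfa", "secure", "auth", "verify"}


def refang(domain):
    """Turn a defanged indicator like csob[.]sk back into csob.sk."""
    return domain.replace("[.]", ".").lower().strip(".")


def registrable(domain):
    """Naive registrable domain: the last two labels.
    Assumption: no multi-part public suffixes (co.uk, com.au, ...)."""
    labels = refang(domain).split(".")
    return ".".join(labels[-2:])


def host_tokens(domain):
    """Split everything before the final TLD on dots and hyphens.
    csob-sso-sk.net -> {'csob', 'sso', 'sk'}"""
    host = refang(domain).rsplit(".", 1)[0]
    return set(re.split(r"[.-]", host))


def analyze(candidate, brand=BRAND):
    """Return a list of reasons the candidate looks like an impersonation of brand.
    Empty list means 'not a lookalike by this heuristic'."""
    brand_reg = registrable(brand)
    if registrable(candidate) == brand_reg:
        return []  # the brand's own domain or one of its subdomains
    brand_label, brand_tld = brand_reg.split(".")
    tokens = host_tokens(candidate)
    if brand_label not in tokens:
        return []  # brand name absent: out of scope for this heuristic
    reasons = [f"brand label '{brand_label}' inside a different registrable domain"]
    if brand_tld in tokens:
        reasons.append(f"brand TLD '{brand_tld}' embedded as a hostname token")
    keywords = sorted(tokens & AUTH_WORDS)
    if keywords:
        reasons.append("authentication-themed padding: " + ", ".join(keywords))
    return reasons


def find_lookalikes(candidates, brand=BRAND):
    """Map each flagged candidate (refanged) to its reasons."""
    return {refang(c): analyze(c, brand) for c in candidates if analyze(c, brand)}


if __name__ == "__main__":
    for domain, reasons in find_lookalikes(CANDIDATES).items():
        print(domain)
        for r in reasons:
            print("  -", r)
```

The heuristic deliberately refuses to flag anything that does not carry the brand label, so hostnames that merely contain "login" or "online" do not generate noise; the TLD and keyword checks only add weight once the brand match is there.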
The PDF file attached to this email is malicious. You don’t even have to open it to know it should be deleted immediately. Outlook shows the “from” information, and this email didn’t come from Intuit.
The criminal who sent this email is an amateur. Be aware that the “from” information can be much more deceptive than we see in this email example. Sometimes you have to know how to examine the email header to see where the email is really from.
There are a lot of malicious emails that are of poor quality and easy to identify, like this one. By being informed and on guard, you can save yourself from a lot of trouble.
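The point made twice on this page (the Intuit post above and the earlier "valid SPF, DKIM and DMARC" one) is that the "from" line and even passing authentication results only tell you which mail system a message came from, not whether that system is the brand it claims to be. As an added example, not taken from any of these posts, the Python below parses a constructed raw message with the standard-library `email` package and pulls out the pieces an analyst actually compares: the display name versus the address domain, the From domain versus the Return-Path (envelope) domain, the Authentication-Results verdicts and the domain they were evaluated for, and the earliest Received hop. All domains and addresses are placeholders (.test TLD and RFC 5737 documentation IPs), and the brand-to-domain map holds an assumed placeholder rather than the brand's real domain.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message; every domain, address and IP is a placeholder.
RAW_EMAIL = """Return-Path: <bounce-7731@bulk-relay.test>
Received: from mail.promo-sender.test (mail.promo-sender.test [203.0.113.25])
    by mx.recipient.test with ESMTPS id abc123
    for <victim@recipient.test>; Tue, 1 Oct 2024 09:12:01 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
    by mail.promo-sender.test with ESMTPA id xyz789;
    Tue, 1 Oct 2024 09:11:58 +0000
Authentication-Results: mx.recipient.test; spf=pass smtp.mailfrom=bulk-relay.test;
    dkim=pass header.d=promo-sender.test; dmarc=pass header.from=promo-sender.test
From: "Intuit QuickBooks Billing" <billing@promo-sender.test>
To: victim@recipient.test
Subject: Your invoice is attached
Content-Type: text/plain

Please open the attached invoice.
"""

# Assumed placeholder: a real check would map the brand name to its legitimate domain(s).
EXPECTED_BRAND_DOMAINS = {"intuit": "intuit.example"}


def domain_of(addr):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def received_chain(msg):
    """Received headers in the order the message carries them: newest first.
    The LAST entry is the earliest hop, i.e. where the mail entered the mail system."""
    return [" ".join(str(h).split()) for h in msg.get_all("Received", [])]


def auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from Authentication-Results headers."""
    text = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", text)}


def analyze(raw):
    """Return the header facts an analyst compares, plus a list of findings."""
    msg = message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg["From"]))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_dom, rp_dom = domain_of(from_addr), domain_of(return_path)
    findings = []

    # 1. Display name claims a brand whose legitimate domain is not the sending domain.
    for brand, real_dom in EXPECTED_BRAND_DOMAINS.items():
        same_org = from_dom == real_dom or from_dom.endswith("." + real_dom)
        if brand in from_name.lower() and not same_org:
            findings.append(f"display name claims '{brand}' but address domain is {from_dom}")

    # 2. Envelope sender (Return-Path) and header From disagree.
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # 3. Passing SPF/DKIM/DMARC vouch for the sending domain, not for the claimed brand.
    auth = auth_results(msg)
    if auth and all(v == "pass" for v in auth.values()) and findings:
        findings.append(f"SPF/DKIM/DMARC pass only prove the mail came from {from_dom}, not from the claimed brand")

    hops = received_chain(msg)
    return {
        "from_name": from_name,
        "from_addr": from_addr,
        "return_path": return_path,
        "origin_hop": hops[-1] if hops else "",
        "auth": auth,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze(RAW_EMAIL)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Reading the Received chain bottom-up is the part people most often get wrong: the top Received line is the one your own server wrote, and the bottom one is the hop closest to the real origin (here a bare IP submitting through the sender's relay). Remember that any hop below the one your own server added is under the sender's control and can be forged.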