Phishing Example


Last week I attended an industry conference and spoke on a security panel; more on that in a post over the next couple of days.  One consistent theme around cyber security was how effective phishing email and social engineering are.  Phishing has become one of the most common ways attackers gain their initial foothold in otherwise well-secured networks.  This morning I received a well-crafted phishing email that I want to share, because it has several elements that are worth knowing about in order not to fall victim.

Let’s take a look at the email that arrived this morning with the subject “Shipment Tracking Number” from “notification@fedex.com.”  Both the subject and the From address look legitimate.  Keep in mind, though, that the From address proves nothing on its own: it is just text the sender fills in, and forging it costs an attacker nothing.  Here is the actual message:

[Image: FedEx Phish.png, the phishing message as received]

This message looks fairly legitimate, and on a quick glance many people would simply click the link, so let’s look deeper.

If you hover over the link instead of clicking it, which is ALWAYS recommended, here is what you see:

[Image: FedEx Phish Hover, the link destination shown on hover]

The destination shown on hover does not match the address displayed as the link text in the email.  The text of a link and the address it actually points to are set independently, so a mismatch like this should be treated as a clear warning sign of phishing.
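The hover check can be automated for an HTML message.  The following is an added example, not code from the original post: it parses the body with Python’s standard html.parser and, for every link whose visible text looks like a URL or hostname, compares that hostname’s registered domain with the domain of the href.  The sample body and every hostname in it are constructed for the demo, and the "last two labels" domain helper is a simplification (a real tool would use the public suffix list).

```python
"""Flag links in an HTML email body whose visible text names one host but whose
href points somewhere else.  Added example, not code from the original post;
the sample HTML below is constructed and the hostnames in it are made up."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: a "FedEx" tracking link whose href goes elsewhere,
# a plain-text anchor that cannot be checked this way, and one honest link.
SAMPLE_BODY = """
<p>Your package is waiting.  Track it here:
<a href="http://track-update.example.net/fedex/?id=91823">
  http://www.fedex.com/tracking</a></p>
<p>Or <a href="http://track-update.example.net/fedex/">click here</a>.</p>
<p>Terms: <a href="https://www.example.org/terms">https://www.example.org/terms</a></p>
"""

# Matches a hostname (optionally preceded by a scheme) inside link text.
_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registered_domain(host):
    """Crude 'last two labels' registrable domain: www.fedex.com -> fedex.com.
    Good enough for this demo; a real tool would use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text words) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).split()))
            self._href = None


def find_mismatched_links(html):
    """Return a list of (visible_text, href_domain) for links whose visible text
    names a domain that differs from the registered domain of the href.
    Links whose text is not a hostname or URL ("click here") cannot be judged
    this way and are not reported; they still deserve a hover check."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text_words in parser.links:
        text = " ".join(text_words)
        m = _HOST_RE.search(text)
        if not m:
            continue
        shown = registered_domain(m.group(1))
        actual = registered_domain(urlparse(href).hostname or "")
        if shown != actual:
            findings.append((text, actual))
    return findings


if __name__ == "__main__":
    for text, domain in find_mismatched_links(SAMPLE_BODY):
        print(f"MISMATCH: link text '{text}' actually goes to {domain}")
```

Run against the constructed body, the only finding is the tracking link: its text claims fedex.com while the href lands on example.net.  The "click here" link is silently skipped, which is exactly why a visual hover check still matters for links with generic text.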

Now let’s look a little more closely at the message text itself:

[Image: FedEx Phish Markup.png, the message with the problem spots numbered]

The sentence beginning at #1 is not properly capitalized.  The amount at #2 is not in proper currency format: “usd” should be “USD”, and the comma that follows it is misplaced and comes after a stray space.  There is no punctuation at #3 or #4.  #5 lacks proper capitalization and punctuation.  #6 is not the real FedEx logo; notice that it is plain text rather than the bold logo in which the d and E are actually connected.

So, taken all together, would the real FedEx ever send a message like this?  No, not at all.  This is definitely a phishing email, designed to get you to click on the link.  What happens next depends on the campaign: typically the link leads to a look-alike page that asks for credentials or a payment, or to a download that, if opened, installs malware that gives the attacker access to your computer or, worse, records everything you type, which gives them access to far more.

For the more technically inclined, the email headers contain several other details that confirm this is not really from FedEx and is a phishing email:

X-Country-Path Denmark->
X-Note-Sending-IP 212.237.47.12
X-Note-Reverse-DNS host12-47-237-212.serverdedicati.aruba.it

These three lines settle it.  They are non-standard X- headers, added by a mail filter on the receiving side rather than by the sender, so they are worth trusting.  The sending IP, 212.237.47.12, reverse-resolves to a host under aruba.it, and a WHOIS lookup of that domain shows it registered to Aruba S.p.A.  Despite the name, that has nothing to do with the Caribbean island: Aruba S.p.A. is a real and very large Italian hosting provider, the .it suffix is the country-code top-level domain for Italy, and “serverdedicati” is Italian for “dedicated servers”.  In other words, the message was handed to my mail system by a rented dedicated server at an Italian hosting company, and FedEx does not send tracking notifications from rented servers at a third-party hoster.  The Denmark entry is the country the filter attributed to some hop in the delivery path from its geolocation data, which is far less reliable than the sending IP and its reverse DNS.  Whoever rented that server could be sitting anywhere, and an intermediate server like this is a common way to mask the real sender.  If your mail provider records an Authentication-Results header, that is the definitive check: a message claiming to be from fedex.com that fails SPF or DKIM was not sent by servers fedex.com has authorized.  Either way, if you were not convinced to this point, you should now know without a shadow of a doubt that the sender is not FedEx.
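The same origin analysis can be scripted.  Below is an added example, not code from the original post, that uses Python’s standard email module to pull the claimed From domain, the envelope sender, the first external hop from the Received chain, and any recorded SPF result out of a message.  The raw message is constructed for illustration: the sending IP and reverse-DNS values are the ones quoted above, every other host, address and date in it is made up, and the trailing Received line is a deliberately forged one, included to show why the chain must be read from the top (the relays you control) downward rather than from the bottom.

```python
"""Extract where a message really came from and compare it with the domain the
From header claims.  Added example, not code from the original post.  The raw
message is constructed: the IP and reverse-DNS host are the ones quoted in the
post, the other hosts, addresses and dates are made up, and the bottom Received
header is a fake one planted by the 'sender' to look like FedEx."""
import email
import re

RAW_MESSAGE = """\
Return-Path: <bounce@track-update.example.net>
Received: from mx.recipient.example (mx.recipient.example [203.0.113.5])
\tby mail.recipient.example with ESMTP id 1; Mon, 3 Jun 2013 08:11:02 -0400
Received: from host12-47-237-212.serverdedicati.aruba.it (host12-47-237-212.serverdedicati.aruba.it [212.237.47.12])
\tby mx.recipient.example with ESMTP id 2; Mon, 3 Jun 2013 08:11:01 -0400
Received: from mail.fedex.com (mail.fedex.com [192.0.2.10])
\tby host12-47-237-212.serverdedicati.aruba.it with ESMTP id 3; Mon, 3 Jun 2013 08:10:59 -0400
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=track-update.example.net
From: FedEx <notification@fedex.com>
To: victim@recipient.example
Subject: Shipment Tracking Number
X-Country-Path: Denmark->
X-Note-Sending-IP: 212.237.47.12
X-Note-Reverse-DNS: host12-47-237-212.serverdedicati.aruba.it

Your shipment could not be delivered.
"""

_RECEIVED_FROM_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.I)
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def registered_domain(host):
    """Crude 'last two labels' registrable domain (www.fedex.com -> fedex.com)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def header_domain(msg, name):
    """Domain part of the address in header `name` (From, Return-Path), or ''."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get(name, ""))
    return m.group(1).lower() if m else ""


def origin_hop(msg, trusted_suffix):
    """Walk Received headers newest (top) to oldest.  Headers added by relays we
    operate are trustworthy; the first one whose 'from' host is not ours is the
    external machine that handed us the message.  Anything below that point was
    supplied by the sender and may be forged, so it is ignored."""
    for hdr in msg.get_all("Received") or []:
        m = _RECEIVED_FROM_RE.search(hdr)
        if not m:
            continue
        host = m.group(1)
        if host.lower().endswith(trusted_suffix):
            continue
        ip = _IP_RE.search(m.group(2))
        return host, (ip.group(1) if ip else None)
    return None, None


def analyze(raw, trusted_suffix):
    """Return the claimed From domain, the real origin hop, and a list of
    findings that contradict the From header."""
    msg = email.message_from_string(raw)
    from_dom = header_domain(msg, "From")
    bounce_dom = header_domain(msg, "Return-Path")
    host, ip = origin_hop(msg, trusted_suffix)
    findings = []
    if bounce_dom and bounce_dom != from_dom:
        findings.append(f"Return-Path domain {bounce_dom} differs from From domain {from_dom}")
    if host and registered_domain(host) != registered_domain(from_dom):
        findings.append(f"message entered our mail system from {host} ({ip}), not a {from_dom} host")
    if "spf=fail" in msg.get("Authentication-Results", "").lower():
        findings.append("receiving server recorded an SPF failure for the envelope sender")
    return {"from_domain": from_dom, "origin_host": host, "origin_ip": ip, "findings": findings}


if __name__ == "__main__":
    result = analyze(RAW_MESSAGE, "recipient.example")
    print(f"claims {result['from_domain']}, arrived from {result['origin_host']} ({result['origin_ip']})")
    for f in result["findings"]:
        print(" -", f)
```

The walk stops at the aruba.it host, so the planted “from mail.fedex.com” line beneath it never influences the verdict.  Three independent signals then point the same way: the bounce address domain, the origin host and the SPF result all disagree with the fedex.com in the From line.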

I hope all this information helps you protect yourself from these types of socially engineered phishing scams.
