Author Archives: rborglund

Attackers make your phone your enemy

We all love our phones – If you consider them a part of your technological interface to the world you can say that they actively make us smarter – you can access the total of human knowledge from the palm of your hand almost anywhere.

However, when attackers craft phishing emails trying to steal your account information, your phone is often not your friend.

I encountered this message this morning – here is a screenshot from my phone

OK – this is dangerous – there are almost no clues that this isn’t valid.

From a technical standpoint – emails aren’t “returned”, they are “bounced” or “rejected”, but that wording could be a “non technical friendly” choice. If emails are “rejected” you can’t “recover” them; you would have to ask the sender to resend them. Also, the receipt of emails at the mail server doesn’t have anything to do with “syncing” – mail at the mail server side is “received”, not “sync’d”.

However, that’s all technical – I bring it up because I believe at first glance a lot of technical people would be fooled by this email as well. So, don’t feel bad if you think that email looks legit! I had to re-read it a couple of times to understand why I thought it wasn’t right. (Well, that and I knew my account was up to date and there were no technical problems with my Office 365 account).

What can a non-technical user look at for clues?

First off, don’t answer or click these messages on your phone; they can wait until you are in front of a computer.

If you must deal with something like this on your phone, find a way to view the entire sender address. This is usually the primary giveaway you can look for, and these messages are especially dangerous for phone users because phones only display the friendly names, not the longer “name@company.com” address.

Repeating that – find a way to view the actual sender address.

This particular message has nothing else that stands out in the way of grammar or misspellings. I expect this to continue: grammar and spell check services will start being used by the people who try to scam you too, so grammar and spelling errors are going to be less prevalent.

If we look at this message on the computer – the sender address is obviously garbage.

 

Good luck and be careful out there.

 

Phishing with OneDrive

I noted another phishing email that I wanted to highlight. These scams to get your account information are relatively sophisticated and you want to watch for the subtle clues that tell you they aren’t real.

The top give-away, as usual, is the sending email address.

IMPORTANT TO NOTE – on your phone, like where I first saw this particular email, you often don’t see the full sender address but you get the short form. In this case the short form was very clever: “OFFICE-noreply”, which sounds an awful lot like a lot of legit automated notifications.

Once you see the real email sender though, you have a clue that “Georges@libanet-kai.com” is not an authorized email account for MS products.

There are a number of grammatical errors but they look a lot like the sort of tense problem that would be common in automated emails. If you spend time thinking about whether that tense issue makes sense within the context of the automated email you can occasionally spot the fake that way.

For example:

You have 3 doc file associated with your “account name”

Anyone crafting an automated email probably would have left out the “your” entirely, but if it was there, they would have written ‘your <account name> account’. You are looking for things that don’t complete common patterns, but you have to be familiar with common patterns to do that.

As well, you need to hover your mouse over the “Open in OneDrive” link (which seems very well done).

http://empleo.donamencia.es/theme/v3/index.php?ub=roy.borglund@elementalcomputing.ca

Obviously empleo.donamencia.es is not a MS website. It’s probably a hacked website hosting a page that steals your account information.

 

New Office 365 Phishing email

I received a new O365 Phishing email. Take a quick look and see if you can spot all the problems in this mail:

Can you spot the clues?

Here’s some highlighting.

OK:

  1. Not from Microsoft.
  2. Bad grammar – “we’ve prevent”, “from been deleted”
  3. Misspellings – “interuption”, “valiate”, “Acitivity”

The clickable link also uses a URL shortener to hide that it’s not from MS.

The actual link goes to a page that has been identified as malware, but it could just as easily have been a site that looked like a valid Office 365 login – check the top URL (helpwarrior.com is NOT Microsoft).

 

I received a phishing email that was relatively convincing. I thought that I would post it to show people what to look for when they are looking at an email. This email contains a few interesting elements: the statement that you are missing mail (meant to alarm you), the use of the blue colour for the button, which is consistent with the colours that Microsoft actually uses to brand their business, and the link to portal.office.com, which at first glance looks like a valid MS link.

If you look at the sender address – it clearly isn’t from Microsoft.

Then when you hover your mouse over the button or, more importantly, over that “portal.office.com” link that’s supposed to make you think this email is legitimate, you notice that the link doesn’t go to ‘portal.office.com’ but goes somewhere else entirely.

If you follow the link – you end up at a page that is a clone of the MS Office 365 sign in page – but is *NOT MICROSOFT*.

Look at the link in the URL bar – this is not a MS site. This is the social engineering process these individuals are using to steal your email login. Once they have your email login, they can reset the passwords to your bank accounts and other important items and go on to steal your identity.
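The two manual checks from these posts (view the full sender address behind the friendly name, and compare where a link really goes with what it displays) can be run over a saved message. This is an added example, not code from the original posts; the trusted-domain list, the brand keywords and the `login.example.net` host are assumptions, and the sample message is constructed from the sender and link host quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumptions: domains accepted as genuine Microsoft, and brand words used as bait.
TRUSTED = ("microsoft.com", "office.com", "microsoftonline.com", "live.com")
BRANDS = ("office", "microsoft", "onedrive")
HOSTLIKE = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)  # hostname shown as link text

def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_clues(raw):
    """Return the clues found by expanding the sender and 'hovering' each link."""
    msg, clues = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    if any(b in name.lower() for b in BRANDS) and not is_trusted(addr.rpartition("@")[2].lower()):
        clues.append(f"display name {name!r} hides sender {addr}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())  # assumes a single-part HTML body
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        shown = HOSTLIKE.search(text)
        if shown and shown.group(1).lower() != host:
            clues.append(f"link text shows {shown.group(1)} but goes to {host}")
        elif not is_trusted(host):
            clues.append(f"link {text!r} goes to untrusted host {host}")
    return clues

# Constructed sample: sender and first host come from the posts; login.example.net is a placeholder.
SAMPLE = ('From: "OFFICE-noreply" <Georges@libanet-kai.com>\n\n'
          '<a href="http://empleo.donamencia.es/theme/v3/index.php">Open in OneDrive</a>\n'
          '<a href="http://login.example.net/signin">portal.office.com</a>\n')
```

Calling `phishing_clues(SAMPLE)` returns one clue for the sender and one for each link; a message whose sender and links all sit under the trusted domains returns an empty list.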

Stay safe out there and protect your account information!

Hacked!

Hi All,

Elemental Computing’s website was recently hacked and replaced with spam. This website was on a long list of things that needed attention anyway, so I have deleted the old site and instead of just reloading from backup, I have replaced it with a WordPress installation and will be moving forward from here on the WordPress platform.