Indicators of a Phishing/Social Engineering Email #1

Neemobeer

Cloud Security Engineer
Staff member
I thought it might be fun and informative to start a series on real phishing emails and calling out the indicators of why they are suspicious. One of my old email addresses has been in a lot of data breaches so it tends to receive a lot of spam and phishing emails.

Without further ado here is the email.

(1) The first sign of a suspicious email is a weird subject line that is vague and does not reference anything specific.
(2) The sender is "Prime" (maybe trying to pretend to be Amazon Prime), but the actual email address is @gmail.com. No business save for mom-and-pop shops will send from a gmail address.
(3) Weird random characters; it definitely does not look professional (looks like base64 encoding, but does not decode to anything readable).
(4) The hook: hey, I won a prize, and all I have to do is click the link... Never blindly click links. Hover over them and see if they look legitimate.
(5) Another hook: get a prize if I click on the link.

[screenshot]



There are three links in this email: "Christmas Tree", the "Get Started" button and "uns" at the bottom.
All three point to the same thing.

(Green) Probably an auto-generated domain name; definitely suspect.
(Orange) This could be some kind of tracking of my email as a victim. There is also another legit domain, accounts.cragslist.org. It might even try something clever like generating a post with something I end up entering from this link, such as credentials.
[screenshot]


Domain is not very reputable.
[screenshot]

Safely Analyzing the URL
Looks like there are further redirects to the buildwork.club domain (this could be intentional or an anti-forensic effort).
Hard to see in the screenshot, but the link appears to be broken.
[screenshot]
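As an added example (not from the post or its author), here is a small Python checker that flags the indicators called out above, run over a constructed sample message; the sender address, domain and filler text are made up.

```python
import base64
import email
import re
from email import policy
from urllib.parse import urlparse

FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
HREF = re.compile(r"""href=["']([^"']+)["']""", re.I)

# Constructed sample modelled on the post's indicators (not the real email):
# brand-like display name on a gmail address, base64-looking filler, and
# three differently worded links that all go to one odd domain.
SAMPLE = """\
From: Prime <winner.notify.2277@gmail.com>
To: victim@example.net
Subject: Re: your update
Content-Type: text/html

<html><body><p>Zx9KQm2vLp8RtW4nYh6sDf3g</p>
<p>Congratulations! Your <a href="http://xk9q-promo.example/go?u=victim">Christmas Tree</a> is waiting.</p>
<a href="http://xk9q-promo.example/go?u=victim">Get Started</a>
<a href="http://xk9q-promo.example/go?u=victim">uns</a></body></html>
"""

def gibberish(token):
    """Indicator 3: a base64-looking run that does not decode to readable ASCII."""
    if not B64_TOKEN.match(token):
        return False
    stripped = token.rstrip("=")
    try:
        data = base64.b64decode(stripped + "=" * (-len(stripped) % 4))
    except ValueError:
        return True
    return not all(32 <= b < 127 for b in data)

def analyze(raw):
    """Return the indicators found in one raw RFC 5322 message as readable strings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    # Indicator 2: business-style display name on a freemail mailbox whose address
    # has nothing to do with that name.
    if (sender.domain.lower() in FREEMAIL
            and sender.display_name.lower() not in sender.addr_spec.lower()):
        findings.append(f"display name '{sender.display_name}' on a {sender.domain} address")
    if len(str(msg["Subject"]).split()) <= 3:  # Indicator 1: short, vague subject
        findings.append(f"vague subject: '{msg['Subject']}'")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = re.sub(r"<[^>]+>", " ", body)  # drop tags so only visible text is tokenised
    findings += [f"unreadable base64-like text: {t}" for t in text.split() if gibberish(t)]
    links = HREF.findall(body)
    hosts = {urlparse(u).hostname for u in links}
    if len(links) > 1 and len(hosts) == 1:  # Indicators 4/5: many hooks, one destination
        findings.append(f"all {len(links)} links point at {hosts.pop()}")
    return findings
```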

bochane

Excellent Member
Checking a site's reputation: how is it done, and is it accessible for everyone?

Neemobeer

Cloud Security Engineer
Staff member
There are many sites that can be used to analyze URLs. The first web reputation image is BrightCloud by Webroot, the second is urlscan.io.