My Crusade Against Phishing Emails Part One: Identify and Analyze
Gmail is usually pretty good at stopping phishing/spam emails before they reach my inbox. Recently, a few slipped through. A few years ago, I would have flagged these emails to Gmail and then moved on with my life.
That old version of myself is dead.
Now, I have the means to investigate a little deeper. I deduced that these phishing emails began to arrive after I submitted my information while applying to a job on a website. I have reached out to the company that hosts the website, but I have gotten no word back from them.
Considering that I’ve had no response from them, please avoid using StartWire to apply for any jobs. I don’t know if they are aware of what’s happening on their website, but it appears that right now it is just serving as a conduit for data harvesting.
As a result, my best practice from now on is to always apply to a job directly on that company’s website.
Analyzing a Phishing Email
There are a few things that initially jump out at me. This sender has no photo. Not everyone has a photo attached to their email account, but nowadays I find it typical for someone acting as a recruiter or representing a company to at least have a logo as a profile picture. The style and grammar of the message are odd. There’s no signature at the end, and there should be some line breaks to separate the body from the rest of the email.
Let’s take a look at the attached PDF.
“According to our security policy, this information should not be disclosed to third parties.”
I guess I just ruined my chances at getting this job by sharing this with you. Oh well.
“If you are interested in this job offer, please provide your contact details, such as phone number and e-mail.”
Uh. Don’t they already have my email? How else would they have been able to send this to me?
So far, it seems like our scammer has done a pretty sloppy job.
I’d like to take this point to state that I do not want to give the impression that someone should feel unintelligent or less-than for being tricked by a phishing email — even a low-brow one such as this. This email in particular involves a job scam. A lot of people are job searching in this economy, and some people may be feeling a tight financial squeeze that might influence them to be excited by this email and want to act quickly. Even people who identify and respond to threats for a living sometimes fall victim to phishing.
These additional details stand out. The reply-to address is an entirely different domain. There seems to be some kind of email spoofing happening here. It’s possible that the real Madison has had her email hijacked, and the scammers are using a different reply-to email address in order to keep Madison from being alerted.
Notice the header: “firstname.lastname@example.org via email@example.com”.
I’m not one to be xenophobic, but a .ru domain screams suspicious when it comes to mysterious emails.
The attachment was similar, but for a different bogus job.
What’s interesting here is that although this email originated from a different domain, a similar reply-to address with the same domain was used as in the previous email.
In this case, it appears that this phisher could be using a compromised personal email address to receive responses to this email. The address in the reply-to field looks like firstname.lastname@example.org.
Gmail ignores periods in the part of an email address before the @ sign. It is possible to send an email to email@example.com that will be received by firstname.lastname@example.org.
My theory is that the attacker had control in the past or actively controls this person’s Gmail account. They’ve configured this compromised account to automatically filter emails being sent to the address separated by the periods and forward those emails to the attacker’s database and then delete them. In this way, the owner of the account may have no idea that their email is being used in this manner.
Note: You may have noticed that I haven’t shared the data from the original message. In this case, there were ample clues to identify these emails as phishing from how they were presented by Gmail in my inbox, so I haven’t included the originals in this analysis.
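The header clues discussed above (a reply-to domain that differs from the sender's, the "via" relay, and Gmail's dot-insensitive addresses) can be checked mechanically. This is an added example, not something from the original messages: the sample headers and every address in it are constructed placeholders, and treating Return-Path as the "via" domain is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (placeholders, not the messages from this post).
RAW = """\
From: Madison Recruiter <madison@sender.example>
Return-Path: <bounce@relay.example>
Reply-To: j.a.n.e.doe@gmail.com
Subject: Job offer

Please see the attached PDF.
"""


def split_addr(header_value):
    """Return (local, domain) in lower case from a header value, or None."""
    local, at, domain = parseaddr(header_value or "")[1].lower().rpartition("@")
    return (local, domain) if at else None


def gmail_canonical(header_value):
    """Collapse a Gmail address to the mailbox that receives it (dots ignored)."""
    parts = split_addr(header_value)
    if parts is None:
        return None
    local, domain = parts
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}"


def header_findings(raw):
    """List mismatches between From and the Reply-To / Return-Path headers."""
    msg = message_from_string(raw)
    sender = split_addr(msg["From"])
    findings = []
    for name in ("Reply-To", "Return-Path"):
        other = split_addr(msg[name])
        if sender and other and other[1] != sender[1]:
            findings.append(f"{name} domain {other[1]} differs from From domain {sender[1]}")
    reply = gmail_canonical(msg["Reply-To"])
    if reply and reply != parseaddr(msg["Reply-To"])[1].lower():
        findings.append(f"Reply-To is a dotted variant of {reply}")
    return findings


if __name__ == "__main__":
    print("\n".join(header_findings(RAW)))
```

Comparing `gmail_canonical()` output across several messages shows whether differently dotted reply-to addresses all land in the same mailbox.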
Blowing the Whistle
I am reporting these emails to Google of course, but I am also going to attempt to contact some of the parties who own these domains that are being abused.
- Email #1 originates from the domain of a Dutch tech company.
- Email #2 originates from the domain of a Russian automobile company.
- Email #3 is from an American media company.
- The reply-to address from emails #1 and #2 is from the domain of a small business in the United States.
- The reply-to address from email #3 appears to be someone’s personal email address.
I won’t be contacting the Russian company for a few reasons. First, I sadly do not speak Russian (thankfully, Anna Karenina has been beautifully translated). Second, my instinct is telling me that it won’t get me anywhere.
I will also not be contacting the personal Gmail address. I have no way of verifying that this is a real person’s account (sadly, my intuition tells me that it is indeed a real person’s account), and I don’t really want to raise any alarms with the phishers that would make them want to target me individually.
I carefully used information on LinkedIn and Facebook combined with some old-fashioned Googling to confirm that the other three parties are legitimate businesses.
I’m choosing to contact them out of courtesy. I figure that Google will not go to the trouble of alerting these companies. That isn’t their responsibility (and not mine either, but here we are anyway).
Also, phishing particularly annoys me, and I don’t feel like letting this go.
My hope is that these companies will improve their security practices as a result of these incidents, and hopefully be able to purge their systems of any potential nefarious activity or at least elevate the issue to a party who can do that for them.
Do I expect to be ignored? Yes, but I’m giving it a shot anyway.
Stay tuned for part two (now published here).