Search
  • Dan Weis

Free Voucher!

I received this Phishing email today. Vouchers and gift card scams are really popular for scammers to harvest sensitive information like validation of email addresses, physical addresses, phone numbers and other information that can be used for identity theft. This phishing email contains a lot of classic indicators of a phishing email. I'll give you a second to review it and see if you can spot them all!

So here are the set of indicators.

Firstly the domain is unexpected, I've never heard if it before and it doesn't reference any brand or store. There is also a spelling mistake in the Display name. it should be 'Confirm' not 'Comfirm'.

Next you can see that either something has gone wrong when they sent out the phish or got lazy, and it has a generic greeting. Next the phishing email is asking me to confirm my address for a competition that I never entered. The domain it takes me to is a completely different domain ending in .xyz. From experience, I have seen a large number of Phishing and data harvesting attacks leveraging these .xyz domains. The URL also has 3 sets of numbers to identify your address and details that the attackers can use in other attacks.

Next the attack is trying to create a sense of urgency. Common themes include 'your account is disabled', 'action now', 'unauthorised transaction', 'account limited' etc.


If you were to click on the remove list at the bottom you can see it has a unique identifier to tag your details in their database.

I detonated the link in any.app. Firstly, we can see that it executes 7 web requests, most to various tracking services. Sites with a reputation status of malicious are flagged with an exclamation mark or flame.


It also makes 33 connections to a bunch of malicious hosts, geo tagged as Ireland.

any.app also identifies the traffic as potentially malicious.

Lastly after it verified and grabs whatever it wants to grab, it redirects you to a random gadget deals page, which tries to entice you to buy something.

As you have seen there are lots of easy identifiers when it comes to competition scams. Stay #HackProof!

12 views

© 2020 HackProofYouself.com

  • Twitter - White Circle
  • White LinkedIn Icon