Phishing mail samples and inspection
Phishing emails are usually easy to identify; most of them are not carefully crafted, like the following:
The subject “IT- hotmail.com” and the sender domain “bma.biglobe.ne.jp” simply don’t align, and from Hotmail I would expect a polished HTML email with graphics and a better layout (and “Hotmail” capitalized).
Similarly, how would Google (and “Google Photos Hosting” does not even imply it’s the famous Google company we know) send email from the domain “wegibson.com”? Google normally uses specific subjects and a better footer design and disclaimer.
A valid Google email footer I used to see:
This email is a common delivery-phishing email. The first thing is that the To in the email content uses my email alias (not my name), so they don’t know my name at all, which is weird. Also, SF Express is a local company here in Hong Kong, so I would expect a Chinese email instead, and the email text is not commercial writing (too short, too simple and too direct).
Again, the key is that the email domain does not align with SF Express.
See my other post on ipqualityscore.com (again, respect to ipqualityscore.com, which replied promptly and took action after inspecting how their service was being abused, while the other service providers in that article did not even reply).
Short conclusion before the more complicated cases
The domain name of the email sender is very important information: be wary when an email sender is from an unknown domain or from a domain name that differs from their company name (sometimes they are clever enough to register something very similar, like using a “1” to fake an “l”, or using an “l” to fake an “I” (capital letter “i”)).
All emails like that are much easier to spot on a PC than on a mobile device, where the screen is smaller and the app design may hide some less important information or make it look small.
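The two checks described above (does the sender domain match the company the mail claims to be from, and is the domain a look-alike built from confusable characters) can be automated. The script below is an added example, not code from the original post: the brand table is an assumption for illustration, and it folds a few more confusable pairs than the post mentions (“0”/“o”, “rn”/“m”, “vv”/“w”) because the same trick works with them.

```python
import re
from email.utils import parseaddr

# Constructed brand table (assumption, not from the post): registrable domain -> keyword
# that a sender would use in the display name or subject when claiming to be that brand.
KNOWN_BRANDS = {
    "hotmail.com": "hotmail",
    "google.com": "google",
}

# Visually confusable characters folded to one representative. Lower-casing first turns a
# capital "I" into "i", so the "i" -> "l" entry covers the "l" faking "I" case from the post.
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o"})


def skeleton(domain):
    """Return a folded form of the domain so look-alike registrations compare equal."""
    return domain.lower().translate(CONFUSABLE).replace("rn", "m").replace("vv", "w")


def sender_domain(from_header):
    """Split a From header into (display name, lower-cased domain of the address)."""
    display, addr = parseaddr(from_header)
    return display, addr.rpartition("@")[2].lower()


def claimed_brands(text):
    """Brand domains whose keyword appears in the display name or subject."""
    lowered = text.lower()
    return {dom for dom, keyword in KNOWN_BRANDS.items() if keyword in lowered}


def domain_relation(domain, brand_domain):
    """'exact' for the brand domain or a subdomain, 'lookalike' if only confusables differ."""
    if domain == brand_domain or domain.endswith("." + brand_domain):
        return "exact"
    if skeleton(domain) == skeleton(brand_domain):
        return "lookalike"
    return "unrelated"


def check_sender(from_header, subject):
    """Compare what the mail claims to be against the domain it was actually sent from."""
    display, domain = sender_domain(from_header)
    claims = claimed_brands(display + " " + subject)
    findings = []
    for brand in sorted(claims):
        relation = domain_relation(domain, brand)
        if relation != "exact":
            findings.append(f"{relation}: claims {brand} but sends from {domain}")
    if not claims:
        # No brand named in the text: still catch a domain that merely resembles one.
        for brand in KNOWN_BRANDS:
            if domain_relation(domain, brand) == "lookalike":
                findings.append(f"lookalike: {domain} resembles {brand}")
    return {
        "domain": domain,
        "claims": sorted(claims),
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # The two samples from the post and one constructed look-alike domain.
    for frm, subj in [
        ("IT <it@bma.biglobe.ne.jp>", "IT- hotmail.com"),
        ("Google Photos Hosting <noreply@wegibson.com>", "Your photos"),
        ("Google <no-reply@accounts.google.com>", "Security alert"),
        ("Support <help@goog1e.com>", "Account notice"),  # constructed look-alike
    ]:
        print(frm, "->", check_sender(frm, subj))
```

The skeleton comparison is deliberately coarse: it will also match unrelated domains that differ from a brand only by an “i”/“l” swap, which is the trade-off for catching the capital-I trick after case folding.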
This one looks more “valid”, as the email content looks more “real” (the HTML email body, image, layout).
Still, we can see several things that don’t align. First, we have an attachment with 0 bytes, which is super suspicious. In the footer we have the company name “hongkongpost” (not capitalized or properly spaced; the real name is “Hongkong Post”). Last but not least, again, it’s the domain.
This one was actually caught by the junk mail detector, but it took me some time to confirm.
First of all, the email looks legitimate and the footer looks very real. The domain name is real too; I went and checked on the service provider, and their customer service email is actually “firstname.lastname@example.org”.
Then I suspected the email might fake its “FROM” and actually be sent from another address, so I went ahead and read the email source.
The email header shows some interesting lines:
First, SPF did not pass, and the lookup of netvigator.com failed with a DNS timeout, which, before I dug deeper, I thought was just because DNS was having issues at the time the mail was checked.
Then I took the IP address 126.96.36.199, which is from Latvia, and voilà, it must be spam (if it were from the US, I would probably have puzzled a bit more).
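Reading the raw source by hand, as done above, is the right instinct; the same three facts (the SPF verdict, the relay the message first arrived from, and any zero-byte attachment like the one in the Hongkong Post sample) can be pulled out of a message programmatically. This is an added example, not code from the original post. The message it parses is constructed for the example: the relay IP 198.51.100.23 is from a documentation range, the hostnames and timestamps are made up, and only the sender domain netvigator.com and the DNS-timeout SPF result are taken from the post. It does not geolocate the IP; it only extracts it for the manual lookup the post describes.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample message (assumption, not a real capture): SPF lookup timed out,
# the origin relay is a documentation-range IP, and the attachment is empty.
RAW_MAIL = """\
Return-Path: <bounce@netvigator.com>
Received: from mx.example.org (mx.example.org [192.0.2.1]) by inbox.example.org; Mon, 1 Jan 2024 10:00:00 +0000
Received: from unknown (HELO webmail.netvigator.com) ([198.51.100.23]) by mx.example.org; Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: mx.example.org; spf=temperror (DNS timeout looking up netvigator.com) smtp.mailfrom=netvigator.com
From: "Customer Service" <cs@netvigator.com>
To: alias@example.org
Subject: Your bill is ready
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your bill is ready, please see the attachment.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

--b1--
"""


def domain_of(addr_header):
    """Lower-cased domain of the address in a From / Return-Path style header."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def spf_result(msg):
    """SPF verdict from Authentication-Results, falling back to Received-SPF."""
    for header in msg.get_all("Authentication-Results", []):
        match = re.search(r"\bspf=(\w+)", str(header))
        if match:
            return match.group(1).lower()
    received_spf = msg.get("Received-SPF")
    if received_spf:
        return str(received_spf).split()[0].lower()
    return "none"


def origin_ip(msg):
    """IP in the earliest Received header, i.e. the relay the message first came from.

    Received headers are prepended by each hop, so the last one in the list is the
    earliest. Only the bracketed literal is trusted; the HELO name is attacker-chosen.
    """
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[-1]))
    return match.group(1) if match else None


def zero_byte_attachments(msg):
    """Filenames of attachments whose decoded payload is empty."""
    names = []
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            if len(data) == 0:
                names.append(part.get_filename() or "(unnamed)")
    return names


def inspect_mail(raw):
    """Collect the header and attachment observations from the post as findings."""
    msg = message_from_string(raw, policy=default)
    findings = []
    spf = spf_result(msg)
    if spf != "pass":
        findings.append(f"SPF result is '{spf}', not 'pass'")
    envelope, from_domain = domain_of(msg.get("Return-Path")), domain_of(msg.get("From"))
    if envelope and envelope != from_domain:
        findings.append(f"envelope sender {envelope} differs from From domain {from_domain}")
    for name in zero_byte_attachments(msg):
        findings.append(f"attachment {name} is 0 bytes")
    return {
        "from_domain": from_domain,
        "spf": spf,
        "origin_ip": origin_ip(msg),
        "findings": findings,
    }


if __name__ == "__main__":
    print(inspect_mail(RAW_MAIL))
```

An SPF result of temperror (a DNS timeout) is not the same as a fail: the check simply could not run, which is exactly why the post had to fall back on the origin IP. The script surfaces the IP for that lookup rather than trusting the HELO hostname, which the sender controls.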
While writing this article, I noticed a weird thing in the email content: the “real-ish” footer has a Simplified Chinese “click here” within Traditional Chinese wording:
Also, the font size does not really look right (when I inspect it carefully).
Even though spam mail detectors are doing pretty well, it’s still our own responsibility to be careful about spam/phishing emails.