I’ve been doing this security thing for many years now. In a list of current Internet patrons, I would include myself in the category of “those on high alert” for fraudulent and nefarious activity. I’ve seen many general phishing emails as well as targeted spear phishing emails, and I often wonder why these things are still so prevalent today. The answer, of course, is this: they still work! People still open those attachments and click on those links. If you are an attacker, why would you stop using a phishing attack vector that totally still works??
I was perusing my inbox the other day and found an interesting email that made me pause for a second. It was a PayPal receipt for an air compressor from Sears. I would have normally deleted this one right away, but this time was different. You see, my birthday was coming up soon, and my wife said she got me a present but, of course, wouldn’t tell me what it was. When I got this email from PayPal, I thought I had inadvertently stumbled upon my birthday surprise. I still wondered if this receipt was legit because I never really expressed interest in an air compressor, but who knows, maybe she thought outside the box and wanted to get me this thing. So, I just left it there and figured I would act surprised when I opened an air compressor on my birthday.
Fast forward a couple of weeks…my birthday came and went, and guess what I got for my birthday?? Not an air compressor. Of course, this made me even more suspicious about the PayPal email. I went back and looked at it a little closer and found several tell-tale signs of a pretty good spear phishing email. As with any good spear phishing email, many aspects of it looked extremely legitimate, but some things were out of place.
Here’s the email sitting in my inbox:
It looked decent enough at first glance, and I didn’t have a compelling reason to question this purchase given the situation I described above. However, after looking a little closer, I noticed several things wrong with this email. The first is that it was sent from a “PayPal” account, but the email address had nothing to do with PayPal. Instead, it was “email@example.com”. Check out the screenshot below:
Next, I noticed that it was sent from a Sears store in Crawfordsville, Indiana based on the details of the shipping info. A quick Google Maps search of that address showed me this street view:
It’s a store that sells home improvement items, but it’s definitely not Sears! At this point I’m seriously questioning the validity of this email. I noticed a few other things as well…the date stamp on the e-receipt is in YY/MM/DD format and I doubt it would be that way coming from a store in Indiana. Also, I noticed that the dollar sign on the item price is shown after the number…it should have been shown in front of the number.
Finally, though, I noticed at the top of the email that it offered a chance to “request a cancellation” of my payment if I didn’t recognize it. How wonderfully considerate of them!! I didn’t click on the link, but I was curious to see where the link would have sent me. Who wants to bet that it wasn’t a PayPal site for payment cancellation? I hovered over the link, and I noticed that it sends you to: www.redcross.gm/images/remember/html/us2.htm.
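The four tell-tale signs above (a brand name in the display name but an unrelated sending domain, a call-to-action link pointing somewhere other than the brand's site, an odd date format, and a misplaced currency symbol) are exactly the kind of checks a mail filter or a triage script can automate. As an added example that is not part of the original post, here is a small Python checker that applies those same indicators to a constructed message modelled on the one described. The sender address and link destination are the ones quoted in the post; everything else, including the `paypal.com` allow-list and the sample amounts and dates, is an assumption made for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample modelled on the post's description (not the real email).
# Sender address and link target are the values quoted in the post.
SAMPLE_EMAIL = """From: PayPal <email@example.com>
To: victim@example.org
Subject: Receipt for your payment to Sears
Content-Type: text/html; charset=utf-8

<html><body>
<p>Don't recognize this payment?
<a href="http://www.redcross.gm/images/remember/html/us2.htm">Request a cancellation</a></p>
<p>Date: 22/03/14</p>
<p>Portable Air Compressor - 149.99$</p>
</body></html>
"""

# Constructed benign counterpart: same layout, but every indicator is in order.
CLEAN_EMAIL = """From: PayPal <service@paypal.com>
To: victim@example.org
Subject: Receipt for your payment
Content-Type: text/html; charset=utf-8

<html><body>
<p>Questions? <a href="https://www.paypal.com/activity">View this transaction</a></p>
<p>Date: 03/14/2022</p>
<p>Portable Air Compressor - $149.99</p>
</body></html>
"""

BRAND = "paypal"
LEGIT_DOMAINS = {"paypal.com"}  # assumed allow-list for the claimed brand


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs so link text can be compared with the real destination."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(address_or_url):
    """Return the host part of an email address or URL, lower-cased."""
    if "@" in address_or_url:
        return address_or_url.rsplit("@", 1)[1].lower()
    m = re.match(r"^(?:[a-z]+://)?([^/:?#]+)", address_or_url, re.I)
    return m.group(1).lower() if m else ""


def is_brand_domain(domain):
    """True if the domain is the brand's own domain or a subdomain of it."""
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def phishing_indicators(raw):
    """Apply the post's four tell-tale signs to a raw message; return a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name claims the brand, but the sending domain is unrelated.
    display, addr = parseaddr(msg["From"])
    if BRAND in display.lower() and not is_brand_domain(domain_of(addr)):
        findings.append(f"sender display name '{display}' but address domain '{domain_of(addr)}'")

    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""

    # 2. A link whose real destination is not on the brand's domain (what hovering reveals).
    parser = LinkExtractor()
    parser.feed(html)
    for text, href in parser.links:
        if not is_brand_domain(domain_of(href)):
            findings.append(f"link '{text}' -> {domain_of(href)}")

    # 3. Two-digit-year date such as YY/MM/DD, not what a US store receipt would print.
    if re.search(r"\b\d{2}/\d{2}/\d{2}\b", html):
        findings.append("two-digit-year date format")

    # 4. Currency symbol after the amount instead of before it.
    if re.search(r"\d+(?:\.\d{2})?\$", html):
        findings.append("dollar sign after amount")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, phishing_indicators(raw))
```

Run stand-alone it prints four findings for the constructed suspicious message and none for the clean one. The link check is the most valuable of the four in practice: anchor text and visible sender are under the attacker's control, while the `href` and the envelope domain are what the message actually does, so a rule that compares the two catches the case the post describes regardless of how polished the rest of the receipt looks.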
Of course, the entire purpose of this spear phishing email was to get me to click on that link. I suspect the site found at that link has some not-so-nice malware that would have loaded on my machine automatically. These spear phishers had no idea that it was my birthday and that my wife was getting me a surprise gift…they just got lucky that everything lined up and I gave this particular email a little more attention than I normally would have.
Spear phishing is still a very viable form of malware distribution, so be careful before you open those attachments and click on those links!
Last thing…my actual birthday present was a surprise skydiving trip. I’ve always wanted to skydive, and now I can say I’ve done it! Here’s a little video proof that I went flying through the air...it was WAY better than a portable air compressor from Sears: