Email Phishing

Analysis and Takeapart of a UPS Parcel Shipping Problem Spoof

Member for

1 year 4 months
Submitted by AlReaud on Tue, 02/28/2017 - 19:26

At least once a week I get attachments from a “reputable” organization saying my account (that I don't have) has been locked due to suspicious activity being detected, a bank account (that I don't have) needs verification, or there is a problem with the shipment of a parcel (I didn't order). This week I got an interesting one from "Jordan Mccabe, UPS Station Manager". Sadly the sending individual doesn't know enough about the target to realize that "UPS" and "Post Office", well, kind of mismatch. But this one got me interested in doing some reverse engineering of the suspicious attachment because of it's small size, only 817 bytes.

The text of the email is as follows:
Date: 02/26/2017 01:35 AM
From: virtual-user <>
Subject: Parcel #001210497 shipment problem, please review
To: Me

Dear Customer,
Your item has arrived at the UPS Post Office at February 25, but the courier was unable to deliver parcel to you.
Postal label is enclosed to this e-mail. Please check the attachment!
Yours sincerely,
Jordan Mccabe,
UPS Station Manager.

Attachment Checksum (MD5): 3e01923b9fd179c864bf40caffb21786

Screen capture of UPS Trojan Attachment Email showing highlights.

The highlighted areas indicate areas that commonly give away the fact that it is a spoof. Usually the sender address is strange or wrong, the grammar is wrong, and the context of the message is wrong.

Unzipping the attachments creates a second zip file with a

Disecting a Spoof Craigs List Email

Member for

1 year 4 months
Submitted by AlReaud on Tue, 12/27/2011 - 09:29

NOTE: Updated 11/15/2016

Today's blog entry will cover a little live action. This is a continuation of the attacks from French domains. Contrary to popular belief, all online attacks DO NO ORIGINATE FROM CHINA!

Following the receipt of the below email, I examined the email in detail (clicking on the image opens a full size image in another tab or window).

Craigs List phishing email attempting to get your login.

The most important above is that when you hover over the link, you can see in the status bar

SunTrust Spoof: Additional ways of protecting your SunTrust access

Member for

1 year 4 months
Submitted by AlReaud on Tue, 09/27/2011 - 19:50

Updated: 11/6/2016

This is a recent phish wherein you get the following email (allegedly) from SunTrust Bank:

Subject: Additional ways of protecting your SunTrust access
From: "Suntrust"<>

SunTrust Online Banking Alert:

Banking with SunTrust Online is about to become even more secure!
As a valued SunTrust online customer, the security of your identity and personal account information is extremely important. We are installing Enhanced Online Security as an additional

How to prevent yourself from getting phished...

Member for

1 year 4 months
Submitted by AlReaud on Mon, 05/30/2011 - 17:50

So you get this email, what's the key in not getting hacked?

YouTube help center | e-mail options | report spam

YouTube Service has sent you a message:

You can reply to this message by visiting your inbox.

© 2011 YouTube, LLC
901 Cherry Ave, San Bruno, CA 94066

The key is to pay attention to the links in the status bar. Every link in the above is bogus. But if you watch the status bar in your browser, you won't ever get bit. If your status bar is not turned on, make sure to turn it on. Clicking on bogus links is the easiest way to get phished, and also the easiest scam to prevent!