A slightly different phishing attempt this morning. It was sent to a webmaster address on a small charity that I run the website for, so luckily hasn’t got through to the overworked staff who are less than technically aware and could unwittingly fall for this sort of phish. There are no links to click and the phishers expect the recipient to reply to the email. Quite by coincidence we have been updating the email system or rather Outlook.com has upgraded to the new version, where this charity has it’s emails handled and that has caused a bit of confusion with the different layout & settings.
An unwary user would only read the Help Desk & not see the wateroflifecc.org bit or just ignore it.
From: Help Desk <email@example.com>
Date: Thu 29/09/2016 05:35
Subject: Scheduled Maintenance & Upgrade
Scheduled Maintenance & Upgrade
Your account is in the process of being upgraded to a newest
Windows-based servers and an enhanced online email interface inline with internet infrastructure Maintenance. The new servers will provide better anti-spam and anti-virus functions, along with IMAP Support for mobile devices to enhance your usage.
To ensure that your account is not disrupted but active during and after this upgrade, you are required to kindly confirm your account by stating the details below:
* Domain\user name:
This will prompt the upgrade of your account.
Failure to acknowledge the receipt of this notification, might result to a temporary deactivation of your account from our database. Your account shall remain active upon your confirmation of your login details.
During this maintenance window, there may be periods of interruption to email services. This will include sending and receiving email in Outlook, on webmail, and on mobile devices. Also, if you leave your Mailbox open during the maintenance period, you may be prompted to close and reopen.
We appreciate your patience as this maintenance is performed and we do apologize for any inconveniences caused.
Customer Care Team
***This message is intended for the use of the individual or entity to which it is addressed, and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
These emails are actually coming from wateroflifecc.org 220.127.116.11 mail3.wateroflifecc.org which means either they have been hacked /compromised or somebody there has fallen victim to a previous phishing attack and given out the user name & password.
The email appears to have started from 18.104.22.168 75-144-39-253-Minnesota.hfc.comcastbusiness.net but that part of a header is trivially easy to spoof, so cannot be relied upon to be accurate or true.
Now lets look at the reply to address in the email which is firstname.lastname@example.org
Looking up tech-center.com we get an IP address of 22.214.171.124 and a holding website with adverts. The domain is an old domain registered in April 1996.
the bit to look at is the MX record which shows mail.com is handling all their mail. Mail.com is a free email provider owned and run by 1&1, so there is very little chance of getting anywhere there or finding these phishers. Free email providers generally tend to be web based and don’t need any confirmable or trackable details from anyone signing up.
My feeling is that the tech-center.com has been long abandoned by it’s owner ( the last listed update to IP or DNS was in 2008) who has been lax and some sort of compromise on the dns system to take over the email service & redirect to the phisher
Looking at mail.com I see tech-center.com is a listed email address that ANYBODY can signup to use, with any address before the @ . I cannot see how or any sign of 1&1 actually owning tech-center.com which appears to be registered to World Media Group, LLC who are a subsidiary of Verizon in USA. 1&1 do not appear to be part of the Verizon chain of companies that I can see.
Update: after a little bit more digging it looks like ALL the domains ( or at least the 10 or so that I have checked) that mail.com offer, are also owned / registered by World Media Group, LLC . It does look like 1&1 must be associated with or part of the Verizon group of companies