We see lots of phishing attempts for email credentials. This one, asking you to UPGRADE YOUR EMAIL ACCOUNT, is hosted on a free form-building and hosting service (www.emailmeform.com). The service is doing everything it can to stop phishers and other criminals abusing it: an interstitial warning page appears if it detects a form asking for sensitive information like passwords, user names or credit cards.
Unfortunately all free and cheap services are more open to abuse from these criminals, which means that the genuine and innocent users of these services suffer. The only way to stop abuse is to charge such high prices that it becomes economically unviable for the criminals to use the service, but that also stops genuine users who can’t or won’t pay high fees.
The criminals use email addresses and subjects that will entice, persuade, scare or shock a user into reading the email and following the links or opening the attachment.
Remember, many email clients, especially on a mobile phone or tablet, only show the name in the From: field and not the address in <domain.com>. That is why these scams and phishes work so well.
It looks like this email was sent from a compromised email account.
The email looks like:
From: Email Spam Threat Management. <email@example.com>
Date: Mon 16/10/2017 19:36
Subject: UPGRADE YOUR EMAIL ACCOUNT
Dear,Email Account User,
We are closing down some Email Accounts due to recent spamming activities and no upgrade/no update on the Accounts kindly confirm your
Email Account Active to avoid closing your Email Account.
Please kindly click on the link http://www.emailmeform.com/builder/form/f0u9cs37GH6Z20/ and complete the information requested to confirm your Email Account Active.
NOTICE: Failure to confirm your Email Account Active may lead to De-activation and all your email data will be lost permanently.
Secured by Email Spam Threat Management.
© 2017 . All rights reserved.
Email Account Help Desk Call 800-605-1962.
After you input your email address and password, you get a warning page from the emailmeform service, alerting you to the possibility that this is a page asking for sensitive information like passwords or credit card numbers.
If you ignore the warning and press continue, you get a success page and your login credentials have been stolen by the phisher.
We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. It may be a message saying “look at this picture of me I took last night” that appears to come from a friend, or something more targeted at somebody who is regularly likely to receive PDF attachments, Word .doc attachments or any other common file that you use every day. Or it may be a straightforward attempt, like this one, to steal your personal, bank, credit card or email and social networking login details. Be very careful when unzipping attachments, make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
| 18.104.22.168 | mail.soorneogi.com | IN | AS18229 CtrlS Datacenters Ltd. |
| 22.214.171.124 | Manassas | Virginia | US | AS30633 Leaseweb USA, Inc. |
Received: from mail.soorneogi.com ([126.96.36.199]:56533)
by knight.knighthosting.co.uk with esmtp (Exim 4.89)
for firstname.lastname@example.org; Mon, 16 Oct 2017 23:10:23 +0100
Received: from ([188.8.131.52]) by soorneogi.com with MailEnable WebMail; Tue, 17 Oct 2017 00:05:48 +0530
From: “Email Spam Threat Management.” <email@example.com>
Subject: UPGRADE YOUR EMAIL ACCOUNT
Date: Mon, 16 Oct 2017 22:35:46 +0400
X-Mailer: MailEnable WebMail.NET
X-MimeOLE: Produced By MailEnable WebMail.NET V184.108.40.206
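
A triage sketch for the pattern described above (an authoritative display name on an unrelated address, a link to a hosted form builder, and account-closure pressure), written as an added example rather than anything from the original post. The keyword lists, the `own_domains` default and the function names are assumptions; the sample message is constructed from the email quoted above.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: form-builder hosts to watch; only emailmeform.com is from the article.
FORM_HOSTS = {"emailmeform.com"}
# Assumption: display-name words that claim authority over the mailbox.
AUTHORITY = re.compile(r"help ?desk|support|admin|security|threat management", re.I)
# Assumption: pressure phrases, taken from the wording of the quoted message.
PRESSURE = re.compile(r"de-?activation|closing (down|your)|confirm your|lost permanently", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample, abridged from the message quoted in the article.
SAMPLE = """\
From: "Email Spam Threat Management." <email@example.com>
Subject: UPGRADE YOUR EMAIL ACCOUNT
X-Mailer: MailEnable WebMail.NET

Please kindly click on the link http://www.emailmeform.com/builder/form/f0u9cs37GH6Z20/ and
complete the information requested to confirm your Email Account Active.
NOTICE: Failure to confirm your Email Account Active may lead to De-activation
and all your email data will be lost permanently.
"""

def host_in(host, domains):
    """True if host equals, or is a subdomain of, one of the given domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw, own_domains=("example.org",)):
    """Return (display_name, address, [(tag, detail), ...]) for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    part = msg.get_body(("plain", "html"))
    body = part.get_content() if part else ""
    findings = []
    # Many clients show only `name`; compare it with the domain that really sent it.
    if AUTHORITY.search(name) and not host_in(addr.rpartition("@")[2], own_domains):
        findings.append(("display-name", f"'{name}' sent from {addr}"))
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if host_in(host, FORM_HOSTS):
            findings.append(("form-builder-link", host))
    if PRESSURE.search(str(msg.get("Subject", "")) + "\n" + body):
        findings.append(("pressure-language", "account-closure threat"))
    return name, addr, findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Any single finding is weak on its own; the three together on one message match the phish described here and are a reasonable trigger for quarantine or a user-facing banner.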