Kids, today I will tell you the story of a legitimate message that wanted to be spam.
Once upon a time, a legitimate Dell email was being sent to customers. For years he was treated as boring and legit. But one day he decided he wanted to be someone: he wanted to look like SPAM, or no, even better, a PHISH!
After checking out a few phishing emails he had received in the past, he spotted everything he needed to look like a phish. Here's what he found.
First, the mail should come from a separate, unknown mail server unrelated to him (note the "unverified" relay and the two hops through non-Dell hosts). The result:
Received: from smtp.prismnet.com (unverified [209.198.128.91]) by xxxxxxx.xxxxx.xxx (xxxxxxx xxxxxx) with [!]07 -0400
Received: from [209.198.171.66] (server4.shoehorndesign.com [209.198.171.66]) (authenticated bits=0) by smtp.prismnet.com (8.14.4/8.14.4) with [!] 1.0
From: <xxxxxxxxxxxx@dell.com>
Second, he had to make sure that the mail server he used was NOT published in Dell's SPF record (the record ends in ~all, so a sender outside these ranges yields an SPF softfail rather than a hard fail):
"v=spf1 ip4:143.166.85.192/26 ip4:143.166.148.192/26 ip4:211.130.110.88 ip4:143.166.82.0/24 ip4:143.166.224.0/24 ip4:202.188.162.48/26 ip4:74.52.181.211 ip4:74.52.181.149 ~all"
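To see what a receiving mail server would conclude from the two facts above (connecting IP 209.198.128.91, SPF record ending in ~all), here is a small, offline SPF evaluator. It is an added example, not code from the post or from Dell: it handles only the ip4/ip6/all mechanisms that appear in the quoted record, reports anything needing DNS (include, a, mx, redirect) as unsupported, and assumes the envelope sender domain is dell.com (SPF is evaluated against the MAIL FROM / HELO domain, which the post does not show). The Received line is reconstructed from the post with the receiving host anonymized.

```python
import ipaddress
import re

# SPF record quoted in the post, copied verbatim.
DELL_SPF = ("v=spf1 ip4:143.166.85.192/26 ip4:143.166.148.192/26 ip4:211.130.110.88 "
            "ip4:143.166.82.0/24 ip4:143.166.224.0/24 ip4:202.188.162.48/26 "
            "ip4:74.52.181.211 ip4:74.52.181.149 ~all")

# Constructed from the first Received header in the post; receiver name is made up.
RECEIVED = "Received: from smtp.prismnet.com (unverified [209.198.128.91]) by mx.example.net"

# SPF qualifier prefixes and the result they produce when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def connecting_ip(received_header):
    """Return the first bracketed IPv4 literal in a Received header.
    The receiver records the IP that actually connected to it; that, not the
    header From or earlier hops, is what SPF is checked against."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received_header)
    return m.group(1) if m else None


def evaluate_spf(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record against client_ip.
    Simplified evaluator (assumption of this example): mechanisms that require
    DNS lookups are not resolved and are returned as 'unsupported:<name>'."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"                    # RFC 7208 default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # 'all' always matches
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)   # bare IP -> /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "unsupported:" + name
    return "neutral"                       # no mechanism matched and no 'all'


if __name__ == "__main__":
    ip = connecting_ip(RECEIVED)
    print(f"{ip}: {evaluate_spf(DELL_SPF, ip)}")   # the post's relay is outside every ip4 range
```

The relay in the post is in none of the eight ip4 ranges, so the walk reaches ~all and the result is softfail. With a DMARC policy of p=reject this message would be discarded or quarantined; with ~all and no DMARC policy most receivers merely add a few spam-score points, which is why the message still arrived.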
Next, he decided to put "You are invited by Dell!" in the subject so the recipient would think he's a pure inbound advertisement, not a reply or an important email. "Hmm, that's not phishy enough," he said. "Oh, let's add a random fake message ID number! (951)." The result:
Subject: You are invited by Dell! (951)
Cranked with adrenaline because his metamorphosis was going so well, he then attacked the body of the message.
"I'll put the full name in UPPERCASE and add classic stuff like 'You have been selected', a 'Click Here' link with a hidden URL (which doesn't point to dell.com, of course), and a PIN in big bold text to make the reader feel important and that this offer is reserved especially for him."
"OH OHHHHH," he cried, as he thought of the greatest idea ever. "Let's do the rest of the text in an IMAGE so they will think I want to trick the spam scanners! And OHHH, let's host the image on a THIRD website!!" Sweating from headers to final dot, he quickly pasted the text into Photoshop and uploaded the final part onto a third website.
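The body-level tells described in the last two paragraphs (a "Click Here" link whose target is not under the sender's domain, visible URL text that disagrees with the real href, and an image pulled from a third host) can be checked mechanically. The following is an added example, not code from the post: it parses the HTML part of a message with the standard library and reports each link or image whose host is not under the claimed sender domain. The sample message is constructed for this example with RFC 2606 example domains standing in for the real third-party hosts, which the post does not name; "dell.com" is the sender domain taken from the post's From header.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body mimicking the post's description; hosts are placeholders.
SAMPLE_HTML = """
<html><body>
<p>JOHN DOE, you have been selected!</p>
<p><a href="http://tracking.example.net/r?id=951">Click Here</a> to claim your invitation.</p>
<p>Your PIN: <b>4471</b></p>
<p><a href="https://www.dell.com/">www.dell.com</a></p>
<p><a href="http://tracking.example.net/x">https://www.dell.com/offer</a></p>
<img src="http://cdn.example.org/invite.png" alt="">
</body></html>
"""

URL_TEXT = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> and src for every <img>."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)        # text nested inside the anchor, tags included

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.example.com' text is treated as http://."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_org(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def phish_indicators(html, sender_domain):
    """Return a list of (kind, detail, host) tuples for suspicious links/images."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        target = host_of(href)
        if not target:                     # mailto:, anchors, relative links: skip
            continue
        # Visible text that is itself a URL but points somewhere else.
        if URL_TEXT.match(text) and host_of(text) != target:
            findings.append(("url-mismatch", text, target))
        elif not same_org(target, sender_domain):
            findings.append(("off-domain-link", text, target))
    for src in p.images:
        target = host_of(src)
        if target and not same_org(target, sender_domain):
            findings.append(("off-domain-image", src, target))
    return findings


if __name__ == "__main__":
    for kind, detail, host in phish_indicators(SAMPLE_HTML, "dell.com"):
        print(f"{kind}: {detail!r} -> {host}")
```

Off-domain links are not proof of phishing (legitimate mailers use tracking redirectors all the time, which is precisely the post's point), but a display-text/href mismatch is the one indicator here that a legitimate sender has no reason to produce, so it deserves a much higher score than the other two.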
Finally, his hard work paid off:
And this is how a legitimate email turns into a phish. Yes, this is an actual email, and all the URLs are legit.
By the way, I also did a subscribe/unsubscribe test. When you want to unsubscribe, you get a notice that it can take up to 10 business days to process the request. I can do banking in real time on my phone, access a live traffic cam, get live transit alerts, but a simple unsubscribe seems to be a very delicate procedure. It took 9 business days to stop my French subscription; my English subscription stop is still coming in after more than 15 business days.