Anatomy of a phishing message

Nowadays bad guys have improved their tactics and methodologies to extract information from people. The most used methodology is called phishing. Today we will dissect a phishing message we got.

Since we use Zimbra as our corporate email, attackers send custom messages that include “Zimbra” all over the place. But there are many other things that indicate it is a phising message.

(Be aware that this is the message source, it may be display differently on your screen)

Date: Wed, 4 Jun 2014 14:06:47 +0700 (WIT)
From: Zimbra Webmail <hrdriau@ptudm.com>
Reply-To: dont-reply@zimbra.com
Message-ID: <15707389.1448151401865607422.JavaMail.root@mail>
Subject: ZIMBRA FINAL OFFICIAL UPDATE!!!
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Mailer: Zimbra 5.0.20_GA_3127.UBUNTU8
          (zclient/5.0.20_GA_3127.UBUNTU8)
To: undisclosed-recipients:;

Zimbra Email Users,

It is of uttermost disrespect and considered negligence to your 
non-compliance on the warning note issued to you informing you of 
our SSL servers indicating that your account has not been updated 
as a part of our regular account maintenance. Sequel to this 
adamant gesture, your account shall be blocked within 24hours 
failure to update your account as instructed.

The SSL servers email checker still indicate that your account 
has not been verified, so you are advised to proceed on the 
account verification procedures by clicking on the link below to 
update your account as soon as you receive this final warning mail.
Please click on the link below to update your email account.

http://zimbrupdates.tk/

Note that Failure to update your account information genuinely 
may result in account termination within the 24hours.

Thank you very much for your cooperation!

Sincerely,
Zimbra Mail Account Team

The From: address: The message comes from an external email address, maybe some other poor soul that gave their password out and now the Spammers are using it to spread the attack. Do not bother to reply wishing Merry Christmas or happy new year beacause the original holder of that email address may have no idea that his/her account is sending those emails.

Reply-To: Yes, sure, as they want you to reply to their email saying you are wrong and so on. this prevents the original sender to know they are using their account to send nasty emails.

Subject: field: They put everything in capital and with emphasis at the end so it looks more commanding and official.

The To: field: “Undisclosed-recipients” means that they do not want you to see who else got this message, they used the BCC field to conceal the recipients.

The message body: Read it carefully and it sound wrong, aggressive and they are trying to make you feel bad and fear for your job. They add a bunch of geek terminology to make you feel stupid and realize that you have no idea what they are talking about and just say YES. It sounds as they are threatening you. We are mean but we won’t do that, we will just close your email account, no threats.

The link: The provided “update” link points to a domain that does not belong to us. Moreover the .tk domain is a free one anybody can get. That makes it even more suspicious.

The last two paragraphs: A threat and a thanks do not mix! First they say: Do not give us wrong information because you will pay for it and later they say: “Thanks for your cooperation”. Really?

The Signature: Last but not least, you know who runs your IT shop. They do not sign messages as “Anonymous” or “The Team”. They take it more personal. Also emails are not good if you have an email problem, they will call you or know at your door.

So if after all this pretty obvious indicators you still bite the bait, I am sorry to tell you we have no fix for you. Call us immediately and we will send somebody to get you.

This entry was posted in Uncategorized. Bookmark the permalink.