For more phishing samples, see my phishy email collection.

Fake Amazon documents may be one of the most common phishing attacks. Timing is everything. Maybe you ordered something big from Amazon a couple of days ago and you’re expecting a shipping confirmation. And then this shows up in your inbox.

It’s a pretty good forgery. The embedded link even points to where it claims to point. But the attachment is an Excel macro, not a spreadsheet. And upon further review, why would any shipper send a spreadsheet instead of a PDF? Which would still be suspicious. I’ll give this a B+.

Just because we can, let’s see what the email header looks like below the screenshot.

Relevant Portion of the Email Header and Whois Info

.
.
.
Received: from [149.62.202.230] (149.62.202.230) by
 mail2016.infrasupport.local (10.10.10.14) with Microsoft SMTP Server id
 15.1.1531.3 via Frontend Transport; Wed, 28 Oct 2020 05:34:42 -0500
Received: from [223.27.35.36] (helo=GOCAHEWI.o1.e.notification.intuit.com)
 by with ESMTPA
 id 8NfRH-Pqc05F-gH
 for gregscott@infrasupport.com; Wed, 28 Oct 2020 12:34:41 +0200
.
.
.

So, read from the bottom up: the host at IP Address 223.27.35.36 announced itself (the HELO name) as a notification.intuit.com server, handed the message to a relay at 149.62.202.230, and that relay delivered it to my server. Somebody impersonating Intuit relayed this through Bulgaria on its way to me. Let’s use a whois lookup to find out more.
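Reading the Received chain by hand works for two hops, but it is easy to get the order backwards. The following is an added example, not code from the original post: it parses the header excerpt above (re-indented as RFC 5322 folded headers, elided lines dropped) and lists the hops in delivery order, origin first.

```python
import re
from email.parser import HeaderParser

# Constructed from the header excerpt quoted in the post (continuation
# lines re-indented as RFC 5322 folding whitespace; elided lines dropped).
SAMPLE_HEADERS = """\
Received: from [149.62.202.230] (149.62.202.230) by
 mail2016.infrasupport.local (10.10.10.14) with Microsoft SMTP Server id
 15.1.1531.3 via Frontend Transport; Wed, 28 Oct 2020 05:34:42 -0500
Received: from [223.27.35.36] (helo=GOCAHEWI.o1.e.notification.intuit.com)
 by with ESMTPA
 id 8NfRH-Pqc05F-gH
 for gregscott@infrasupport.com; Wed, 28 Oct 2020 12:34:41 +0200

"""

IP_RE = re.compile(r"\bfrom\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
HELO_RE = re.compile(r"helo=([^\s)]+)")
BY_RE = re.compile(r"\bby\s+(?!with\b)([^\s(;]+)")  # "by with" = relay omitted its name


def parse_received(raw_headers):
    """Return the Received hops in delivery order (origin first).

    Each server prepends its own Received line, so the top-most header is
    the last hop and the bottom-most is the earliest one we can see.
    """
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold and squash whitespace
        ip, helo, by = IP_RE.search(value), HELO_RE.search(value), BY_RE.search(value)
        hops.append({
            "from_ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else None,
            "by": by.group(1) if by else None,
            "date": value.rsplit(";", 1)[-1].strip() if ";" in value else None,
        })
    return hops


def apparent_origin(hops):
    """IP of the earliest visible hop. Only the line written by our own
    server is trustworthy; the sender controls every line beneath it,
    so treat this as a lead for a whois lookup, not proof."""
    return hops[0]["from_ip"] if hops else None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for n, hop in enumerate(hops, 1):
        print(f"hop {n}: from {hop['from_ip']} helo={hop['helo']} by={hop['by']} ({hop['date']})")
    print("apparent origin:", apparent_origin(hops))
```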

A whois lookup shows IP Address 223.27.35.36 is registered in Taiwan, and another whois lookup for IP Address 149.62.202.230 shows it’s registered in Bulgaria. Which means a phisher in Taiwan composed a fake Amazon email and relayed it through Bulgaria to me, in Minnesota, USA. And probably a zillion other people.

This is what we mean when we say the internet is global.