

Phishing e-mail to custom e-mail addresses

Published: 2011-08-31
Last Updated: 2011-08-31 15:20:46 UTC
by Johannes Ullrich (Version: 1)
11 comment(s)

Geoff wrote in with an interesting phishing sample. The interesting part is less the content of the phish than the e-mail address it was sent to. The content is a standard "ACH Payment Canceled" phish. There are probably a dozen or so that my spam filter dutifully removes each day.

The interesting part: the particular e-mail was sent to an address Geoff only uses for one particular credit rating agency. The "user" part of the e-mail address is the credit rating agency's name.

I assume others here are doing similar tricks to cut down on spam, or at least to track where spam is coming from. Many times I see addresses like "user+sans@example.com" in our database. However, in Geoff's case, this would be "sans@example.com", and it is possible that spammers do use company names like that as part of their username dictionary.

Has anybody else seen companyname@example.com addresses used as "To:" addresses in spam, in particular when the company name is a financial institution?
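One way to check a spam folder for the pattern discussed above, as an added example that is not part of the original diary: it separates hits on aliases that were really handed out from hits on company-name addresses that were never issued, since the latter can only come from guessing. The domain, the alias inventory, the brand list and the sample messages are all constructed assumptions.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

DOMAIN = "example.com"
# Assumed inventory of aliases actually handed out (constructed).
ISSUED = {"acmecredit": "Acme Credit Bureau", "bookshop": "Example Bookshop"}
# Assumed brand names a spammer's username dictionary might contain (constructed).
BRANDS = {"acmecredit", "bigbank", "cardco"}

def classify(addr):
    """Label one recipient address by how a sender could have learned it."""
    local, _, dom = addr.lower().rpartition("@")
    if dom != DOMAIN:
        return "other-domain"
    _, plus, tag = local.partition("+")
    if plus:  # user+tag@ form: a bare company-name dictionary does not produce it
        return "issued-plus-tag" if tag in ISSUED else "unknown"
    if local in ISSUED:
        return "issued-alias"
    if local in BRANDS:
        return "never-issued-brand"
    return "unknown"

def triage(raw_messages):
    """Count labels over all To: headers, then give a cautious verdict."""
    counts = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        for _, addr in getaddresses(msg.get_all("To", [])):
            counts[classify(addr)] += 1
    if counts["never-issued-brand"]:
        verdict = "dictionary guessing seen; issued-alias hits are ambiguous"
    elif counts["issued-alias"] or counts["issued-plus-tag"]:
        verdict = "only issued addresses hit; consistent with a leak"
    else:
        verdict = "no per-vendor addresses involved"
    return counts, verdict

# Constructed sample spam (headers only).
SAMPLES = [
    "To: acmecredit@example.com\nSubject: ACH Payment Canceled\n\nbody",
    "To: bigbank@example.com\nSubject: ACH Payment Canceled\n\nbody",
    "To: User <user+bookshop@example.com>\nSubject: offer\n\nbody",
]

if __name__ == "__main__":
    counts, verdict = triage(SAMPLES)
    print(dict(counts), "->", verdict)
```

A catch-all mailbox, or a mail log of rejected recipients, is what makes the "never-issued-brand" bucket observable; without it only the issued aliases ever show up.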

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: phishing spam