A couple of weeks ago, I came across a fascinating blog post about spotting phishing attempts via email: An Annotated Field Guide to Identifying Phish. For me, it’s one of those topics I come back to every now and then, especially when I receive dodgy looking emails with “simple” HTML links that purport to be legit.
I read this particular post just after getting five (yes, five!) variants of the following email:
(USPS Tax Letter is out for delivery from IRS On January 31, 2023, 2:35:55 AM)
Tax Revenue Letter from IRS.GOV
Message received on January 31, 2023, 2:35:49 AM
Message Transcript "Hello I am calling in regards to your Irs Letter delivery....."
And the included HTML file link (called IRS-TAX-LETTER.HTM to reinforce its legitimacy)? Here you go:
    <!DOCTYPE html>
    <html lang="en">
    <head>
      <title>Redirecting ....</title>
      <meta charset="utf-8">
      <meta name="viewport" content="width=device-width, initial-scale=1">
      <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css">
    </head>
    <body>
      <div class="container">
        <script>
          window.location.replace("https://xhnktldlk363c5d9139e8fa.rihann.ru/Mjulianb@devexpress.com");
        </script>
      </div>
    </body>
    </html>
Yep, indeed. If I’d opened that HTML file to see what it showed, I’d have been transported to some GUID-altered URL in Russia. No thanks.
The very next day I got another scam email; this time with the interesting bit being the use of a URL with a non-ASCII character. Ready?
I’m pretty sure that, like me, you’d spotted the “curly” lower-case ƒ – it’s even used in the word “feedback”. Well, it’s also used in the “more info” URL to differentiate it from the real mcafee.com domain. Tsk tsk.
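As an added, defender-side example (not from the original post), here is a short Python script that flags the two tricks described above: an HTML attachment whose visible body is empty and whose only job is a location.replace() redirect, and a URL whose host contains a non-ASCII look-alike character. The sample attachment (with a placeholder host) and the mcaƒee-style domain are constructed for this example, not the actual messages.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed sample in the shape of the IRS-TAX-LETTER.HTM attachment (placeholder host).
SAMPLE_HTM = """<!DOCTYPE html><html><head><title>Redirecting ....</title></head>
<body><div class="container"><script>
window.location.replace("https://c5d9139e8fa.attacker.invalid/victim@example.com");
</script></div></body></html>"""

# Constructed sample URLs: the real domain and a look-alike using U+0192 in place of "f".
SAMPLE_URLS = [
    "https://www.mcafee.com/feedback",
    "https://www.mca\u0192ee.com/more-info",
]

# Matches location.replace("..."), location.assign("...") and location(.href) = "..."
REDIRECT_RE = re.compile(
    r"""(?:window\.)?location(?:\.href)?\s*(?:\.replace\(|\.assign\(|=)\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)

def find_script_redirects(html):
    """Return every URL that an inline <script> block navigates to."""
    targets = []
    for script in re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I):
        targets.extend(REDIRECT_RE.findall(script))
    return targets

def looks_like_attachment_redirect(html):
    """True when the body renders no text at all and exists only to redirect."""
    body = re.search(r"<body[^>]*>(.*?)</body>", html, re.S | re.I)
    markup = body.group(1) if body else html
    visible = re.sub(r"<script.*?</script>|<[^>]+>", "", markup, flags=re.S | re.I).strip()
    return bool(find_script_redirects(html)) and visible == ""

def non_ascii_host_chars(url):
    """List (char, code point, Unicode name) for each non-ASCII character in the host."""
    host = urlsplit(url).hostname or ""
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "?")) for c in host if ord(c) > 127]

def punycode_host(url):
    """The ASCII (xn--) form a resolver actually sees, which exposes the look-alike."""
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii")

if __name__ == "__main__":
    print("redirects:", find_script_redirects(SAMPLE_HTM))
    for u in SAMPLE_URLS:
        print(u, "->", punycode_host(u), non_ascii_host_chars(u))
```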