The bad people trying to make the world worse never take a day off, so why should I? – Bob Marley.
Email Phishing Scam Alert
Scammers never stop. Constantly tweaking, wheedling, and trying to entice you to click their links. Whilst you don’t have to work all day against the scammers, you should always be vigilant, looking out for odd or suspicious email content.
Here is another variant on the theme that has been cropping up recently.
It might look legitimate at first glance, for instance, they’ve even stolen our logo image from our website.
In the second column ‘Recipient’, they have thoughtfully added a genuine “mail-to” link. When clicked it will open a new email in your application, addressed to you (or in this case me).
EVERY OTHER LINK IN THE EMAIL WILL INFECT YOUR MACHINE.
The easiest way to check if an email is genuine is to look at the email headers. Below are the headers from this email:
To: Stewart Anderson firstname.lastname@example.org>
X-Get-Message-Sender-Via: ns1.omnis.com: authenticated_id: email@example.com
X-Spam-Status: No, score=2.6 required=6.5 tests=BAYES_50,HTML_MESSAGE, MIME_8BIT_HEADER,MIME_HTML_ONLY,RDNS_NONE,TO_NO_BRKTS_NORDNS, TO_NO_BRKTS_NORDNS_HTML shortcircuit=no autolearn=no version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on sandman.opqnet.net
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname – ns1.omnis.com
X-Antiabuse: Original Domain – opq.co.bw
X-Antiabuse: Originator/Caller UID/GID – [47 12] / [47 12]
X-Antiabuse: Sender Address Domain – opq.co.bw
X-Authenticated-Sender: ns1.omnis.com: firstname.lastname@example.org
X-Spam-Pyzor: Reported 0 times.
Received: (qmail 14186 invoked from network); 12 Aug 2021 11:13:47 +0200
Received: from mx2.opqnet.net (184.108.40.206) by mail.opqnet.net with AES256-GCM-SHA384 encrypted SMTP; 12 Aug 2021 11:13:47 +0200
Received: (qmail 20819 invoked from network); 12 Aug 2021 11:13:47 +0200
Received: by simscan 1.4.0 ppid: 20800, pid: 20813, t: 1.1411s scanners: attach: 1.4.0 clamav: m:59/d:26231 spam: 3.3.1
Received: from unknown (HELO ns1.omnis.com) (220.127.116.11) by mx2.opqnet.net with AES256-GCM-SHA384 encrypted SMTP; 12 Aug 2021 11:13:46 +0200
Received: from [18.104.22.168] (port=50495 helo=ip-22.214.171.124.servernap.net) by ns1.omnis.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from id 1mE6mQ-000F8U-1s for email@example.com; Thu, 12 Aug 2021 05:13:37 -0400
Received-Spf: softfail (mx2.opqnet.net: transitioning SPF record at opq.co.bw does not designate 126.96.36.199 as permitted sender)
The first thing to notice is who the real sender is, line 5 – X-Get-Message-Sender-Via: ns1.omnis.com: authenticated_id: firstname.lastname@example.org. UH OH! This is supposed to be from opq.co.bw – warning!
That is as far as you need to go before adding the email to your Junk folder – or simply deleting it.
By the way, I have deliberately left the ‘mailto’ link for quarantine@opq..co.bw in the headers above because the address doesn’t actually exist. Good luck scraping and using that address scammers!
For the more technically curious there are more signs that the sender is not in fact who they say they are. The last line shows an SPF fail – omnis.com pretending to be opq.co.bw.
If you would like to discuss this article further or submit an email for analysis, please chat with an agent or contact us.
As always be vigilant, keep well, and stay safe.