Mauricio Tavares (Main Phish)

One of the classical types of phish is the one which sends an invoice you are not sure why you received. The idea is to make it vague enough that, even though you are not sure why you received the invoice, it looks familiar enough to entice you to click on its links or attachments to find out more and refresh your memory. And once you do it, you have been phished.

Case in point is the one in today’s entry. It claims to be the “corrected closing statement” for some leasing property, and includes what it claims to be a DocuSign PDF document.

This phishing email has an attachment

These are most effective when targeted at people who deal with documents attached to emails they need to open all the time, so their natural reaction is to automatically click on the document.

How to know it is a phishing email

Well, this phisher was particularly lazy:

  1. The phisher hopes you will not stop and think before clicking, so the first thing to do is, well, stop and think. Be mean to the phisher!
  2. The email in question was sent to a mailing list in the domain kernel.org. I am a subscriber to a few mailing lists there and can tell you all of them are rather hardcore technical, as in look-underneath-the-operating-system technical. Knowing that, it would not make sense to have an email about some real estate property being sent there; this phisher clearly did not do his homework.
  3. I may be wrong, but DocuSign are electronic documents you are supposed to sign, i.e., you click on it and it goes to a page where you read and electronically sign it. I do not remember seeing it as a PDF, so that would make me stop and think. If I am wrong, please let me know!
  4. A lot of the time these so-called PDF attachments are very small. The reason is they are generated by your garden-variety malware generator, which makes it just big enough to carry its evil payload. Better phishers create a proper document and then attach the malware to it, perhaps as a macro. But this phisher was very lazy.
  5. Usually proper business letters, be they legitimate or crafted by phishers who actually care about their work, have a signature. This one just ends with a “Thank You”.

I am sorry, but if the phisher can’t be bothered to put in an effort, I can’t be bothered to even consider clicking on the email’s attachment.
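
Items 2, 4 and 5 from the list above can be scripted as a quick triage pass over a raw message. This is an added example, not code from the original post; the 20 KB size cutoff, the keyword and sign-off lists, and the sample message (including its list address) are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

TECH_LIST_DOMAINS = {"kernel.org"}  # list domain named in the post
SMALL_PDF_BYTES = 20_000            # assumed cutoff; the post only says "very small"
PAPERWORK_WORDS = ("invoice", "closing statement", "docusign", "lease")  # assumed
SIGN_OFFS = ("thank you", "thanks", "regards")                           # assumed

def triage(raw: bytes) -> list[str]:
    """Return which of the post's indicators (items 2, 4, 5) a message trips."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    findings = []

    # Item 2: business paperwork addressed to a hardcore technical mailing list.
    domains = {a.domain.lower() for h in ("To", "Cc")
               for a in getattr(msg[h], "addresses", ())}
    if domains & TECH_LIST_DOMAINS and any(w in text for w in PAPERWORK_WORDS):
        findings.append("off-topic-for-list")

    # Item 4: a PDF attachment too small to be a real document.
    for att in msg.iter_attachments():
        is_pdf = (att.get_filename() or "").lower().endswith(".pdf") \
            or att.get_content_type() == "application/pdf"
        if is_pdf and len(att.get_payload(decode=True) or b"") < SMALL_PDF_BYTES:
            findings.append("tiny-pdf")

    # Item 5: the body ends on a bare sign-off, with no name or contact block.
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if lines and lines[-1].lower().rstrip(".!,") in SIGN_OFFS:
        findings.append("no-signature")
    return findings

def sample() -> bytes:
    """Constructed message shaped like the one described (not the real email)."""
    m = EmailMessage()
    m["From"] = "billing@example.com"
    m["To"] = "some-list@kernel.org"  # hypothetical list address
    m["Subject"] = "Corrected closing statement"
    m.set_content("Please see the attached DocuSign document.\n\nThank You\n")
    m.add_attachment(b"%PDF-1.4\n" + b"0" * 900, maintype="application",
                     subtype="pdf", filename="statement.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(sample()))
```

The findings are prompts to stop and think before opening the attachment, not a verdict on the message.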