…I’ve been seeing quite a few scrawny, toothless piranha mailed from email addresses that are often spoofed but invariably dubious like google.phishing.team@a_latvian_mail_provider.com…
Well, yes, that title is from a song by John D. Loudermilk, written with some (possibly accidental) prescience way back in 1962. Given the aggravation that 21st century phishing causes Google users, perhaps it’s time for a new song dedicated to that particular pastime. In the meantime, I thought I’d mention a shoal of the wretched things that keep turning up in my own keepnets. Er, mailboxes.
I’ve been seeing quite a few scrawny, toothless piranha phish mailed from email addresses that are often spoofed but invariably dubious like google.phishing.team@a_latvian_mail_provider.com and sent to what looks vaguely like an official account like firstname.lastname@example.org, and blind-copied to a whole load of gmail.com users. These tend to ask a single clueful question like “When was the last time you login into your account” or “Is your account used for dating sites?” rather than “What is your password?” Hopefully, there aren’t a lot of gmail.com users naive enough to answer that last question, but I have a feeling that if you start answering those other questions, you’d soon be swimming down channels where the water isn’t too healthy.
However, this one is a slightly different kettle of phish.
This one also seems to originate in Latvia, and also uses addresses the mail to what looks like a reassuring Google sysadmin address, perhaps in the hope that you’ll think it originates from such an address. However, the social engineering is a bit more conventional.
Like many phishing emails, it tries to scare you into responding by telling you that if you don’t reply in 24 hours, you’ll lose access to your account. In this case, permanently. Wow: that’s harsh. However, if you happen to be in the jungle 2,000 miles from the nearest phishing village–sorry, fishing village–and don’t spot it in your mailbox until next November, I guess you can assume you’ve dodged the bullet.
The list of account details it asks for to “confirm if this account is upto [sic] date” is, you might think, a little greedy, and a bit of a giveaway. After all, it’s unlikely that you’ve changed your full name and date of birth since you registered an account. But of course, what the phisher is after is enough information to do a little creative identity theft, not just your password.
And what is “New Google Mail-SeCure”, I wonder? Has Google gone in for one of those fake AV programs we keep telling you about? Probably not… And what about “This message is NEVER sent without Google email autheticator [sic]”? All very reassuring in tone and utterly meaningless in content.
Actually, unless you’re a sad individual like me who actually trawls through his spam folders from time to time to see what’s new in spams and scams, you may never see this particular mail, since Google’s spam filtering is very efficient.
However, if you’re in the habit of checking mail on your smartphone, you may still see stuff like this, even in Gmail: I first noticed this one on my Blackberry, but by the time I checked that account on my laptop this morning, the filtering had kicked in and I had to retrieve it from my junkbox in order to get a screenshot. Nevertheless, it’s a classic scam of a type that’s well worth knowing about, and you’re likely to come across very similar mails on platforms that aren’t so well scamproofed.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow