{"id":268,"date":"2019-05-02T20:18:18","date_gmt":"2019-05-02T19:18:18","guid":{"rendered":"http:\/\/www.jgt.me.uk\/?p=268"},"modified":"2019-05-02T20:18:19","modified_gmt":"2019-05-02T19:18:19","slug":"more-on-spotting-the-spear-phishers","status":"publish","type":"post","link":"https:\/\/www.jgt.me.uk\/?p=268","title":{"rendered":"More on spotting the spear-phishers"},"content":{"rendered":"\n

As many of you are probably aware, there’s lots of people out to try to defraud you on the ‘net. Its not personal, just a way for them to increase the money they get. I received a spam mail today allegedly from 1&1 IONOS:<\/p>\n\n\n\n

\"\"
A spear-phishing attack…<\/figcaption><\/figure>\n\n\n\n

Because Gmail blocked it as spam, I paid it no real attention but I figured I’d take a look as its even got the avatar.co.uk domain there.<\/p>\n\n\n\n

\"\"
oh look, this is definately NOT from 1&1!<\/figcaption><\/figure>\n\n\n\n

So, hovering over the links it pointed to a domain. I checked the domain against whois and surprise! Nothing there.<\/p>\n\n\n\n

In the body of the e-mail I see:<\/p>\n\n\n\n
If the problem does not resolved within 5 days, the domain has to be set on ‘hold’, which means it will not be usable regularly.
Note<\/strong>: If your data is correct, you will not have to do anything. If your contact data needs to be updated, you can change it in the 1&1 Domain Center<\/a>. Please follow the instructions in this 1&1 Help Center article<\/a>.<\/td><\/tr><\/tbody><\/table>\n\n\n\n

This is the classic, “you’ve gotta do something within the time limit, or bad things happen!”. Although in this case, it appears that they’re not too sure what you should do (Both doing nothing AND placing domain on hold within 5 days). Also the grammar of the first paragraph is terrible; the things sent out from a company as big as 1&1 is very unlikely to have these sort of mistakes.<\/p>\n\n\n\n

Next for the fun of it, I went to the domain in the “Check Contract Details” (after removing any tracking junk):<\/p>\n\n\n\n

\"\"
No sir please believe me! I’m a valid domain!<\/figcaption><\/figure>\n\n\n\n

So, if by this point, you continue, you probably deserve any malware that’s on that site. <\/p>\n\n\n\n

Also note that they’ve tried to be clever by using https, but couldn’t get the certificate to verify correctly. This is why you need to use the latest version of a browser – its got mechanisms in place to detect this.<\/p>\n\n\n\n

For me, this was interesting as I’m guessing they were trying to get me to log onto their copy of the 1&1 account page with my details so they could steal my account. From WHOIS they could tell that 1&1 hosted the site and they sent it to an e-mail contact address from the webpage (which is NOT the one used for my 1&1 login).<\/p>\n\n\n\n

Its certainly a better attempt than the ones that show an image email and say “you’ve been hacked pay me bitcoin, please”. <\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

For me, this was interesting as I’m guessing they were trying to get me to log onto their copy of the 1&1 account page with my details so they could steal my account. From WHOIS they could tell that 1&1 hosted the site and they sent it to an e-mail contact address from the webpage Continue reading More on spotting the spear-phishers<\/span>→<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[5,1],"tags":[37],"class_list":["post-268","post","type-post","status-publish","format-standard","hentry","category-nothing-in-particular","category-uncategorized","tag-phishing"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.jgt.me.uk\/index.php?rest_route=\/wp\/v2\/posts\/268","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jgt.me.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jgt.me.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jgt.me.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jgt.me.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=268"}],"version-history":[{"count":4,"href":"https:\/\/www.jgt.me.uk\/index.php?rest_route=\/wp\/v2\/posts\/268\/revisions"}],"predecessor-version":[{"id":275,"href":"https:\/\/www.jgt.me.uk\/index.php?rest_route=\/wp\/v2\/posts\/268\/revisions\/275"}],"wp:attachment":[{"href":"https:\/\/www.jgt.me.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=268"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jgt.me.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=268"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jgt.me.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}