Recently I got the following email from alertsATmy_domain.
Dear user of the cookandkaye.co.uk mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (my_email_address) settings were changed. In order to apply the new set of settings click on the following link:
Best regards, cookandkaye.co.uk Technical Support.
I knew that this email could not be genuine, but it was very believable.
This phishing attack relies on a number of assumptions that people make about email messages and URLs, assumptions that you must challenge to stop other people assuming your online identity. These are:
- That the From email address is genuine. In fact it is very easy to set the ‘from’ email address in a message, so email messages are in practice anonymous (you cannot be sure where any message comes from).
- That a link goes where it says it does. The only way you can check this is by looking at the raw code of the message (or web page). On doing this it was apparent that the link was not quite what it appeared: the correct domain was there, but configured as a sub-domain of a site somewhere in the co.kr TLD, where ‘technical support’ would presumably have taken my email access details.
Configuring the link in this way makes it quite difficult to check by eye in the raw form, and I guess most people don’t do that! We’re not a big (or particularly prestigious) company, so I don’t think we are high on anyone’s hit list; if we are getting these phishing attacks, the implication is that it is rife…
We hope you don’t get caught out – if you do, you should speak to your technical support as soon as you can, perhaps in person…