[TriLUG] Semi OT - phishing emails and spoofed domain links

Dewey Hylton via TriLUG trilug at trilug.org
Wed Jul 19 18:12:48 EDT 2017


You really need to look at the source; a hover link can
be spoofed in HTML/JavaScript/CSS/whatever. If you post
the source somewhere (e.g. http://paste.pound-python.org/)
I'm sure a few of us wouldn't mind taking a look at it.


----- On Jul 19, 2017, at 4:37 PM, Triangle Linux Users Group General Discussion trilug at trilug.org wrote:

> Yesterday I received a phishing email, one of a pattern where someone
> is trying to gain credentials and possibly other information by trying
> to get you to click on a link and enter your account information.
> Typically, if you hover over it, the links direct you to a page on
> some hosted system somewhere.  I have been engaging in a practice of
> trying to make it more difficult for these "jokers" by reporting them
> to the hosting provider as a TOS violation.  I have gotten a couple of
> these sites taken down and the users banned.
> 
> It appears that they've gotten a little more creative and are somehow
> spoofing the links.  For example, I got one yesterday that when you
> hover over it shows the link "upgradeaccount.sitey.me", further digging
> shows this resolves to the IP address of 107.178.211.45, which it turns
> out is NOT a server that belongs to sitey.me / sitey.com.  Performing a
> reverse DNS on this shows it potentially belonging to "google domains".
> 
> I have heard about ways of using 'codes' to spoof the addresses that
> are shown in websites and I assume that something similar is going on
> here.  Unfortunately, I seem to have hit a potential dead end in
> looking this one up.  Looking at the email headers shows that it may
> have originated from swosu.edu (SW Oklahoma State Univ) but then it
> stayed in the "outlook.office365" system with valid SPF and everything,
> which could mean that some idiot was dumb enough to actually be phished
> and their account is now originating spam.
> 
> Does anyone have a suggestion on how to get at the real domain that
> they seem to be trying to redirect to so that I could hopefully report
> them and cause them more angst?
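Dewey's advice to check the source rather than trust the hover text can be turned into a simple check. The following Python script is an added example (not code from either poster): it parses the HTML part of a message and flags anchors whose visible text looks like a hostname or URL but whose href points at a different host, which is exactly the "upgradeaccount.sitey.me" situation described above. The sample message body and the .invalid hostname are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text a reader would take for the link target, e.g. "upgradeaccount.sitey.me"
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def host_of(text):
    """Lowercase hostname named by a URL or bare domain, or None if text is not one."""
    text = text.strip()
    if not LOOKS_LIKE_URL.match(text):
        return None
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower() or None

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html):
    """Return [(visible_text, real_href)] for anchors whose text names a different host."""
    parser = AnchorCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.anchors:
        shown, real = host_of(text), (urlparse(href).hostname or "").lower()
        if shown and real and shown != real:
            bad.append((text, href))
    return bad

# Constructed sample message body; the .invalid host stands in for the real phishing page.
SAMPLE = ('<p>Your mailbox is full. Visit <a href="http://login.example.invalid/x">'
          'upgradeaccount.sitey.me</a> now.</p>'
          '<a href="https://www.trilug.org/">https://www.trilug.org/</a>')
```

This only catches a static href/text mismatch; a link rewritten by JavaScript at click time, or hidden with CSS, still needs the source read by hand, as Dewey says.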