Thursday, November 15, 2012

Clever phish, I got away

I saw an email supposedly from LinkedIn today, but it seemed just the tiniest bit odd.  Too odd for me to click through the included link, yet so close to an actual LinkedIn communication.  A very clever forgery.

The first clue was the sender, showing "confirm @ depost.be".  That didn't seem right.  I had to look at where they normally originate, which was "messages-noreply @ linkedin.com".  Then, besides the "click here" baited trap, there was the unusual grammar.

... You have more than one email address, and you need choose one to be your primary email address.

 They left out the "to", for one thing.  The trailer looked different too.  On closer inspection:
The first one is the fake, and just contains my email address.  The second is from LinkedIn, and has my name, most recent title, company, and no obvious email.

Digging into basic debunking tools, I looked at the message headers carefully.  Here are a few fields from the junk mail:

X-Forefront-Antispam-Report: CIP:72.29.86.223;KIP:(null);UIP:(null);IPV:NLI;H:server.sampafotoclube.com.br;RD:server.sampafotoclube.com.br;EFVD:NLI
X-SpamScore: 21
Received: from server.sampafotoclube.com.br (72.29.86.223)
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

And fields from a legitimate email from LinkedIn:

DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
    s=prod; d=linkedin.com;
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_Part_4797115_600833603.1350649326567"
X-LinkedIn-Template: tickle_yphanj
X-LinkedIn-Class: TIK

An email purportedly from an address in Belgium (".be"), transferred through another server in Brazil (".br").  Um, no thanks, not today.

The links in the email didn't go to the right place either.
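The header comparison above (sender domain versus the last Received: hop, presence of a DomainKey/DKIM signature, the spam score) and the link check can be scripted.  The following is an added example, not code from the original post: it parses two constructed sample messages built from the header fields quoted above, with the From:, Subject:, body text and link targets assumed for illustration (the phish link host example.invalid is a placeholder), and reports anything that does not line up with the From: domain.

```python
"""Sanity-check a message's From: domain against its delivery path, its
signature and its links.  Added example; the two samples are constructed
from the header fields quoted in the post, everything else is assumed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

SPAM_THRESHOLD = 10  # assumed cutoff for X-SpamScore; tune for your filter

# Constructed sample: the phish.  Only the Received:, X-Forefront, X-SpamScore
# and Content-* lines are quoted from the post; From:, Subject: and the body
# (including the example.invalid link) are assumed.
PHISH = """\
Received: from server.sampafotoclube.com.br (72.29.86.223)
X-Forefront-Antispam-Report: CIP:72.29.86.223;KIP:(null);UIP:(null);IPV:NLI;H:server.sampafotoclube.com.br;RD:server.sampafotoclube.com.br;EFVD:NLI
X-SpamScore: 21
From: LinkedIn <confirm@depost.be>
Subject: Confirm your primary email address
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body><a href="http://example.invalid/confirm">click here</a></body></html>
"""

# Constructed sample: the legitimate LinkedIn message.  Signature, MIME and
# X-LinkedIn-* headers are quoted from the post; From:, Subject:, the body
# parts and the linkedin.com link are assumed.
LEGIT = """\
DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
    s=prod; d=linkedin.com;
MIME-Version: 1.0
From: LinkedIn <messages-noreply@linkedin.com>
Subject: You have a new message
Content-Type: multipart/alternative;
    boundary="----=_Part_4797115_600833603.1350649326567"
X-LinkedIn-Template: tickle_yphanj
X-LinkedIn-Class: TIK

------=_Part_4797115_600833603.1350649326567
Content-Type: text/plain; charset="us-ascii"

Assumed plain-text body.
------=_Part_4797115_600833603.1350649326567
Content-Type: text/html; charset="us-ascii"

<html><body><a href="https://www.linkedin.com/">LinkedIn</a></body></html>
------=_Part_4797115_600833603.1350649326567--
"""


def domain_of(addr):
    """Lowercased domain part of an RFC 5322 address, or '' if none."""
    _, mailbox = parseaddr(str(addr or ""))
    return mailbox.rpartition("@")[2].lower()


def same_org(host, domain):
    """True when host is domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def last_hop_host(msg):
    """Hostname in the topmost Received: header, i.e. the hop into your MTA."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.match(r"\s*from\s+([\w.-]+)", str(received[0]))
    return m.group(1) if m else None


def signing_domain(msg):
    """d= tag of a DKIM-Signature or (older) DomainKey-Signature header."""
    for name in ("DKIM-Signature", "DomainKey-Signature"):
        for value in msg.get_all(name) or []:
            m = re.search(r"(?:^|;)\s*d=([\w.-]+)", str(value))
            if m:
                return m.group(1).lower()
    return None


def link_hosts(msg):
    """Hostnames of every href found in the message's HTML parts."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()
            for url in re.findall(r'href\s*=\s*["\']([^"\']+)', html, re.I):
                host = urlparse(url).hostname
                if host:
                    hosts.add(host.lower())
    return hosts


def check_message(raw):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    claimed = domain_of(msg["From"])

    hop = last_hop_host(msg)  # .be sender arriving via a .br server
    if hop and not same_org(hop, claimed):
        findings.append(f"last hop {hop} is not under From: domain {claimed}")

    signer = signing_domain(msg)
    if signer is None:
        findings.append("no DKIM-Signature or DomainKey-Signature header")
    elif not same_org(signer, claimed):
        findings.append(f"signed by {signer}, not by From: domain {claimed}")

    for host in sorted(link_hosts(msg)):
        if not same_org(host, claimed):
            findings.append(f"link points at {host}, outside {claimed}")

    score = msg["X-SpamScore"]
    if score is not None and str(score).strip().isdigit() and int(score) >= SPAM_THRESHOLD:
        findings.append(f"X-SpamScore {int(score)} >= {SPAM_THRESHOLD}")

    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, check_message(raw) or "ok")
```

Feed the script a saved `.eml` file and it raises the same four objections the post does for the forgery (wrong delivery path, no signature, off-domain link, high spam score) and nothing for the genuine message.  Note that a missing signature only tells you the sender did not sign; a real check verifies the DKIM signature against the published key, which this example does not do.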

Later, phish.