You may be sitting at work early in the morning, enjoying your coffee and the peace and quiet that comes along with being the first one in the office. Like most, the first thing you do is check some emails (not all of it, just some, because there’s a lot of email!). You’ve become pretty good at spotting phishing emails, even earned a few t-shirts and beer koozies along the way from the corporate security awareness training program. One of the first emails you spot is claiming to be from American Express, a company you hold a credit card with. The subject reads “Irregular Activity” and for a brief moment you panic and think someone has stolen your credit card. At first glance the email was somewhat believable as you have a couple of corporate Amex cards, you’ve had fraudulent charges in the past, and the cards are stored in several online accounts for automatic payment (leaving you vulnerable to fraud and irregular activity). Then, a voice speaks in a giant echoing tone: “Remember your training”. You snap out of panic mode, remembering your preparation, and begin to investigate the following email: [Image: blog1.png]
As you sip your coffee and inspect the details of the email, you notice a few things that are suspicious:
The sender “American Express <[email protected]>” is strange, as the domain does not contain a reference to American Express in any way.
The email’s grammar is a hot mess.
The sender is asking you to download an HTML file to reach the page that will activate your account (even though Sir Tim Berners-Lee invented the World Wide Web in 1989).
Based on these facts, you decide to warn your local security team of a potential phishing/scam email.
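Turning the indicators above into a repeatable check, as an added example (not code from the original post): a small Python triage routine that parses a raw message, compares the brand named in the From display name against an assumed list of legitimate sender domains, and flags HTML attachments. The sample message, its sender domain and the americanexpress.com mapping are constructed assumptions for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message modelled on the indicators described above:
# brand display name, unrelated sender domain, HTML attachment. The sender
# domain is a placeholder, not the one seen in the original email.
SAMPLE_EML = b"""\
From: American Express <alerts@example-unrelated-domain.test>
To: you@corp.example
Subject: Irregular Activity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open attach file to activate your account.

--b1
Content-Type: text/html; name="Activate.html"
Content-Disposition: attachment; filename="Activate.html"

<html><body>placeholder</body></html>
--b1--
"""

# Assumed mapping: brands we only expect to mail from their own domains.
BRAND_DOMAINS = {"american express": {"americanexpress.com"}}


def triage(raw: bytes) -> list:
    """Return a list of phishing indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Indicator 1: display name claims a brand the sender domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        legit = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in name.lower() and not legit:
            findings.append(f"display name claims '{brand}' but sender domain is '{domain}'")
    # Indicator 2: an HTML file delivered as an attachment (by type or extension).
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or fname.endswith((".htm", ".html")):
            findings.append(f"HTML attachment '{part.get_filename()}'")
    return findings
```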
Basic Forensics
“Whew, thank goodness for end user awareness training” I thought to myself sarcastically when I received this email. The sarcasm originates from years of experience, knowing that for every 10 users that report a phishing scam, there may be at least one that falls for it and causes a security incident, likely on a Friday in the late afternoon. In any case, I decided to look into this email as I am a security nerd and intrigued by the HTML attachment, as it is an indication that this phishing scam may not be all that sophisticated.