How phishing e-mail works

Automatic Washer - The world's coolest Washing Machines, Dryers and Dishwashers


DADoES

 
This post probably should be in ATTT section but I wanted more people to have access to see it.

This is how phishing/malware e-mails work:

I received a message this morning from J.J. Douglas Services, claiming that payment on an invoice is due.
1)  I don't know J.J. Douglas Services.
2)  Checking the source code of the e-mail, it came from an IP registered to Bright Light Radiology in Elk Grove, IL via Comcast Business Services (ARIN.net has a WhoIs search for IPs).
3)  Google search finds that J.J. Douglas Services apparently is a legitimate HVAC service in Deland, FL.
4)  Google search also finds a BBB report that the name "J.J. Douglas Services" is being used in phishing e-mails.
5)  A link in the message to view the invoice is coded for 6pm[dot]com[dot]pk with a php function ... which .pk domain name extension is Pakistan.

So, a message claiming to be from J.J. Douglas Services of Deland, FL, routed from Bright Light Radiology in Elk Grove, IL, with a link to view an invoice that goes to a server in Pakistan = NO.  I sent the e-mail to Comcast's abuse contact for investigation.
 
That happened to me a couple weeks back regarding my PayPal account. I knew it looked suspicious and sent the email to them to take care of. They notified me that the email in question was in fact a phishing scam.
 
Whenever I receive an email from a company that I do business with requesting info of any kind, I never click on the link. I delete the email and then go directly to the company website and take care of anything that needs my attention. If the email address contains anything that appears suspicious I send it directly to the company's spam site for them to deal with it. The info that Glenn provided is very helpful and we all need to be very aware of the emails we open. If it looks suspicious (i.e. no subject line entry) to me I delete it immediately, and don't open it at all. Also, be careful about clicking on any junk email link to take your email address off of their email list. I've read that this is another way that dishonest individuals get your info.
Eddie
 
Nice investigation Glenn! I seldom take the time to look it up, usually delete and carry on.

Bottom line is if you ever get an unknown email, asking you to click a link or open an attachment don't do it. Especially if the email looks fishy (Phishy??).

Many times it looks legit, a message from UPS etc. Look at the email address it was sent from, that usually is a clue. Also if you ever get an email from a provider of yours saying a password should be changed DON'T click the link. Go to that service and log in as usual, odds are they aren't prompting for a new password...

Final suggestion is to enable two-step authentication wherever you can. When I log into gmail I get a code texted to my phone needed to log in. Nearly impossible for your email to get compromised using the 2nd step.
 
Paypal

@ vintage...

I have been going through an ongoing thing with PayPal too.

I just received another. It looks like legit PayPal, same Logo but the PP rep told me they never address their customers as "Dear Customer", or "Dear Member", or any other greeting other than "Dear"...member's full name.

If any of you are receiving e-mails from PayPal unless you know or are expecting emails from them...please forward the email to [email protected].

They always want to know about them as there have been endless scams lately.

I rarely if ever use PP anymore but just wanted to pass this info along to all.
 
 
A phishing or malware e-mail may not be apparent from the sender address at first look.  This one displayed as from J.J Douglas Services [email protected].

The invoice link displays as JJ Invoice #8587028.  The .pk angle isn't apparent unless 1) one looks at the status bar on it in the mail program when hovering the mouse over it (and not all email programs show this info) or 2) after clicking the link to open it in a browser or 3) by copying/pasting it into a browser or 4) examining the source code of the email.
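
The checks described in this thread (sender display name versus actual address, originating IP in the message source, and a link's visible text versus its real target) can be pulled out of a saved message with a short script. This is an added example, not part of the original posts; the sample message, the addresses, the IP and the host names in it are constructed placeholders, and `triage` and `LinkCollector` are hypothetical names.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: every address, IP and host is a placeholder.
SAMPLE = """\
Received: from mail.sender.example ([192.0.2.44]) by mx.recipient.example; Mon, 1 Jan 2024 09:00:00 -0600
From: "J.J Douglas Services" <billing@unrelated.example>
Subject: Invoice due
Content-Type: text/html; charset="utf-8"

<html><body><p>Payment is due.
<a href="http://files.elsewhere.example/view.php?id=1">JJ Invoice #8587028</a></p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def triage(raw):
    """Return the fields a reader would otherwise dig out of the message source."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    # Each relay prepends its own Received header, so the last one listed is the
    # earliest hop. Hops recorded before your own provider's can be forged.
    received = msg.get_all("Received") or []
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else []
    parser = LinkCollector()
    parser.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    links = [{"text": t, "host": urlparse(h).hostname} for t, h in parser.links]
    return {"display_name": display, "sender_domain": addr.rpartition("@")[2],
            "origin_ips": ips, "links": links}
```

The IP in `origin_ips` is what would go into a WhoIs lookup, and a `host` that matches neither the visible link text nor `sender_domain` is the mismatch described in the post above.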
 
Thanks Glenn for the heads up!  I usually delete and open the site (if I do business with them), from my favorites bar.  I am not freaked out but being vigilant is good and can save you a world of grief.  A
 
I've been getting the "your PayPal account will be limited, click link to reply" off and on. I just go to my PayPal account as if they have sent me anything it will be in my mail folder. Nothing is ever there so it's a scam. They aren't going to be limiting an account unless something is really up as how do they make their money. If you can't spend it they don't make anything.
I get all kinds of junk, plus outright scams but my ISP filters out most of them and sends me an update every day or so so I can double check for false positives.
I still get the occasional Nigerian prince type scam too.
 
