It Seems That An Email Credential Phishing #Scam Is Targeting Me Again…. And It’s Far More Dangerous This Time Around

Not too long ago, I was the target of an email credential scam, which was hilarious to me as I control my own email server and the scam was purporting to come from the email administrator. Well, it seems that it has happened again, and I'd like to take you down the rabbit hole of this scam, starting with the email that appeared in my inbox.

There's a fair amount to unpack here. Let's start with the fact that the email claims that the server will forcibly log you out of your email and generate a new password in 24 hours, but that you have the option to keep your existing password. I'm here to tell you that no email server on this planet would do that. In fact, they do one of two things:

  • You set a password when you set up your account and you keep it forever. Not very secure, I admit, but it's a common practice.
  • You set a password when you set up your account and you are forced to change it on a set interval. That’s way more secure.

Being able to keep your current password while the server auto-generates a new one for you isn't a thing. So right off the top, this alone should make you delete this email, or one like it, if it hits your inbox. But let's keep going down the rabbit hole.

While I have redacted the domain name of my personal email server, I can say that the sender's email address isn't associated with it. That is another reason why this message should be deleted the second you get it.

To create a sense of urgency, you've got 24 hours to click on "Keep Current Password". So, for giggles, let's do that. Which, by the way, you should never, ever do.

There's a lot to unpack here, as there's a level of sophistication that I am not used to seeing in these scams. First of all, the scammers have created a fake Plesk control panel to fool you into thinking that this is legitimate. And the thing is that many hosting companies use Plesk for this sort of thing, so I can see how this would fool someone. Here's how they did it: the email that I got had my personal email address embedded in the "Keep Current Password" button, so that when it hits this page, the page fills in all the required details to make the website look convincing. Those are the details that I have redacted to protect my privacy, such as my domain name and email address.

It also brings up a troubling thought, which is that this is a lot of effort to try and get me to fall for this scam. Have I been targeted in some way, or have I simply been caught up in a larger scam? I can't say either way.

Another thing that gets my attention is the fact that this page is Google translated. That implies non-English speakers are behind this scam, which is confirmed when I take a second look at the "Keep Current Password" button via Safari's ability to do link previews:

The site that is being Google translated is a .ru site, which implies that the scammers are Russian. That's bad news.
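The two tells above, a sender domain that isn't the victim's own mail domain and a "Keep Current Password" link that is wrapped in Google Translate and carries the victim's address so the fake Plesk page can pre-fill it, can be checked mechanically before anyone is tempted to click. The script below is an added example and is not code from the post or from Plesk. The raw message, the sender address, the victim domain `example.net` and the destination host `plesk-login.example.ru` are constructed stand-ins (the real ones were redacted); the two Google Translate URL shapes it unwraps, `translate.google.com/translate?u=...` and the `*.translate.goog` proxy, are the service's public formats, but the post does not show which one the scammers used, so handling both is an assumption.

```python
"""Triage a credential-phishing email: who sent it, where its links really
go once a Google Translate wrapper is removed, and whether a link carries
the victim's own address for pre-filling a fake login page.

Added example, not the post's own code. Everything in RAW_MESSAGE is
constructed; the translate.google.com and *.translate.goog URL shapes are
assumed to be the ones the scammers used.
"""
import email
import html
import re
from email import policy
from urllib.parse import parse_qs, urlparse

OUR_DOMAIN = "example.net"              # assumed victim mail domain (real one redacted)
TRANSLATE_HOST = "translate.google.com"
PROXY_SUFFIX = ".translate.goog"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample message modelled on the one described in the post.
RAW_MESSAGE = """\
From: Mail Administrator <admin@mail-support-center.example.com>
To: victim@example.net
Subject: Your password expires in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your server will generate a new password in 24 hours.</p>
<a href="https://translate.google.com/translate?sl=ru&amp;tl=en&amp;u=https%3A%2F%2Fplesk-login.example.ru%2Flogin%3Femail%3Dvictim%40example.net">Keep Current Password</a>
</body></html>
"""


def unwrap_translate(url):
    """Return the real destination behind a Google Translate wrapper, else the URL itself."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host == TRANSLATE_HOST and p.path == "/translate":
        # Classic form: the target sits URL-encoded in the 'u' parameter.
        return parse_qs(p.query).get("u", [url])[0]
    if host.endswith(PROXY_SUFFIX):
        # Proxy form: dots in the real host become '-', literal hyphens become '--'.
        label = host[: -len(PROXY_SUFFIX)]
        real_host = re.sub(r"(?<!-)-(?!-)", ".", label).replace("--", "-")
        kept = [kv for kv in p.query.split("&") if kv and not kv.startswith("_x_tr_")]
        return p._replace(netloc=real_host, query="&".join(kept)).geturl()
    return url


def embedded_emails(url):
    """Query-string values that look like an email address (the pre-fill trick)."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        found.extend(v for v in values if EMAIL_RE.match(v))
    return found


def triage(raw, our_domain=OUR_DOMAIN):
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    links = []
    for href in re.findall(r'href\s*=\s*["\']([^"\']+)["\']', text, re.I):
        wrapped = html.unescape(href)
        real = unwrap_translate(wrapped)
        host = (urlparse(real).hostname or "").lower()
        links.append({
            "wrapped": wrapped,
            "real": real,
            "host": host,
            "translated": real != wrapped,
            "off_domain": not (host == our_domain or host.endswith("." + our_domain)),
            "prefilled": embedded_emails(real),
        })

    reasons = []
    if sender_domain != our_domain:
        reasons.append(f"sender domain {sender_domain!r} is not {our_domain!r}")
    for link in links:
        if link["off_domain"]:
            reasons.append(f"link leads to {link['host']!r}, not our server")
        if link["translated"]:
            reasons.append("link is wrapped in Google Translate")
        if link["prefilled"]:
            reasons.append(f"link carries our address {link['prefilled'][0]!r} to pre-fill the fake login")
    return {"sender_domain": sender_domain, "links": links, "reasons": reasons,
            "verdict": "phishing" if reasons else "no obvious red flags"}


if __name__ == "__main__":
    result = triage(RAW_MESSAGE)
    print(result["verdict"])
    for reason in result["reasons"]:
        print(" -", reason)
```

The point of unwrapping the translator URL is that the link preview in a mail client shows only the translate.google.com or translate.goog host, which looks benign; the `.ru` site only appears once the `u` parameter or the mangled proxy label is decoded. The pre-fill check looks for any query value shaped like an email address, since the parameter name the scammers chose is not shown in the post.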

I didn't go any further in terms of unpacking this scam, as I do not want to give the scammers any reason to attack my email server. But I think it's clear, just from what I have shown you, that they are a dangerous bunch. And the fact that it hit my inbox makes me quite uneasy. Thus I will stop here and report this to my hosting company so that they are aware of it and can take whatever action is required on their end to protect their users.

So why would someone want me to hand over my email credentials? Simple: the scam is meant to be a gateway that lets the scammer commit identity theft, or take over my mailbox and use it for some other fraudulent activity.

My best advice is to never, ever click the links in an email like this. And if you have already trusted such an email and attempted to log in with your account details via a third-party site, change the password within your email service immediately and, if your provider supports it, sign out of all active sessions. Then scan your computer for malware.

I'll be keeping my eye out for follow-up attempts to attack me, in order to see if this was a one-time occurrence or an actual targeted attack.
