A New And Very Dangerous Canada Revenue Agency Email Phishing #Scam Has Appeared

I came across a new phishing scam that uses the name of Canada Revenue Agency to steal your Microsoft 365 credentials. And this one is very dangerous. Let me start with the email that you get:

What caught my attention is that the form that is displayed here looks very much like a Canada Revenue Agency form. And it’s a very good replication. I can see a scenario where someone might be fooled by this. But in the case of this phishing attempt, here’s where it falls apart.

For starters the email refers to the “Canadian Revenue Service” which doesn’t exist. It’s the Canada Revenue Agency that is the actual name of the part of the Canadian government that collects your taxes. A minor point, but an important one as info like this can help you figure out if something that hits your inbox is real or fake. The next thing that I should point out is that this email is not addressed directly to anyone. It simply says “Dear taxpayer”. That should be an immediate red flag as you would expect that communication from a national government would have your name on it.

The next thing that I usually suggest that people do is to check the email address. Here is what I saw when I did that:

Well that’s interesting. It comes from a Canada.ca address. People might be fooled by that as the webpage for the Canadian government is http://www.canada.ca, which makes this email appear to be legitimate. But this is a classic attempt to “spoof” an email address, meaning that they are pretending to be someone that they are not to fool you. To confirm that, I did some extra digging to show the email headers. This is all the technical information that you normally never need to see, but that someone like me can use to determine if an email is a phishing attempt. Now if you ever wanted to see the header of an email that you get, here’s how to do it on Outlook and Mac.

In my case, it showed some very interesting information:

Now I am only showing you the relevant parts of the header. Specifically the circled area which is where the email came from. And that source is clearly not the Government of Canada based on the fact that it is “Canada-mailer.com”. When I traced that server back to its source, I got this:

That’s very curious. Who is Gophish? Well, here’s what I found out:

So this is an open source platform that companies can use to assess their exposure to phishing. But I suspect a threat actor is using this platform to launch attacks on people. Seeing as the platform is free, that’s totally plausible.
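The header check described above can be scripted. The following is an added example, not part of the original post: it compares the domain in the From line against the domains in the Received and Return-Path headers and reads the receiving server's SPF/DKIM/DMARC verdicts. The sample headers are constructed (only the two domains come from this post), and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers; not the real message from this post.
SAMPLE = """\
Received: from canada-mailer.com (canada-mailer.com [203.0.113.25])
\tby mx.example.net with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 -0500
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=canada-mailer.com;
\tdkim=none; dmarc=fail header.from=canada.ca
Return-Path: <bounce@canada-mailer.com>
From: "Canadian Revenue Service" <no-reply@canada.ca>
To: user@example.net
Subject: Tax form

Dear taxpayer,
"""

def registrable(host):
    """Naive last-two-labels reduction; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def sending_domains(msg):
    """Domains the mail actually passed through: Received 'from' hosts and Return-Path."""
    found = set()
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([A-Za-z0-9.-]+\.[A-Za-z]{2,})", rcvd)
        if m:
            found.add(registrable(m.group(1)))
    bounce = parseaddr(msg.get("Return-Path", ""))[1]
    if "@" in bounce:
        found.add(registrable(bounce.rpartition("@")[2]))
    return found

def check(raw):
    msg = message_from_string(raw)
    claimed = registrable(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    seen = sending_domains(msg)
    # Verdicts recorded by the receiving server, e.g. dmarc=fail for a spoofed From.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           " ".join(msg.get_all("Authentication-Results", [])).lower()))
    return {"claimed": claimed, "seen": sorted(seen),
            "mismatch": bool(seen) and claimed not in seen, "auth": auth}

if __name__ == "__main__":
    print(check(SAMPLE))
```

A mismatch on its own is only a prompt to look closer, since legitimate bulk-mail services also send on behalf of other domains; a `dmarc=fail` verdict for the From domain is the stronger signal.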

What is the end goal here by the threat actor? Well, if you click on the “Sign In With Microsoft Outlook” button, you get this:

This is an extremely convincing Microsoft 365 sign in page. I say that because here’s the real one:

It’s pretty much an exact replication except for one thing. If you look at the address bar you’ll note this:

That’s clearly not Microsoft. I say that because here’s what you see from the real Microsoft 365 login screen:

You see, it pays to pay attention to the little details to help you to avoid being pwned by a threat actor, who in this case is clearly trying to harvest credentials.

Since this is an open source platform, I went to the GitHub site as their webpage directed me there, but I didn’t find any contact info to let them know about this. And I suspect that even if there was contact info, there would be little that they could do to stop this attack. Thus it’s going to be incumbent on you to watch out for this email or ones like it, as clearly a threat actor is out to get you.
