Phishing e-mail to custom e-mail addresses

Published: 2011-08-31
Last Updated: 2011-08-31 15:20:46 UTC
by Johannes Ullrich (Version: 1)
11 comment(s)

Geoff wrote in with an interesting phishing sample. The part that it interesting is less  the content of the phish, but the e-mail address it was sent to. The content is a standard "ACH Payment Canceled" phish. There are probably a dozen or so that my spam filter dutifully removes each day.

The interesting part: The particular email was send to an address, Geoff only uses for one particular credit rating agency. The "user" part of the e-mail address is the credit rating agencies name.

I assume others here are doing similar tricks to cut down on spam, or at least track where spam is coming from. Many times I see addresses like "" in our database. However, in Geoff's case, this would be "", and it is possible that spammers do us company names like that as part of their username dictionary.

Has anybody else seen addresses used as "To:" addresses in spam? In particular if the company name is a financial institution?


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: phishing spam
11 comment(s)
Diary Archives