Phishing e-mail to custom e-mail addresses

Published: 2011-08-31
Last Updated: 2011-08-31 15:20:46 UTC
by Johannes Ullrich (Version: 1)
11 comment(s)

Geoff wrote in with an interesting phishing sample. The interesting part is less the content of the phish than the e-mail address it was sent to. The content is a standard "ACH Payment Canceled" phish; my spam filter dutifully removes a dozen or so of those each day.

The interesting part: the e-mail was sent to an address Geoff uses only for one particular credit rating agency. The "user" part of the e-mail address is that credit rating agency's name.

I assume others here use similar tricks to cut down on spam, or at least to track where spam is coming from. I often see addresses like "user+sans@example.com" in our database. In Geoff's case, however, the address would be "sans@example.com", and it is possible that spammers use company names like that as part of their username dictionary, in which case the address was guessed rather than leaked.

Has anybody else seen companyname@example.com addresses used as "To:" addresses in spam, in particular where the company name is a financial institution?
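The distinction between "the address leaked from the vendor" and "the spammer guessed a company name" is what a per-vendor tagging scheme is supposed to answer, so here is a small classifier that runs over recipient/sender pairs the way a mail log would present them. This is an added example, not code from the diary or from ISC; the tagged-address map, the vendor domains, the list of company names a dictionary spammer might try, and the log records are all constructed for illustration.

```python
"""Classify mail to per-vendor tagged addresses: expected, leaked, or guessed.

Added example (not from the original diary). Assumptions:
  - TAGGED maps each local-part we handed out to the domains the vendor
    legitimately sends from (vendor itself plus any bulk-mail provider).
  - DICTIONARY_NAMES are company names we never handed out but that a
    spammer working from a username dictionary might try.
  - SAMPLE is a constructed set of (rcpt_to, mail_from, client_ip) records.
"""
import re
from collections import Counter

DOMAIN = "example.com"  # assumption: the domain that receives the tagged mail

# Assumption: local-part -> domains allowed to send to it. Both styles from the
# diary are covered: a bare company name and a "user+tag" plus-address.
TAGGED = {
    "acmecredit": ("acmecredit.example", "esp-mailer.example"),
    "acmecredit-20110301": ("acmecredit.example", "esp-mailer.example"),
    "user+sans": ("sans.org",),
}

# Assumption: fictional company names a dictionary-driven spammer might try.
DICTIONARY_NAMES = {"firstbank", "creditcorp", "payfast", "bigbank", "cardco"}

ADDR_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def split_addr(addr):
    """Return (local_part, domain), lower-cased; reject anything else."""
    m = ADDR_RE.match(addr.strip().lower())
    if not m:
        raise ValueError(f"not an address: {addr!r}")
    return m.group(1), m.group(2)


def classify(rcpt_to, mail_from):
    """Verdict for one message based on where the tagged address was given out."""
    local, dom = split_addr(rcpt_to)
    if dom != DOMAIN:
        return "not-ours"
    allowed = TAGGED.get(local)
    if allowed is None:
        # Never handed out. Strip a "user+" prefix so "user+firstbank" is
        # judged by the tag, then see whether it looks like a company name.
        base = local.split("+", 1)[1] if "+" in local else local
        return "dictionary-guess" if base in DICTIONARY_NAMES else "unknown"
    _, from_dom = split_addr(mail_from)
    if any(from_dom == d or from_dom.endswith("." + d) for d in allowed):
        return "expected"
    # Tagged address reached from a domain we never associated with it.
    return "leaked"


def summarize(records, run_threshold=3):
    """Count verdicts, attribute leaks to vendors, and spot dictionary runs.

    A 'dictionary run' is one client IP trying several distinct local-parts
    we never handed out; a single hit on a known tag with no such run is
    the leak pattern the diary describes.
    """
    verdicts = Counter()
    leaked_by_vendor = Counter()
    guesses_by_ip = {}
    for rcpt, sender, ip in records:
        v = classify(rcpt, sender)
        verdicts[v] += 1
        local = split_addr(rcpt)[0]
        if v == "leaked":
            leaked_by_vendor[TAGGED[local][0]] += 1
        elif v in ("dictionary-guess", "unknown"):
            guesses_by_ip.setdefault(ip, set()).add(local)
    dictionary_runs = {
        ip: sorted(names)
        for ip, names in guesses_by_ip.items()
        if len(names) >= run_threshold
    }
    return verdicts, leaked_by_vendor, dictionary_runs


# Constructed records, not real log data: (rcpt_to, mail_from, client_ip).
SAMPLE = [
    ("acmecredit@example.com", "alerts@acmecredit.example", "203.0.113.7"),
    ("acmecredit@example.com", "ach@payments-notify.example", "198.51.100.9"),
    ("acmecredit-20110301@example.com", "news@mail.esp-mailer.example", "203.0.113.8"),
    ("user+sans@example.com", "isc@sans.org", "203.0.113.10"),
    ("firstbank@example.com", "ach@payments-notify.example", "198.51.100.9"),
    ("creditcorp@example.com", "ach@payments-notify.example", "198.51.100.9"),
    ("bigbank@example.com", "ach@payments-notify.example", "198.51.100.9"),
    ("bob@example.com", "friend@example.org", "192.0.2.5"),
    ("acmecredit@elsewhere.example", "x@y.example", "192.0.2.6"),
]

if __name__ == "__main__":
    counts, leaks, runs = summarize(SAMPLE)
    print("verdicts:", dict(counts))
    print("leaked tags by vendor:", dict(leaks))
    print("dictionary runs by client IP:", runs)
```

The "leaked" verdict depends on knowing every domain a vendor legitimately sends from; a vendor that outsources its mailings (the Epsilon case mentioned in the comments) will look leaked until its provider's domain is added to the allowed list, so a single "leaked" hit is a prompt to check who mails on the vendor's behalf, not proof of a breach. Conversely, the same client IP hitting several never-issued company names is the dictionary pattern, and it says nothing about any one vendor.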


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: phishing spam

Comments

I see spam messages to my custom companyname@example.com addresses all the time and I have received some to custom addresses for financial institutions. I'm considering using random addresses instead of companyname and using a web interface to generate/associate those addresses when I need them.
I've seen spam to an address I used for an account with a company that maintains a reputation-based blacklist. When I contacted them about the issue they requested more information from my logs. It turned out that the source was a cable IP in El Paso. Either the spammer made an awesome guess, or the company had an undetected compromise. I'm still not sure which is true.
I use two formats, <vendor>@example.com and <vendor>-<date>@example.com. I receive a trickle of spam (1 a week, say) to addresses in both of those formats, rarely twice to the same one. I would have seen guesses to *@example.com, and I do not, so I conclude the addresses have leaked. Why only one try each?
Was the credit rating agency involved in the Epsilon data breach earlier this year? Or if not that case, perhaps something similar?
In the Netherlands: we also received many of those kinds of (phishing) mailings (directly targeted at the Netherlands because of the part "/Bestellen" in the URL), pointing to some Italian (.it) websites redirecting to GenOrder.zip (which was of course malicious: SpyEye/Zeus).
I agree with Mark, it could be from the Epsilon breach. We saw a spate of emails a few months ago that we traced back to Epsilon; they were unusual in that the spammers knew the full name of the recipient rather than just the email address.
Starting on 8/19/2011 I've been receiving a couple spam e-mails a day with a To: address I used for one of the major US credit reporting agencies. The spam points to a .ru domain (I'm not sure what's at the far-end).
For what it is worth, at least one large company, Netflix, has started forbidding you from using netflix@yourdomain.com for your registered email account... perhaps trademark infringement paranoia? While I was able to keep it for a few months, after March of 2009 Netflix would no longer send emails to that address, and they continued to bug me every logon with "your email address is incorrect, please update your email address in your Netflix account settings".
I've seen a few recently sent to e-mail address only given to specific companies. In particular, waiter.com (no surprise..), eat24hours.com (somewhat more surprising), and equifax (disconcerting, and probably the credit rating agency in question). All the same types of spam mails, so presumably the same spammers. Reassuring that it's probably "just" Epsilon though and not a widespread full breach of the actual companies' servers.
I've been using netflix@example.com for years, never any problem (last email received was yesterday). Maybe you had some other kind of delivery issue or something?
