While servicing my email queue, on the way to finding the account information to pay something, I ran into Yet More SPAM and some of it clearly “phishing”. I decided that rather than my usual “click SPAM” and move on, or “delete and move on”; I’d make an example out of some of it.
Now the first thing to do is realize that before you ever open that email, the “from” and topic can give it away as crap. I’d already decided this was crap before I even opened it. And I only opened it since I’m running on a non-windows machine so the bulk of all exploits, mostly aimed at Windows, will fail. Also, links are off by default in my mail reader, so hidden active links to web sites will fail. Before ever looking at Email, I have three levels of defense, (this one got through the SPAM filter, though…).
So I get this email claiming I’m due a refund on my New Zealand Taxes. Only I haven’t been to New Zealand for 40 years… Right there is your first phishing flag. “To good to be true” or “something for nothing”. So first thing to do is click on the “show details” or “show mail headers”. Here’s the email text:
Inland Revenue -Tax Refund Notification
Inland Revenue NZ to you (Bcc)show details
After the last annual calculations of your fiscal activity, we have determined that you
are eligible to receive a tax refund of $41978.50 NZD. Please submit the tax refund
request and allow us 2-3 days in order to process it.
Your TRN (TAX REFUND NUMBER): NZ/811869-2015
Click link below to submit your tax refund request
Note : A refund can be delayed a variety of reasons, for example submitting invalid
records or applying after deadline.
Inland Revenue – Te Tari Taake
Now the details of the headers show:
Inland Revenue -Tax Refund Notification
From Inland Revenue NZ email@example.com hide details
To Undisclosed recipients:;
Two big “tip offs”. First off “undisclosed recipients”. Ah, why?
Second, and far more interesting, the actual email address of the sender: firstname.lastname@example.org
A .edu account is at a school somewhere. Turns out that http://sfsu.edu/ is San Francisco State University. So someone has either hacked an SFSU account, or as a student there is indulging in some particularly stupid phishing attempt.
As this isn’t the first SPAM I’ve had from an SFSU.edu account, I suspect they are just subject to hacking and pwning…
Doing an “inspect element” on that link to “govt.nz” gives what sure looks like suspicious garbage:
[a removedlink__e205d1b8-8eff-4968-b567-3fc2220c4a7e__href=”https://www2.e-services.ird.govt.nz/secure/login.html” target=”_blank”]https://www2.e-services.ird.govt.nz/secure/login.html[/a]
I’ve replaced the angle brackets with  so wordpress doesn’t steal the text…
One must fish around a lot in the large body of crap that now makes up active email to find the few bits that matter in this kind of investigation…
“removedlink” is kind of a clue that this link doesn’t take you there anymore…
Further up we find: “a style=”COLOR: #333333″ target=”_blank” removedlink__7b0fcf8d-50be-4f3c-83f9-6a6a851bc31b__href=”http //introsimpactantes.com/unosoter/sot.php”
A lookup of the site via a “whois [their site name]” brings up:
Intros Impactantes | Aprende como crear intros impactantes …
http //introsimpactantes.com essay writing diagrams get homework done online buy biology reserach papars how write a good essay skeletal system essay …
where I’ve broken the link so it doesn’t connect.
So this looks like it is just redirecting to some advertising site, maybe… but at this point I’ve lost interest. It’s clearly a scam of some kind, and I have other things to do…
But that’s the kind of thing I get to do a few dozen times when reading email. And why, over the years, I’ve become a bit averse to dealing with email.
Yes, I still use it. For some things it is still “usable”. But frankly, it is a cesspool full of disease in many ways and coping with it is not something I like to do. Oh Well.
I must, so I do.
But that is why email to me can sometimes take weeks to be read, and longer for a response. I’m busy doing other things and it just makes me feel so “tainted”…
It is also the kind of thing everyone ought to be doing for any email they get from anyone they do not know, and for any email they get from someone they DO know that “looks wrong”.