I’m confused; I got a warning saying that an email I sent was blocked, but when I try to confirm my identity, I can’t get it to work. What’s going on here?
Ouch, I suspect you’ve been successfully tricked by what’s known in the biz as a “phishing attack”. The purpose of this attack is to get you to go to an unknown site and enter personal information, typically a site account and password. Often it’ll be asking for information about a Gmail or Outlook.com account, but it could masquerade as being from any site. These attacks can be quite sophisticated, so we have to be vigilant and skeptical of anything that doesn’t make sense, rather than just blindly clicking on whatever link is offered.
Let’s dig into this particular email a bit further, so you can see what I mean.
Here’s a very similar message that I received this morning, and as you can see, it looks pretty darn legit, everything’s spelled correctly and there are no glaring grammatical mistakes:
However, what’s this VSNL.COM? I don’t recall emailing anyone at that particular address, so let’s have a quick peek at the site to see who they are. It bounces to a huge firm called Tata Communications. Headquartered in Mumbai and Singapore, it has more than 8500 employees across 38 countries. And… I didn’t email any of ’em.
Being skeptical and suspicious, I’m going to dig into this email further. First off, note that a close read of the ostensible error message on the lower portion of the email doesn’t reveal a sender or recipient, just vague generic errors. To whom did I send this “blocked” message? That would appear in a legitimate failure message, which this clearly isn’t.
On any email that’s formatted like this, you can request the “original message source” and read through the raw source code. I did that in Gmail, searched for “click here to verify”, and here’s the snippet it showed:
My browser has highlighted the matching words in orange and I’ve manually added the red box to point out the Web site to which I would go if I clicked on the link. Notice it’s encryptioncode.myjino.ru.
The .ru domain is Romania and I’m 100% sure that I haven’t emailed anyone in that country in the last few, well, years. So it’s a scam, for sure. The domain itself is a red flag to me, but even without it, “encryptioncode” is definitely concerning!
If I try to go to that particular domain in my Chrome browser, Google has already flagged this as a dangerous phishing site:
People who know how to navigate these sites carefully can get beyond this warning, and so when I do finally end up on the myjino.ru site, notice what I see:
It’s some email spoof toolkit called “Advanced PHP Mailer”. Well, the hacker who created it is actually using what’s known as l33t to turn vowels into digits and it’s 4DV4NC3D PHP M31L3R. Can I roll my eyes at this silly naming convention?
To be honest, I’m not entirely sure what this tool lets me do, but it’s clear that you can do something malicious with email from a site that undoubtedly has no idea this particular tool has been installed. It’s not a good thing and it’s not a tool you’d use to share photos with grandma, so… I’m not about to test it.
Anyway, you don’t need to travel as far down the rabbit hole as I did here to ascertain that the email you got was bogus. In general, a legitimate bounce includes the email that failed, and that’s a good way to confirm the error message is real: if you never wrote the failed email, you certainly don’t need to worry about fixing it up or sending it again!
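The two checks walked through above, pulling the real link targets out of the message source and asking whether the “bounce” actually carries a failed message, can be automated. This is an added example, not code from the original post; the sample notice is constructed, and its hostnames (carrier.example, encryptioncode.phish.example.net) are placeholders standing in for the ones in the article.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a fake "your message was blocked" notice, modelled on the
# article. Hostnames are placeholders, not the live indicators from the post.
PHISH_NOTICE = b"""\
From: Mail Delivery System <postmaster@carrier.example>
To: me@example.com
Subject: Your message was blocked
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Delivery failed. Status: 550 Blocked.
<a href="http://encryptioncode.phish.example.net/verify.php">Click here to verify</a>
your account.</p></body></html>
"""

class _LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def assess_notice(raw: bytes) -> dict:
    """Where do the links really go, and does this 'bounce' return the failed message?"""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    links, has_original = [], False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("message/rfc822", "text/rfc822-headers"):
            has_original = True  # a genuine DSN returns the failed message (or its headers)
        elif ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            links.extend(collector.links)
    # Links whose host is not under the claimed sender's domain are the red flag from the article.
    offsite = [(text, urlparse(href).hostname) for text, href in links
               if urlparse(href).hostname and not urlparse(href).hostname.endswith(sender_domain)]
    return {"sender_domain": sender_domain, "links": links, "offsite_links": offsite,
            "has_original_message": has_original, "suspicious": bool(offsite) or not has_original}
```

Running `assess_notice(PHISH_NOTICE)` flags the sample as suspicious on both counts: the verify link points off the sender’s domain, and no failed message is attached.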
Be careful out there. Be skeptical. And stay safe.
The .ru domain is Russia not Romania.
the .ru is the Russian Federation, not Romania which is .ro
Whoops, thanks for the correction Frederick!