Dec 04 2023

Just for fun (I have, admittedly, a very weird sense of fun), I thought I’d have a look at one of the phishing emails that came in to me. I’ll go through it bit by bit, picking out the things that first struck me …

Subject: LastPass : Required action needed regarding your account

Eh? Do I even have a LastPass account? I keep my passwords stored somewhere else, but it’s not impossible – I’ve been known to sign up to things just to test them out. Including cloud-based password managers.

But all the same, let’s give it a point on the suspicion scale. Running total: 1.

From: LastPass <yoji-okugawa1975@tg8.so-net.ne.jp>

Well, LastPass certainly use a funny-looking email domain (the bit to the right of the “@”), but marketing departments sometimes aren’t aware of how important that email domain really is. On the other hand, “tg8.so-net.ne.jp” does look particularly un-corporate, so let us give it a suspicion point.

Running total: 2

On the other hand, it is all too easy to fake domain names – I could very easily send you an email from the-management@lástpáss.com (or use even subtler look-alikes of “a”: “а”, “ạ”, “ą”, “ä”, “à”, “á”). And just to demonstrate that something which looks identical can actually be quite different :-

In [8]: print(ord('а'))
1072

In [9]: print(ord('a'))
97
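As an added illustration (not code from the original post), here is a small Python check that does what the eye can’t: it lists every non-ASCII character in a sender’s domain with its Unicode name, flags letters from a script other than Latin, reduces the domain to a look-alike “skeleton” to see whether it merely resembles lastpass.com, and shows the xn-- punycode form a mail server would actually resolve. The CONFUSABLES table is a hand-picked handful of Cyrillic look-alikes, not the full Unicode confusables list, and every sample address except the so-net one quoted above is made up.

```python
import unicodedata

# Hand-picked Cyrillic letters that render like Latin ones. This is a small
# illustrative subset chosen for this example, not the full Unicode confusables list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
}


def domain_of(address: str) -> str:
    """Everything to the right of the last '@', lower-cased; tolerates 'Name <addr>'."""
    return address.rstrip(">").rsplit("@", 1)[-1].lower()


def non_ascii_chars(domain: str) -> list:
    """Each non-ASCII character in the domain with its code point and Unicode name."""
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for c in domain if ord(c) > 0x7F]


def scripts_in(domain: str) -> set:
    """Scripts of the letters in the domain, read off the first word of each
    character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(c, "UNKNOWN").split(" ")[0]
            for c in domain if c.isalpha()}


def skeleton(domain: str) -> str:
    """What the domain *looks* like: NFKD-decompose, drop combining marks
    (so á, ạ and ą all become a) and swap known Cyrillic twins for Latin."""
    decomposed = unicodedata.normalize("NFKD", domain)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in stripped)


def punycode(domain: str) -> str:
    """The ASCII (xn--) form that DNS and mail servers actually see."""
    return domain.encode("idna").decode("ascii")


def assess_sender(address: str, expected_domain: str) -> dict:
    """Compare the sender's domain with the domain the mail claims to come from."""
    dom = domain_of(address)
    exact = dom == expected_domain
    return {
        "domain": dom,
        "exact_match": exact,
        # resembles the real thing once the disguise is stripped, but is not it
        "looks_like_expected": (not exact) and skeleton(dom) == expected_domain,
        "mixed_script": bool(scripts_in(dom) - {"LATIN"}),
        "non_ascii": non_ascii_chars(dom),
        "punycode": punycode(dom),
    }


# Constructed samples: only the so-net address is the one quoted in the post.
SAMPLES = [
    "the-management@lastpass.com",
    "the-management@l\u0430stpass.com",        # Cyrillic а (U+0430) for the first a
    "the-management@l\u00e1stp\u00e1ss.com",   # Latin a with acute (U+00E1)
    "LastPass <yoji-okugawa1975@tg8.so-net.ne.jp>",
]

if __name__ == "__main__":
    for addr in SAMPLES:
        report = assess_sender(addr, "lastpass.com")
        print(addr)
        for key, value in report.items():
            print(f"  {key}: {value}")
```

The skeleton comparison is the useful bit: the accented and the Cyrillic versions both collapse to lastpass.com, which is exactly the “looks like but isn’t” case, while the so-net address is simply a different domain that makes no attempt to resemble it.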

Now this isn’t to suggest that you should run your email headers through some Python code, just that something looking like lastpass.com doesn’t mean it really is. The next thing that jumped out at me was the body of the email – I may be well trained, but something new and shiny is still distracting :-

Now the first thing that jumps out at me is that red “Confirm my information” box. Screams “click here”, doesn’t it? Well, don’t click on it! In my email client (something you’re quite likely not using – claws-mail), if I hold the mouse pointer over a link, it’ll tell me where that link goes in the status bar of the client. In this case it shows up as https://tg8.benchurl.com/…, which doesn’t look very much like lastpass.com, does it? That’s sufficiently suspicious that I’ll award it 3 suspicion points.
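The hover-to-see-where-it-really-goes check can be done over the raw HTML as well. This added example (not part of the original post) walks an email body with Python’s html.parser, pairs each link’s visible text with its real href, and flags any target that is not on the expected domain, plus links whose visible text is itself a URL pointing somewhere other than the href. The HTML is a constructed stand-in for the email; the benchurl hostname is the one quoted above, with the elided path left out.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Gather (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, or None when outside one
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so the visible label is easy to compare
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def hostname(url: str) -> str:
    """Host part of a URL, lower-cased ('' if there is none)."""
    return (urlparse(url.strip()).hostname or "").lower()


def on_domain(host: str, expected: str) -> bool:
    """True for the expected domain itself or any subdomain of it."""
    return host == expected or host.endswith("." + expected)


def check_links(html: str, expected_domain: str) -> list:
    """One finding per link: where it really goes and whether that is off-brand."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = hostname(href)
        # If the visible text is itself a URL, compare its host with the real target.
        is_url_text = text.lower().startswith(("http://", "https://"))
        text_host = hostname(text) if is_url_text else None
        findings.append({
            "text": text,
            "href": href,
            "host": host,
            "off_brand": not on_domain(host, expected_domain),
            "text_host_mismatch": text_host is not None and text_host != host,
        })
    return findings


# Constructed stand-in for the email body. The benchurl hostname is the one
# quoted in the post; its path was elided there, so none is given here.
SAMPLE_HTML = """
<p>Required action needed regarding your account.</p>
<p><a href="https://tg8.benchurl.com/" style="background:red">Confirm my information</a></p>
<p>Or visit <a href="https://tg8.benchurl.com/">https://lastpass.com/account</a></p>
<p><a href="https://support.lastpass.com/">Help centre</a></p>
"""

if __name__ == "__main__":
    for f in check_links(SAMPLE_HTML, "lastpass.com"):
        flag = "SUSPICIOUS" if f["off_brand"] or f["text_host_mismatch"] else "ok"
        print(f"{flag:10} {f['text']!r} -> {f['host']}")
```

The second sample link is the nastier variant: the text reads as a lastpass.com address, but the href underneath goes to benchurl. Only the real destination matters, which is why the status-bar hover (or this kind of parse) beats reading the link text.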

Running total: 5

Notice how they don’t add a “Dear ${name}” to the top of the email? Not addressing the email to you personally is ever so convenient for scammers who want your details – because they don’t necessarily know your name. That’s a suspicion point all on its own.

Running total: 6

Next, note how it tries to rush you … “log in before January 16, 2024”. It’s subtler than many phishing scams, but it’s still trying to rush you. Add another suspicion point.

Running total: 7

There are further details we could dig into, but that’s more than enough that the Delete button is the only thing this email should attract. That running total? It was just for fun; it’s not intended as a guideline for when to count something as a phishing email.

If in doubt, contact the company via other means.