Friday, January 27, 2017 - 18:33

Interesting phishing attack supported by spam against Strato customers

A couple of days ago one of my mail servers got spammed ... massively. That's not uncommon, but I rarely see idiots bounce-spamming (mail-delivery-failure messages) a single system account with ~60,000 mails. But that wasn't the surprise.

Massively trying to spam a system account with a rather inefficient method doesn't really look like the smart way of doing it. But idiots are idiots for a reason ...

However. After the spam I got a mail from Strato, the hoster in question, informing me that a mail server had been taken offline due to the spam it was sending. o.Ô

Had my judgement been that bad and it wasn't spam after all? Was I spamming, and those mail delivery failures were actually genuine? Naah.

The mail from the "hoster" was actually pretty good. On closer inspection some parts were off, but if you suspected you had just spammed 60,000+ mails and had your mail server taken offline, you might miss them. It's in the general direction of a genuine Strato abuse mail. The phishing site was hosted on a hacked WordPress installation belonging to a lawyer in Hamburg. They must have taken over the whole hosting package, since they were able to set up a remotely suitable subdomain. I assume you could fall for this, especially if you're under some pressure from the supposed problem.

It's actually a pretty good phishing attack, with the exception of the sloppy subdomain solution and the slightly off abuse mail. But I guess the idea is that the pressure to react clouds judgement enough that you don't notice the clues. And that might actually work better than other attempts. There is of course a wrong customer ID, but if you have multiple packages like me, that's nothing you'll easily spot. What you could spot, however, is the wrong format of the ID. Another sloppy mistake.
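The two clues mentioned here, a link that leaves the hoster's own domain and a customer ID in the wrong format, are exactly the kind of thing a mail filter can check mechanically before a pressured admin clicks anything. The following Python is an added example written for this post, not the author's code and not anything Strato ships. It assumes placeholder `.invalid` domains, a hypothetical rule that genuine customer IDs are purely numeric (the real format is not given in the post), and a naive "last two labels" notion of registrable domain; a production filter would use a public-suffix list instead.

```python
"""Flag the clues in a hoster-impersonation notice: links that leave the
sender's domain and a customer ID in an unexpected format (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumption for this example: genuine customer IDs are 6 to 10 digits.
# The real hoster's format is not stated in the post.
CUSTOMER_ID_OK = re.compile(r"^\d{6,10}$")
CUSTOMER_ID_LINE = re.compile(r"[Cc]ustomer ID:?\s*([A-Za-z0-9-]+)")

# Constructed sample resembling the notice described in the post (not the real
# mail). The sender claims to be the hoster, the link points to a third party's
# subdomain and the ID is in the wrong shape.
SAMPLE_PHISH = """\
From: Strato Abuse <abuse@example-hoster.invalid>
To: postmaster@example-customer.invalid
Subject: Your mail server has been taken offline
Content-Type: text/plain; charset=utf-8

Dear customer,
your server sent spam. Please verify your account here:
http://abuse-portal.example-lawfirm.invalid/strato/login
Your customer ID: AB-12345
"""

# Constructed benign counterpart: link stays on the sender's domain, numeric ID.
SAMPLE_GENUINE = """\
From: Abuse Desk <abuse@example-hoster.invalid>
To: postmaster@example-customer.invalid
Subject: Abuse report for your server
Content-Type: text/plain; charset=utf-8

Please review the report at https://abuse.example-hoster.invalid/case/42
Your customer ID: 12345678
"""


def registrable_domain(host):
    """Naive registrable domain: the last two labels of the host name.
    Adequate for the placeholder domains here; use a public-suffix list
    for real traffic (co.uk and friends break this rule)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_notice(raw):
    """Return the findings for one raw RFC 5322 message as a dict."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    claimed = registrable_domain(addr.split("@", 1)[1])

    body = msg.get_body(preferencelist=("plain",)).get_content()
    links = URL_RE.findall(body)
    # Any link whose registrable domain differs from the sender's is a clue:
    # a hoster's abuse notice should point at the hoster's own portal.
    off_domain = [
        u for u in links
        if registrable_domain(urlparse(u).hostname or "") != claimed
    ]

    m = CUSTOMER_ID_LINE.search(body)
    cid = m.group(1) if m else None
    id_ok = bool(cid and CUSTOMER_ID_OK.match(cid))

    return {
        "claimed_domain": claimed,
        "links": links,
        "off_domain_links": off_domain,
        "customer_id": cid,
        "customer_id_format_ok": id_ok,
        "suspicious": bool(off_domain) or not id_ok,
    }


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("genuine", SAMPLE_GENUINE)):
        print(name, analyse_notice(raw))
```

Run it and the constructed phishing notice is flagged on both counts while the benign one passes; wiring the same check into a milter or a procmail-style rule is where it becomes useful, since it fires before the recipient is in a hurry.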

But all in all it's a much better stunt than I first suspected.