Yesterday, I received a well-crafted phishing attempt email targeting users of a French e-toll company. While this email contains no mobile malware (my field), I wanted to look into it.
Note that the company reports several phishing attempts currently, and the linked page was particularly useful to understand this was phishing.
A well-crafted phishing attempt
The phishing email is well done:
- The French is impeccable,
- The email and website domain names match and seem reasonably legit,
- There is also an unsubscribe link,
List-Unsubscribe: <[email protected]?subject=unsubscribe>, <https://unsubcribe.ulys-facturation.com>
- The logo looks correct,
- Email headers do not show any particular anomaly. There is a “no-reply” sender, which makes the email look quite “professional”.
Sender: Ulys by VINCI Autoroutes <[email protected]>
HTML view of the email (normally, I use Alpine email client, lol, but that wouldn’t be a very nice screenshot). Note I do not allow remote content in my emails, so the logo does not show. The text says the e-toll account was suspended due to billing issues, and suggests to click on the button to update billing information.The HTML code does not reveal any particular trick, except the button links to hxxps://ulys-facturation.com. However, this domain name looks legit + it matches the email domain names.
So, how do I know it’s phishing? Well, because I don’t have an e-toll device from that company and thanks to the webpage of the official company warning about phishing attempts (link at the top of blog post).
Investigating the domain name
The domain name was registered at Squarespace Domains (NB. the company is legit and is not correlated to the phishing attempt).
The date says today, but actually, on Virustotal, it says yesterday.Currently, the domain name resolves to 91[.]215.85.189 which is hosted in Russia. Note: this is not attributing the attempt to Russia, we’d need much more elements.
Many other domain names resolve to the same IP address. We’ll note a few others targeting the e-toll company ulys-pass-renouvellement[.]com, ulys-vinci-autoroute-renouvellement[.]com, but also a French bank “Société Générale” sg-et-vous[.]com, sg-information-mise-a-jour[.]com…
Phishing domain names— the Crypto Girl
Article Link: Phishing attempt on French e-tolls | by @cryptax | Mar, 2024 | Medium