Christmas Protonmail phishing e-mail

in phishing •  7 years ago 

Christmas is a great time of year. Its special atmosphere, filled with joy, happiness, hope, contemplation, grace, gifts and meetings with relatives and friends, is really nice and very, very special. At this time no one wants to think of bad things, sad events and problems of all kinds. However, all the IT threats are still out there and it is still necessary to be cautious and on guard. I was reminded of that by a special “gift” I received today on Christmas Eve (Dec 24th, 2017), which was A PROTONMAIL PHISHING E-MAIL.

Explanation: Protonmail is an end-to-end encrypted e-mail service provided by Proton Technologies AG, based in Switzerland. It is believed to be one of the safest e-mail services in the world in terms of data and privacy protection. They use a combination of asymmetrical and symmetrical cryptography. Even Protonmail developers do not have access to user e-mails or reset passwords (there are 2 needed) – if you lose your passwords, the party and your e-mails are over.

So here is a short story… On Christmas Eve 2017 I found the following e-mail in my mailbox's SPAM folder:

From the visible information it was more than obvious that the e-mail was a clear phishing attempt, fortunately a rather amateurish one – let's look at it in detail...

Phishing signs 1

Sender: a "Proton Mail Admin" writing from "[email protected]", of course not! The site www.link.net redirects to a site of the Egyptian ORANGE. A Protonmail admin writing from Egypt? Maybe he is on holiday in the middle of a migration. That's what admins normally do, right? :-)
To: there is a clear typo in the address, it is similar to "verify" but not the same..."[email protected]". The site "vefiy.com" does not exist, of course. Is anyone surprised?
Please click to verify: the link behind it goes to "orangekings.000webhostapp.com". A Protonmail verification at such a strange site? Ha, ha... The referenced site looks like this:

Again, clear phishing site signs...

Phishing signs 2

  1. the address is complete nonsense
  2. the site is picture based...none of the info in the footer is clickable
  3. in the bottom-right corner there is a nice, clearly visible message "Activate Windows. Go to settings to Activate Windows."!!! Is the Protonmail company so poor that they can't afford Windows licences for their admins? Well, I really doubt it... :-)
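
The header and link signs from "Phishing signs 1" can also be checked mechanically. The Python sketch below is an added example, not part of the original post; the list of legitimate Protonmail domains, the "placeholder" local parts in the sample and the recipient address passed to the function are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions of this sketch (extend for real use):
BRAND_WORDS = ("proton mail", "protonmail")          # display names claiming the brand
LEGIT_DOMAINS = ("protonmail.com", "protonmail.ch")  # domains the real service uses
FREE_HOSTING = (".000webhostapp.com",)               # free-hosting suffix seen in the post

# Constructed sample: domains come from the post, "placeholder" local parts are made up.
SAMPLE = """\
From: Proton Mail Admin <placeholder@link.net>
To: placeholder@vefiy.com
Content-Type: text/html

<p>Please <a href="http://orangekings.000webhostapp.com/">click to verify</a></p>
"""

class LinkCollector(HTMLParser):  # collects the href of every <a> tag
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def is_legit(host):  # host is a legitimate domain or a subdomain of one
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def phishing_signs(raw, my_address):
    """List the header and link signs found in a single-part HTML e-mail."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    claims_brand = any(w in name.lower() for w in BRAND_WORDS)
    signs = []
    if claims_brand and not is_legit(sender_domain):  # brand name, foreign domain
        signs.append("sender-domain-mismatch:" + sender_domain)
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    if to_addr != my_address.lower():                 # addressed to someone else
        signs.append("not-addressed-to-me:" + to_addr)
    links = LinkCollector()
    links.feed(msg.get_payload())
    for href in links.hrefs:                          # link leaves the brand's domains
        host = (urlsplit(href).hostname or "").lower()
        if host and claims_brand and not is_legit(host):
            kind = "free-hosting" if host.endswith(FREE_HOSTING) else "off-brand"
            signs.append(kind + "-link:" + host)
    return signs
```

Calling `phishing_signs(SAMPLE, "me@protonmail.com")` reports all three signs for the constructed message; a message sent from and linking to the legitimate domains returns an empty list.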

Once we are at the site we can start playing games. Let's enter the information requested: E-mail: [email protected], Password: hrajemehryzveselaradostnamtonedela, Mailbox Password: babratsetusdebilama.

Phishing signs 3
As you can see, all credentials entered stayed VISIBLE in the form!!! No one would dare to commit such a security failure these days. Would anybody expect Protonmail to do that?

After clicking OK we got a nice "LOADING" message.

After clicking on loading we are back at the phishing site.

Well, it seems that there will be no more fun with that phishing site. However, one may never know, right? Especially since in the meantime I

  1. notified Protonmail security
  2. notified 000webhost, the hosting provider of these fake pages
  3. notified Egyptian ORANGE
  4. wrote to the scammer for further assistance

In case of any news I'll share it with you.

Stay cautious, enjoy Christmas!!!
