Q&A How to identify a phishing or scam email?

Status
Not open for further replies.
Joined
Dec 21, 2017
Messages
131
OS
Windows 10
Antivirus
Kaspersky
#1
I received an email from the below email address, and I think it is a scam! How do I know if it is a scam/phishing?
What should I do?



from: YouTube <noreply@youtube.com>
to: (my real name) <(my email address)>
date: Sun, Dec 31, 2017 at 5:15 PM
subject: Have Win Apple iPhone 8 Plus Visit : - t.co/IDCZEz76Dm has made you a moderator on YouTube
mailed-by: youtube-subscriptions.bounces.google.com
signed-by: youtube.com
security: Standard encryption (TLS)






Hey (MY REAL NAME),

Lucky you! Have Win Apple iPhone 8 Plus Visit : - t.co/IDCZEz76Dm has made you a moderator on their channel. As a moderator, you can now remove unwanted comments from videos posted on that channel. Comments you remove will be sent to the creator for their review.

View channel

Find out more about moderating comments in the YouTube Help Center.


Thanks,

The YouTube Team

Help center | Email options | Report spam
©2017 YouTube, LLC 901 Cherry Ave, San Bruno, CA 94066, USA

Above is the exact email I received just now. How do they know my real name?
 
D

Deleted member 65228

Guest
#5
This is interesting.

The e-mail does appear to be genuine and the sender is genuine unless it has been spoofed, however I doubt this is the case in this situation. I think this e-mail is genuine and from YouTube, but I'll explain why all of this has happened.

The link in the e-mail will take you to a malicious giveaway website, regarding winning an iPhone 8. Just to be clear, the link in the e-mail is a phishing URL and is indeed malicious; it'll attempt to collect your personal information by tricking you into completing the forms to win the iPhone 8, and the web-page will appear to be the Apple website (seems to look like an old theme of the Apple website); however it's not actually real.

However, the reason the link was displayed in the e-mail was... Quite cleverly handled. It must be a bug with the YouTube e-mail system unless they never took care of URLs in the past, I am not sure. There is a link to the Channel in the e-mail, it points to here: Have Win Apple iPhone 8 Plus Visit : - t.co/IDCZEz76Dm (this URL is safe and genuine and is an actual YouTube channel however the link in the text of the Channel name is malicious).

The name field for the Channel name of the YouTube account is as follows:
Code:
Have Win Apple iPhone 8 Plus Visit : - t.co/IDCZEz76Dm
Now as we can see, the "Have Win Apple iPhone 8 Plus Visit : -" is not a URL, it is standard text and it's also displayed in the e-mail before the link. Now, following this text, is a link. Since it's a genuine URL, the e-mail formatting has automatically picked this up, and displayed it as a clickable link. The URL from the Channel name text was not masked as plain text in the e-mail sent out to you, instead it was converted as clickable because the E-mail system recognised it as a genuine URL, despite it being a malicious one.

The e-mail was sent out to you because the author of the YouTube channel has made you a moderator, which caused the push e-mail notification to be sent out, telling you that <ChannelNameText> has made you a moderator; and thus, <ChannelNameText> includes the text for the link, which is converted as a clickable hyper-link. This doesn't mean you were a "targeted" victim though specifically, the author of the channel probably made many, many people a moderator as an attempt to have the URL spammed through e-mail using YouTube's own push notification system.

The best thing you can do is Report the e-mail and Channel to YouTube (Google) so the user is banned and Google may investigate to prevent this a bit better for the future, and delete the e-mail to prevent you from becoming curious and investigating the URL from the e-mail. I've already done a bit of analysis on the malicious URL, and my verdict is that it's a phishing URL; it'll collect personal information and whether it sends it anywhere or not is unknown to me for the time being however you'll also be required to pay them via surveys. Therefore, there is a need to "worry", because the URL is malicious; however there's no need to "worry" in the sense that you're a "targeted" victim or that you are "infected", because this isn't the case - avoid touching the URL, stay away from it and you'll be fine. Even if you had clicked on it, it doesn't make use of an exploit kit or promote downloads based on my analysis, so don't go on it again if you already have and you'll be fine.

It's a cross between a phishing and spam URL. The intent is malicious though, because the author is intentionally promoting it via abusing YouTube's own push notification service and attempting to mass-spam through invoking the push notification for X amount of people, fully well knowing that there is no iPhone 8 giveaway.
 
Last edited by a moderator:
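Post #5 argues that the notification system auto-linked a URL the channel owner had typed into the channel name, so the link arrived inside an otherwise genuine e-mail. The Python below is an added example written for this thread, not YouTube's code: it contrasts a hypothetical notification template that runs an autolinker over user-controlled text with one that HTML-escapes the name and links only the server-supplied channel URL, and adds a validation check that flags display names containing URLs. The template strings, the URL pattern, the sample channel name and the `video.example` URL are all constructed for illustration.

```python
import html
import re

# Constructed URL pattern: matches bare or schemed URLs such as
# "short.example/abc" or "https://a.b/c". It approximates the kind of
# pattern an autolinker applies, and doubles as the validation check.
URL_RE = re.compile(
    r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"']*)?",
    re.IGNORECASE,
)


def has_embedded_url(display_name: str) -> bool:
    """Validation-time check: reject or flag a user-chosen name carrying a URL."""
    return URL_RE.search(display_name) is not None


def _autolink(escaped_text: str) -> str:
    """Turn every URL-looking span into an <a> element (the risky behaviour)."""
    def repl(m: re.Match) -> str:
        target = m.group(0)
        href = target if target.lower().startswith("http") else "http://" + target
        return f'<a href="{href}">{target}</a>'
    return URL_RE.sub(repl, escaped_text)


def render_naive(channel_name: str, channel_url: str) -> str:
    """Hypothetical template that autolinks inside user-controlled text.

    The name is HTML-escaped, so no tags can be injected, but the autolinker
    still runs over it: a URL placed in the name becomes a clickable link in
    the notification, which is the behaviour the thread describes.
    """
    body = f"{channel_name} has made you a moderator on their channel."
    return (
        f"<p>{_autolink(html.escape(body))}</p>"
        f'<p><a href="{html.escape(channel_url)}">View channel</a></p>'
    )


def render_safe(channel_name: str, channel_url: str) -> str:
    """Escape the user text and link only the trusted, server-supplied URL.

    No autolinker ever touches the name, so whatever the owner typed stays
    inert text inside the single anchor that points at the real channel page.
    """
    name = html.escape(channel_name)
    url = html.escape(channel_url)
    return (
        f'<p><a href="{url}">{name}</a> has made you a moderator on their channel.</p>'
        f'<p><a href="{url}">View channel</a></p>'
    )


def links_in(rendered_html: str) -> list[str]:
    """List every href in the rendered fragment, in document order."""
    return re.findall(r'href="([^"]+)"', rendered_html)


if __name__ == "__main__":
    # Constructed channel name modelled on the one in the thread.
    name = "Have Win Apple iPhone 8 Plus Visit : - short.example/abc"
    url = "https://video.example/channel/123"
    print("flagged at validation:", has_embedded_url(name))
    print("naive links:", links_in(render_naive(name, url)))
    print("safe links: ", links_in(render_safe(name, url)))
```

Running it shows the naive template emitting two links, one of them the attacker-chosen `short.example/abc`, while the safe template emits only the channel URL twice; the validation check would have rejected the name before any e-mail was generated.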
Joined
Dec 21, 2017
Messages
131
OS
Windows 10
Antivirus
Kaspersky
#8
(Quoting Deleted member 65228's reply in post #5 above.)
Thank you so much!
 
D

Deleted member 65228

Guest
#10
close the channel yourself or ruin it the way you want (since you are the mod now).
I recommend against doing this; it could lead down a path of the Original Poster being accused of potential involvement and of covering his tracks by pretending to be a victim, using this as an entry-point to close the channel and get rid of evidence without being a suspect. I know this sounds unrealistic, and even if this did happen, nothing would likely come of it, but still. Best to avoid touching it yourself.

Report it and let Google know what happened and they should be able to handle everything for you, which prevents hassle for you messing around with it.
 
Joined
Dec 31, 2017
Messages
1
#14
Hi.

I went into naive mode and clicked the link and entered some personal info, just to see where it led.
When asked to download some apps I stopped.
I did this in 'incognito' mode and using a VPN.
I was on my Android phone; any chance I compromised the device's security?

Thanks
 
Joined
Jun 14, 2017
Messages
255
OS
Linux
#15
Email (electronic mail) consists of three things:
  • Envelope - contains internal processing information
  • Body - contains the message
  • Header - contains the message id, date, to, from, user agent, and IP addresses of sender and receiver

We can use the header to analyze mail; it is a great source of information for identifying the sender, whether it's legitimate or not.

Go to the mail you would like to see
Click on the red box > Select Show original
In the next window, you will see the email header
Select email header
Copy it before the body starts

Go to this website to analyze the email
Code:
https://www.whatismyip.com/email-header-analyzer/
Paste the header in the box and click on Analyze.
You get a lot of information about the sender (I hid some information about the sender).


When you've got the sender IP, do a Checkmyip lookup and find out where this email came from.
For checking links:
Expand the short link
Scan the link
Note: links can also be attached to images, so check those too.

Check your knowledge with some real samples
Phishing Quiz
 
Last edited:
D

Deleted member 65228

Guest
#16
EDIT: Removed

The IP address from the e-mail header isn't always accurate; it can be masked by the e-mail service provider for enhanced security, strictly to prevent attackers from stealing someone's IP address upon an e-mail response, etc. A VPN can also be used; some companies may use one for enhanced protection.

The IP address from the Cybrary e-mail appears to be coming from a DNS provider, not directly from the client. The connection routes through third-party servers, then the e-mail is sent. This masks the IP address for Cybrary (used in the e-mail example), and provides you the IP address of another service.

Code:
mktdns.com
The servers for the above domain are in California (San Mateo), which is where the IP tracked from the e-mail header points to: mktdns.com. The IP address of the actual client sender isn't exposed in this scenario.
 
Last edited by a moderator:

martyca65

New Member
Joined
Dec 31, 2017
Messages
1
OS
Linux Ubuntu
#17
(Quoting the original post, #1 above.)
Got the same email twice with two different URLs when I posted a video on a small YouTube channel with very little views. I had 4 subscribers from India! Two giveaways mark it as a scam. First, telling you that you have won an iPhone 8 Plus; the phone retails for over $1,000. Second, the poor English: "Have win Apple iPhone 8 Plus" instead of "You have won an Apple iPhone 8 Plus".
 
Joined
Dec 31, 2017
Messages
1
OS
Android
Antivirus
ESET
#18
(Quoting the original post, #1 above.)
I got the same email too at 10:20 today; the given link took me to a website that looked a little like the Apple website, but the link was not apple.com.
 