Q&A How to identify a phishing or scam email?

Discussion in 'General Security Discussions' started by ItsReallyMe, Dec 31, 2017.

  1. ItsReallyMe

    ItsReallyMe Level 2

    Dec 21, 2017
    59
    157
    Model
    Los Angeles
    Windows 10
    Emsisoft
    I received an email from the below email address, and I think it is a scam! How do I know if it is a scam/phishing?
    What should I do?



    from: YouTube <noreply@youtube.com>
    to: (my real name) <(my email address)>
    date: Sun, Dec 31, 2017 at 5:15 PM
    subject: Have Win Apple iPhone 8 Plus Visit : - t.co/IDCZEz76Dm has made you a moderator on YouTube
    mailed-by: youtube-subscriptions.bounces.google.com
    signed-by: youtube.com
    security: Standard encryption (TLS)

    Hey (MY REAL NAME),

    Lucky you! Have Win Apple iPhone 8 Plus Visit : - t.co/IDCZEz76Dm has made you a moderator on their channel. As a moderator, you can now remove unwanted comments from videos posted on that channel. Comments you remove will be sent to the creator for their review.

    View channel

    Find out more about moderating comments in the YouTube Help Center.


    Thanks,

    The YouTube Team

    Help center | Email options | Report spam
    ©2017 YouTube, LLC 901 Cherry Ave, San Bruno, CA 94066, USA

    Above is the exact email I received just now. How do they know my real name?
     
    Weebarra, Marko :), steel9 and 3 others like this.
  2. Danielx64

    Danielx64 Level 8

    Mar 24, 2017
    396
    1,692
    Australia
    Windows 10
    ESET
    That t.co makes me think that something is off, even if the email really is from YouTube.

    Have you signed up for a YouTube account?
     
    Weebarra, Marko :), Opcode and 2 others like this.
  3. Evjl's Rain

    Evjl's Rain Level 29
    Trusted AV Tester

    Apr 18, 2016
    1,817
    13,243
    Vietnam
    Windows 8.1
    Avast
    #3 Evjl's Rain, Dec 31, 2017
    Last edited: Dec 31, 2017
    This concludes everything.

    they might collect your data and info from other websites you signed up
     
  4. ItsReallyMe

    ItsReallyMe Level 2

    Dec 21, 2017
    59
    157
    Model
    Los Angeles
    Windows 10
    Emsisoft
    They sent the email to the same email address I signed up to YouTube with! I have been using that email account since 2009.
     
  5. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    894
    6,340
    Caille
    Windows 10
    #5 Opcode, Dec 31, 2017
    Last edited: Dec 31, 2017
    This is interesting.

    The e-mail does appear to be genuine and the sender is genuine unless it has been spoofed, however I doubt this is the case in this situation. I think this e-mail is genuine and from YouTube, but I'll explain why all of this has happened.

    The link in the e-mail will take you to a malicious giveaway website, regarding winning an iPhone 8. Just to be clear, the link in the e-mail is a phishing URL and is indeed malicious; it'll attempt to collect your personal information by tricking you into completing the forms to win the iPhone 8, and the web-page will appear to be the Apple website (it seems to look like an old theme of the Apple website), however it's not actually real.

    However, the reason the link was displayed in the e-mail was quite cleverly handled. It must be a bug with the YouTube e-mail system, unless they never took care of URLs in the past; I am not sure. There is a link to the Channel in the e-mail, it points to here: Have Win Apple iPhone 8 Plus Visit : - t.co/IDCZEz76Dm (this URL is safe and genuine and is an actual YouTube channel, however the link in the text of the Channel name is malicious).

    The name field for the Channel name of the YouTube account is as follows:
    Code:
    Have Win Apple iPhone 8 Plus Visit : - t.co/IDCZEz76Dm
    
    Now as we can see, the "Have Win Apple iPhone 8 Plus Visit : -" is not a URL, it is standard text and it's also displayed in the e-mail before the link. Now, following this text, is a link. Since it's a genuine URL, the e-mail formatting has automatically picked this up, and displayed it as a clickable link. The URL from the Channel name text was not masked as plain text in the e-mail sent out to you, instead it was converted as clickable because the E-mail system recognised it as a genuine URL, despite it being a malicious one.

    The e-mail was sent out to you because the author of the YouTube channel has made you a moderator, which caused the push e-mail notification to be sent out, telling you that <ChannelNameText> has made you a moderator; and thus, <ChannelNameText> includes the text for the link, which is converted as a clickable hyper-link. This doesn't mean you were a "targeted" victim though specifically, the author of the channel probably made many, many people a moderator as an attempt to have the URL spammed through e-mail using YouTube's own push notification system.

    The best thing you can do is Report the e-mail and Channel to YouTube (Google) so the user is banned and Google may investigate to prevent this a bit better for the future, and delete the e-mail to prevent you from becoming curious and investigating the URL from the e-mail. I've already done a bit of analysis on the malicious URL, and my verdict is that it's a phishing URL; it'll collect personal information and whether it sends it anywhere or not is unknown to me for the time being however you'll also be required to pay them via surveys. Therefore, there is a need to "worry", because the URL is malicious; however there's no need to "worry" in the sense that you're a "targeted" victim or that you are "infected", because this isn't the case - avoid touching the URL, stay away from it and you'll be fine. Even if you had clicked on it, it doesn't make use of an exploit kit or promote downloads based on my analysis, so don't go on it again if you already have and you'll be fine.

    It's a cross between a phishing and spam URL. The intent is malicious though, because the author is intentionally promoting it via abusing YouTube's own push notification service and attempting to mass-spam through invoking the push notification for X amount of people, fully well knowing that there is no iPhone 8 giveaway.
     
    Weebarra, kev216, harlan4096 and 6 others like this.
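The behaviour Opcode describes (a URL placed in a user-controlled display name gets auto-linked by the notification mailer) can be reproduced with a small model. This is an added illustration in Python, not code from the thread or from YouTube: the template, renderer and function names are assumptions, and the channel name is the one quoted above. It shows the naive renderer, a hardened one that never linkifies user-supplied text, and a check that flags URL-like tokens in a display name.

```python
import html
import re

# Naive "make anything that looks like a URL clickable" pattern, the kind of pass a
# notification mailer might run over its rendered text (assumption, for illustration).
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<]*)?", re.I)

# User-controlled field, taken from the channel name quoted in the thread.
CHANNEL_NAME = "Have Win Apple iPhone 8 Plus Visit : - t.co/IDCZEz76Dm"
# Hypothetical notification template modelled on the e-mail text.
TEMPLATE = "{name} has made you a moderator on their channel."

def _anchor(m):
    url = m.group(0)
    href = url if url.lower().startswith("http") else "http://" + url
    return f'<a href="{href}">{url}</a>'

def linkify(text):
    return URL_RE.sub(_anchor, text)

def render_vulnerable(name):
    # The bug described in the thread: the display name is substituted first and the
    # whole body is linkified, so a URL smuggled into the name becomes a live link.
    return linkify(TEMPLATE.format(name=name))

def render_hardened(name):
    # Only the fixed template text is linkified; the user-supplied name is HTML-escaped
    # and inserted afterwards, so it is shown as plain text and can never become a link.
    fixed_parts = [linkify(part) for part in TEMPLATE.split("{name}")]
    return html.escape(name, quote=True).join(fixed_parts)

def url_tokens(name):
    # Defensive check usable when a display name is set or in a mail filter:
    # returns every URL-looking token inside the name (empty list means clean).
    return [m.group(0) for m in URL_RE.finditer(name)]
```

With the hardened renderer the t.co string is still visible to the recipient as text, so a stricter policy would also reject or review any name for which url_tokens() is non-empty.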
  6. n0k0m3

    n0k0m3 Level 1

    May 29, 2017
    19
    68
    US
    Windows 10
    ESET
    This is a legit email, the t.co link in the channel name is not.

    What you can do: Report the original owner of the channel, close the channel yourself or ruin it the way you want (since you are the mod now).
     
    Weebarra, shmu26 and Opcode like this.
  7. Vasudev

    Vasudev Level 22

    Nov 8, 2014
    1,109
    2,185
    Student
    India
    Windows 10
    Microsoft
    Yep, it's a scam. Usually Gmail identifies them and marks them as spam.
    The fake Apple website is amazing. Hahaa.
     
    Weebarra, shmu26 and Opcode like this.
  8. ItsReallyMe

    ItsReallyMe Level 2

    Dec 21, 2017
    59
    157
    Model
    Los Angeles
    Windows 10
    Emsisoft
    Thank you so much!
     
    Weebarra, roger_m, bribon77 and 2 others like this.
  9. ItsReallyMe

    ItsReallyMe Level 2

    Dec 21, 2017
    59
    157
    Model
    Los Angeles
    Windows 10
    Emsisoft
    Fortinet on virustotal url scan shows the link as Phishing!
    Only Fortinet shows it!
    VirusTotal
     
    Weebarra, shmu26 and Opcode like this.
  10. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    894
    6,340
    Caille
    Windows 10
    I recommend against doing this, it could lead down a path of the Original Poster being accused of having potential involvement and attempting to cover his tracks up by pretending to be a victim and using this as an entry-point to close the channel and rid evidence without being a suspect. I know this sounds unrealistic and even if this did happen, nothing would likely happen, but still. Best avoid touching it yourself.

    Report it and let Google know what happened and they should be able to handle everything for you, which prevents hassle for you messing around with it.
     
    Weebarra, Danielx64 and bribon77 like this.
  11. ItsReallyMe

    ItsReallyMe Level 2

    Dec 21, 2017
    59
    157
    Model
    Los Angeles
    Windows 10
    Emsisoft
    Weebarra and shmu26 like this.
  12. n0k0m3

    n0k0m3 Level 1

    May 29, 2017
    19
    68
    US
    Windows 10
    ESET
    Forgot social engineering is a thing... :/
     
    Weebarra, bribon77 and Opcode like this.
  13. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    894
    6,340
    Caille
    Windows 10
    We humans aren't perfect ;) Which is exactly how social engineering works.
     
    bribon77 and n0k0m3 like this.
  14. theplaypen

    theplaypen New Member

    Dec 31, 2017
    1
    8
    Portugal
    Hi.

    I went into naive mode and clicked the link and entered some personal info, just to see where it led.
    When asked to download some apps I stopped.
    I did this in 'incognito' mode and using a VPN.
    I was on my Android phone; any chance I compromised the device security?

    Thanks
     
  15. daljeet

    daljeet Level 5

    Jun 14, 2017
    242
    2,398
    india
    Linux Ubuntu
    #15 daljeet, Dec 31, 2017
    Last edited: Dec 31, 2017
    Email (electronic mail) consists of three things:
    • Envelope - contains internal processing
    • Body - it contains the message
    • Header - it contains message id, date, to, from, User agent, IP address of sender and receiver

    We can use the header to analyze mail; it is a great source of sender information, and of whether it's legitimate or not.
    Go to the mail you would like to see
    Click on the red box > Select Show original
    In the next window, you will see the email header
    Select email header
    Copy it before the body starts

    Go to this website to analyze the email
    Code:
    https://www.whatismyip.com/email-header-analyzer/
    Paste the header code in the box and click on analyze.
    You get a lot of information about the sender (I hid some information about the sender).

    When you have the sender IP, do Checkmyip and find out where this email came from.
    For checking links
    Expand short link
    Scan the link
    Note: Link is linked to images so check this also.

    Check your knowledge with some real samples
    Phishing Quiz
     
    Danielx64, Weebarra, Vasudev and 5 others like this.
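The header walk daljeet describes (and the caveat in the reply that follows, that the IP you find is often a relay) can be automated. This is an added Python example, not code from the thread or from the analyzer site it links: the raw message is a constructed sample modelled on the from / mailed-by / signed-by lines quoted in the first post, with placeholder hostnames, IPs and signature values. It pulls the Received chain oldest-first, skips private hops, and compares the From domain with the DKIM signing domain.

```python
import email
import email.policy
import ipaddress
import re
# Constructed sample modelled on the headers quoted in the thread; hosts, IPs and
# signature values are placeholders, not real data.
RAW_MESSAGE = """\
Return-Path: <bounce-constructed@youtube-subscriptions.bounces.google.com>
Received: from relay.sender.example (relay.sender.example [203.0.113.10])
        by mx.example.net with ESMTPS id constructed; Sun, 31 Dec 2017 17:15:02 -0800
Received: from app-host.internal (app-host.internal [10.20.30.40])
        by relay.sender.example with ESMTP id constructed; Sun, 31 Dec 2017 17:14:58 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=youtube.com; s=constructed;
        h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: YouTube <noreply@youtube.com>
Subject: Have Win Apple iPhone 8 Plus Visit : - t.co/IDCZEz76Dm has made you a moderator

"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse(raw):
    return email.message_from_string(raw, policy=email.policy.default)

def received_ips(msg):
    # Received headers are prepended hop by hop, so reverse them to get oldest first.
    found = [IP_RE.search(str(h)) for h in reversed(msg.get_all("Received", []))]
    return [m.group(1) for m in found if m]

def originating_ip(msg):
    # First hop outside private space; as the reply below warns, this is often a relay, not the client.
    for ip in received_ips(msg):
        if not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
            return ip
    return None

def _domain(value):
    m = re.search(r"@([\w.-]+)", value)
    return m.group(1).lower() if m else None

def sender_domains(msg):
    # The three identities Gmail shows as "from", "mailed-by" and "signed-by".
    dkim = re.search(r"\bd=([\w.-]+)", str(msg.get("DKIM-Signature", "")))
    return {"from": _domain(str(msg.get("From", ""))),
            "mailed_by": _domain(str(msg.get("Return-Path", ""))),
            "signed_by": dkim.group(1).lower() if dkim else None}

def dkim_aligned(msg):
    d = sender_domains(msg)
    return d["signed_by"] is not None and d["from"] == d["signed_by"]
```

An aligned signing domain is what made the thread's e-mail genuinely from YouTube even though its content was abused; the sender IP alone would only have pointed at a Google relay.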
  16. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    894
    6,340
    Caille
    Windows 10
    #16 Opcode, Dec 31, 2017
    Last edited: Dec 31, 2017
    EDIT: Removed

    The IP address from the e-mail header isn't always accurate; it can be masked by the e-mail service provider for enhanced security, strictly to prevent attackers from stealing someone's IP address upon an e-mail response, etc. A VPN can also be used; some companies may use it for enhanced protection.

    The IP address from the Cybrary e-mail appears to be coming from a DNS provider, not directly from the client. The connection routes through third-party servers, then the e-mail is sent. This masks the IP address for Cybrary (used in the e-mail example), and provides you the IP address of another service.

    Code:
    mktdns.com
    
    The servers for the above domain are from California (San Mateo), which is what the IP which was tracked from the e-mail header points to: mktdns.com. The IP address of the actual client sender isn't exposed in this scenario.
     
    Weebarra and Vasudev like this.
  17. martyca65

    martyca65 New Member

    Dec 31, 2017
    1
    3
    Australia
    Linux Ubuntu
    Got the same email twice with two different URLs when I posted a video on a small YouTube channel with very few views. I had 4 subscribers from India! Two giveaways mark it as a scam. First, telling you that you have won an iPhone 8 Plus. The phone retails for over $1,000. Second, the poor English: "Have win Apple iPhone 8 Plus" instead of "You have won an Apple iPhone 8 Plus".
     
    Weebarra, Vasudev and ItsReallyMe like this.
  18. a.dhansoiya

    a.dhansoiya New Member

    Dec 31, 2017
    1
    3
    Delhi
    Android
    ESET
    I got the same email too at 10:20 today; the given link took me to a website that looked a little like the Apple website, but the link was not apple.com.
     
    Weebarra, Vasudev and ItsReallyMe like this.
  19. Spawn

    Spawn Administrator
    Staff Member Content Creator

    Jan 8, 2011
    16,267
    24,209
    If you have a YouTube account, check the Settings.
    YouTube

    You can change your name and nickname here:
    Sign in - Google Accounts
     
    Weebarra, ItsReallyMe and roger_m like this.