Summer in Russia: time for a phishing trip

This morning I received the following message in my Yandex.ru inbox:

Thank you for using the Yandex.ru national email service!

Recently, many email accounts have been opened for the purpose of sending spam. As a result, we have actively begun to delete these addresses from the server.

At present, all email accounts with suspicious names – including yours – have been put on a denylist, and all users are being asked to re-authorize their account using the following link: http://r.yandex.ru/****/yandex/?id=02cfdd227b9735c35a8288f37c020cd2&p=blacklist&mt=0.090866193010010

Once you have completed the re-authorization process, your email address will automatically be removed from the denylist, because it means you will have confirmed reading this email, which could not happen with a spammer address.

All email addresses that are still on the denylist as of August 2007 will be deleted from our server, striking a major blow against spammer organizations and improving Yandex.ru email services.

Don’t forget – if you receive an email with advertising content that you did not request, you can report it as spam. The Yandex.ru administration reviews all complaints and will modify its filtering algorithms for new kinds of spam.

Thanks again for using Yandex.ru.

Sincerely,
The Yandex.ru Administration

I was only half awake when I read this and I almost followed the instructions in the email. But common sense prevailed: I suspected something was fishy and I decided to check this out. Turns out I was right: the address shown in the browser’s status bar when you move the cursor over the link is http://r.yandex.ru/…, which actually takes you to a page hosted by the freebie service tu1.ru. If you go directly to the address (by copying it from the browser window), you will find that there is no such site.

If you look deeper, you will find several other minor things that don’t match up:

  • The email is missing at least one comma (according to Russian grammar rules);
  • The email is suspicious in terms of the general rules of formal correspondence, i.e. the style of the email is strange;
  • Why is the email address for “Yandex.ru Administration” postmaster@sharabee.nichost.ru?
  • If you open the link to the so-called “Yandex authorization service”, you’ll see a context ad in the upper right hand corner – an ad which is nowhere to be found on the official Yandex website.

This is a classic example of phishing. Phishing Russian services is still uncommon. As far as I can remember, this is the first mass phishing email using @yandex.ru addresses – at least of the ones that have got around spam filters. This gives phishers an element of surprise, and there’s no doubt that they’ll manage to harvest numerous passwords, even when the ploy is as primitive and poorly thought out as this one, and all the more so if a future attempt avoids careless mistakes such as the ones listed above.

It is easy to avoid phishing if you follow some simple rules: always make sure that the domain name of the link in question is authentic. In order to do this, you should not just click on it, but copy and paste it into a new browser window. If you do this, even the slickest phisher tactics used to disguise the real URL won’t work.
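As an added example (not code from the original post), here is a small Python triage script that automates the checks the post walks through: whether the sender's domain matches the brand it claims to be, whether each link actually lands on that brand's domain, and whether the URL shown as link text differs from the real href. The message is a constructed sample modelled on the indicators above; the original email's HTML is not reproduced on the page, and the tu1.ru href is an assumption based on the post's description.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

def registrable_domain(host):
    """Last two DNS labels, e.g. 'sharabee.nichost.ru' -> 'nichost.ru'.
    Simplification: not public-suffix aware, adequate for .ru/.com style names."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def phishing_indicators(raw_message, claimed_domain):
    """Return human-readable findings for a raw RFC 822 message that claims
    to come from `claimed_domain`: sender-domain mismatch, links that leave
    the claimed domain, and link text that shows a different host than the href."""
    msg = message_from_string(raw_message)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    if sender_domain != claimed_domain:
        findings.append(f"sender domain {sender_domain!r} is not {claimed_domain!r}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href, inner in ANCHOR.findall(body):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        href_host = urlparse(href).hostname or ""
        if registrable_domain(href_host) != claimed_domain:
            findings.append(f"link to {href_host!r} is outside {claimed_domain!r}")
        shown_host = urlparse(text).hostname if text.lower().startswith(("http://", "https://")) else None
        if shown_host and shown_host != href_host:
            findings.append(f"link text shows {shown_host!r} but goes to {href_host!r}")
    return findings

# Constructed sample modelled on the message in the post (not the original HTML).
SAMPLE = """\
From: The Yandex.ru Administration <postmaster@sharabee.nichost.ru>
To: victim@yandex.ru
Subject: Re-authorization required
Content-Type: text/html; charset="utf-8"

<p>Re-authorize your account here:
<a href="http://tu1.ru/yandex/?p=blacklist">http://r.yandex.ru/yandex/?p=blacklist</a></p>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE, "yandex.ru"):
        print("-", finding)
```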

If you do fall for a phishing ploy and you entered your password on the page they sent the link to, change your password as soon as possible.
