On Saturday, around 2 in the morning, I received a blind carbon at one of my work addresses that had a frighteningly clever phishing scheme posing as a Red Hat security update. I thought it was real and the only reason I didn’t apply this rootkit to the Linux box I have is because it’s Knoppix and it’s off–although I do have a really old laptop with Red Hat 7.2 on it.
My laziness saved me long enough for my paranoia to set in:
- After a bit, I realized that I never used the address in question to receive Red Hat technical updates. I did sign up for Red Hat technical updates years ago but that address has long since expired. How’d Red Hat get this one?
- The mail was blind carbon, not entirely suspicious in itself but, enough to prompt me to examine the mail more closely.
- I looked at the mail’s markup and headers and saw that they pointed to locations that didn’t make sense: ns1.ultracoms.net, www.wcml.co.uk and 188.8.131.52. Please note, the proceeding links are safe; they point to whois records, not the machine or machines where this spam came from. I have a suspicion these sites won’t be visible on the Net much longer.
- With my browser, firewall and proxy security set to maximum and from an IP number not related to my work address, I viewed these locations. If you’re curious, for the love of all that’s holy to you, please don’t use Internet Explorer to look at these locations!
- Then I started taking strings from the mail to put in a search engine. Sure enough, I got back lots of pages warning about a social engineering hoax that was nearly exactly like the one I got.
Phew! Dodged a bullet there! But clearly, the mail shows that the phishing scheme is mutating. The two pages I cite in point five are already of out of date.
This mail scared me. From now on, whenever someone laughs at my network paranoia, I’m going to point them to this page and say, “Never say never!”