Yesterday, I received a well-crafted phishing attempt email targeting users of a French e-toll company. While this email contains no mobile malware (my field), I wanted to look into it.
Note that the company currently reports several phishing attempts, and the linked page was particularly useful 👍 in confirming that this was phishing.
A well-crafted phishing attempt
The phishing email is well done:
- The French is impeccable,
- The email and website domain names match and seem reasonably legit,
- There is also an unsubscribe link,
List-Unsubscribe: <unsubcribe@ulys-facturation.com?subject=unsubscribe>, <https://unsubcribe.ulys-facturation.com>
- The logo looks correct,
- Email headers do not show any particular anomaly. There is a “no-reply” sender, which makes the email look quite “professional”.
Sender: Ulys by VINCI Autoroutes <noreply@ulys-facturation.com>
The HTML code does not reveal any particular trick, except that the button links to hxxps://ulys-facturation.com. However, this domain name looks legitimate, and it matches the email's domain name.
So, how do I know it’s phishing? Well, because I don’t have an e-toll device from that company 😏, and thanks to the official company's webpage warning about phishing attempts (link at the top of this blog post).
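As an added defender-side check, not part of the original post: a small Python script that pulls every domain out of the sender-side headers and the links in the body, then buckets them against the brand's real domains. The sample email and the `OFFICIAL_DOMAINS` allowlist are constructed placeholders; what it shows is that the sender and link domains agreeing with each other proves nothing, only agreeing with the company's own domain does.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumed allowlist of the brand's real domains (placeholder; use the ones the company publishes).
OFFICIAL_DOMAINS = {"official-brand.example"}
# Brand words whose presence in a non-official domain marks it as a lookalike.
BRAND_KEYWORDS = ("ulys", "vinci")
# Constructed sample reproducing the headers and button link discussed above.
SAMPLE_EMAIL = """\
Sender: Ulys by VINCI Autoroutes <noreply@ulys-facturation.com>
List-Unsubscribe: <unsubcribe@ulys-facturation.com?subject=unsubscribe>, <https://unsubcribe.ulys-facturation.com>
Content-Type: text/html; charset=utf-8

<html><body><a href="https://ulys-facturation.com/renouvellement">Renouveler</a></body></html>
"""
URL_RE = re.compile(r'https?://[^\s"<>]+', re.IGNORECASE)
ADDR_RE = re.compile(r'[\w.+-]+@([\w.-]+)')

def domains_in(text):
    """Hostnames of every e-mail address and URL found in a string."""
    found = {d.lower() for d in ADDR_RE.findall(text)}
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            found.add(host.lower())
    return found

def extract_domains(raw):
    """Domains from the sender-side headers plus the links in the body."""
    msg = message_from_string(raw, policy=policy.default)
    found = set()
    for hdr in ("From", "Sender", "Reply-To", "Return-Path", "List-Unsubscribe"):
        for value in msg.get_all(hdr, []):
            found |= domains_in(str(value))
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        found |= domains_in(body.get_content())
    return found

def is_official(domain):
    """True only for an allowlisted domain or one of its subdomains (not a lookalike prefix)."""
    return any(domain == o or domain.endswith("." + o) for o in OFFICIAL_DOMAINS)

def classify(domains):
    """Bucket each domain: matching the sender proves nothing, matching the brand's own domain does."""
    verdict = {"official": set(), "lookalike": set(), "other": set()}
    for d in domains:
        lookalike = any(k in d for k in BRAND_KEYWORDS)
        verdict["official" if is_official(d) else "lookalike" if lookalike else "other"].add(d)
    return verdict
```

Run on the constructed sample, every domain lands in the "lookalike" bucket and none in "official", which is the signal the matching sender and link domains hide.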
Investigating the domain name
The domain name was registered at Squarespace Domains (NB: the registrar itself is legitimate and is not connected to the phishing attempt).
Currently, the domain name resolves to 91[.]215.85.189, which is hosted in Russia. Note: this does not attribute the attempt to Russia; that would require many more elements.
Many other domain names resolve to the same IP address. Among them are a few more targeting the e-toll company (ulys-pass-renouvellement[.]com, ulys-vinci-autoroute-renouvellement[.]com), but also some targeting a French bank, Société Générale (sg-et-vous[.]com, sg-information-mise-a-jour[.]com…).
— the Crypto Girl