brendinghat.com Important Notice: Emails Pending Delivery

From: "brendinghat.com" <ready2drivemd@gmail.com>
Date: 22 Jul 2020 01:14:33 -0700
Subject: Important Notice: Emails Pending Delivery


Pending Emails

Dear Nigel@brendinghat.com

A communication error occurred while delivering some of your messages.
The server detected 7 failed messages, you can view them here and choose
what happens to them.

View Verification
 <Suspicious link to firebase storage> 
IT-Help-Desk
phone +25030384200
e-mail: helpdesk@webapp.com
 <Suspicious link to firebase storage> 

This email was automatically generated by the OUTLOOK IT ticket
system. You can reply directly to this email (Please do not change the
reference numb
 <Suspicious link to firebase storage> 

Technical Analysis

The actual email showed a button to click. We have to strip that out for our website. The button link takes you to a form on the Firebase website.

Firebase is a Google-sponsored storage area for web developers. A scammer can use it to host a simple form which mimics a login and steals a password.

So the victim receives an email warning them that their account has a problem and is presented with the cure – a button to click. They are taken to a login screen where they see their name, and as the URL mentions Google (firebasestorage.googleapis.com) they assume it must be safe.

They enter their password. Behind the scenes, the form redirects the user to another site, https://example.com/savepassword?email=nigel@brendinghat.com&password=xyz321, and now the scammer has a new login/password combination to try on various sites: every website my poor colleague has registered with using his xyz321 password.

A good example of why we should have a different password for every website.
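The signals in this message can be checked mechanically. The sketch below is an added example, not code from the original post: it flags a display name that claims a domain the mail was not sent from, links to the shared Firebase storage host, and (for web-proxy logs) URLs that carry an email and password in the query string. The bucket name and object path in the sample are constructed placeholders, and the parameter names checked are assumptions based on the URL shown above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# User-content hosts: the hostname says nothing about who wrote the page.
USER_CONTENT_HOSTS = {"firebasestorage.googleapis.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

def check_url(url):
    """Findings for one URL taken from a message body or a web-proxy log."""
    parts = urlparse(url)
    host = parts.hostname or ""
    findings = []
    if host in USER_CONTENT_HOSTS:
        findings.append(f"link to user-content host {host}")
    params = {k.lower() for k in parse_qs(parts.query)}
    # Credentials in a query string also leak into logs and browser history.
    if "password" in params and params & {"email", "user", "username", "login"}:
        findings.append(f"credentials in query string sent to {host}")
    return findings

def check_message(raw):
    """Findings for one plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    display = display.strip().lower()
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    # The display name claims a domain the mail was not sent from.
    if DOMAIN_RE.match(display) and display != sender_domain:
        findings.append(f"display name '{display}' but sent from '{sender_domain}'")
    for url in URL_RE.findall(msg.get_payload()):
        findings.extend(check_url(url))
    return findings

# Constructed sample: headers from the article, link replaced by a placeholder.
SAMPLE = """From: "brendinghat.com" <ready2drivemd@gmail.com>
Subject: Important Notice: Emails Pending Delivery

The server detected 7 failed messages, you can view them here:
https://firebasestorage.googleapis.com/v0/b/EXAMPLE-BUCKET/o/form.html?alt=media
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("mail:", finding)
    print("proxy:", check_url("https://example.com/savepassword?email=nigel@brendinghat.com&password=xyz321"))
```

A hit on the user-content host alone is weak, since legitimate apps also serve files from it; it is the combination with the sender mismatch that makes the message worth quarantining.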

2 thoughts on “brendinghat.com Important Notice: Emails Pending Delivery”

  1. Hi,
    We work in an industry business in Uruguay. We received the same type of mail.

    What link did you receive?

    We received “https://**************** ”

    IT-HelpDesk
    Uruguay

    1. Thanks for passing by. I am afraid we have to redact links – we do not want to send people to dodgy sites! Your link appears to be a well established website – the full url could be pointing to a hacked section of their site or they have used a technique to disguise the actual location.

      We do see a lot of the above scams. If you had clicked on the link (please don’t) you are taken to a login screen asking for your password. Enter your password and someone now has your login details.

      We have investigated this Email a bit further, please watch this page. We will add our report shortly.
