I received a really, really good phishing attempt.

Somebody tried to phish me and I couldn't even be mad

2023-11-25

Tags: Tech, Cybersecurity

Backstory

I host my own email and for that I rent a VPS from Netcup, a german hosting provider. I tried hosting on my own hardware at home, but having a static IP-address and a server where the uptime is reasonably guaranteed is a big plus. I don’t rent dedicated email hosting, just a root server, which I can use to my hearths content (it is also the home for some of my backups). I rent my domain from njalla, a privacy respecting domain registrar.

The story

I get an email from an entity that looks like my hosting provider, where they inform me, that my domain is about to expire and my mail service will be terminated. The “name” above the subject line states its “Netcup GmbH” and the whole email layout looks reasonably legit. Logo, layout, grammar and spelling all seem super legit.

My first thought was: “Huh, I thought I payed Netcup this year already, whats up with that?” (I pay my hosting provider on a yearly basis). After scrolling absently a bit and searching my brain for evidence that I already payed them I finally remember. I don’t rent my domain from Netcup, how the fuck do they know it is about to expire and want me to renew it? With a dawning realization I check the sender address. It’s “contatti@therapeutelyon.fr”. The fuck is up with that, that’s totally not legit! After chuckling a bit to myself that it took me so long I decide to check out the rest of the email.

There is a link to a page where I am supposed to renew the domain. Following the link it sends me to a site with “https://customercontrolpanel.netcupde.com/7748-1-2/” as the domain (Update: this site has been taken down). Netcup has super weird domains for their account- and server-management pages. “customercontrolpanel.de” and “servercontrolpanel.de” respectively. On the first time visiting them I made damn sure they are legit, as those domains look super weird, but indeed, they are legit.

Slight tangent, what the fuck is up with orgs and governments not making use of subdomains on their definitely legit domains. For example the German government or my bank. When I google something related to my government I am never totally sure on the first time visiting a website, if it is legit. Because it will be some super weird domain I definitely would buy for a phishing campaign. Fuck use a subdomain or your definitely verifiable and recognizable domain already!!!

The funny part, where the phishers could definitely could have done better, is, that they actually registered “netcup.com” and made “customercontrolpanel” a subdomain. They totally could have just flipped some letters in the name, registered that, and I would have a much harder time spotting it.

Further, the site looked much better than the legit site, so that was funny too. I searched up Netcup’s site to see if they released something about this happening, and they actually did, so I didn’t notify them about the issue.

Thinking about this for a bit, because I am so stunned that this attempt is so good, I wonder how they got all that information about my server and domain. They knew about my domain and they know, that the server I am using is running on Netcup. Those two informations aren’t linked directly. I have two guesses as to how they linked those.

  1. They scanned all of Netcup’s servers (the IP ranges of most hosting providers are easily accessible), noticed mine was a mail server and used the rDNS entry I set up on Netcup, to get the associated domain.
  2. They scanned my domain, got the IP address and noticed it was a Netcup VPS, because the IP was in the address range of Netcup.

Mind, those are some really rough drafts I came up with within 5 minutes. I checked neither of them for validity and viability. It could also be, that the assumption I based those conclusions on are totally wrong.

In conclusion, if not for the email address and me remembering I rent my domain for a different service (Netcup also offers renting domain, making this even harder to notice if you use that service), it was a really hard to spot phishing attempt. And I work in this field, so it would be even harder for people not in the industry and/or trained to spot this to notice the attempt. The grammar was on spot, no spelling mistakes, the layout of the email and the website was perfect, even better than the original (this also set off some alarm bells in my head, but I just thought that they maybe just redesigned their online appearance.

It was so good, as a person working in the industry, I have to lift my hat^^.

Stay safe out there.