Don't click on that link - A story

Have you received an email with the subject "important", "invoice", or "new" from a friend? Think about it: does it make sense that your friend is sending you an invoice or an "important" document?

Did the email contain just a link, especially one ending with the letters "php"? Despite what you might think, it is not your friend sending you that link.

Here is an example. This was received from Gmail (Google) and trapped by the anti-virus filter at User Friendly IS (identifying info removed and links made unclickable):

Received: from mail-io0-f193.google.com (209.85.223.193)
  by mail.userfriendlyis.com with RC4-SHA encrypted SMTP; 16 Apr 2016 20:39:25 -0400
Received-SPF: pass (mail.userfriendlyis.com: SPF record at _netblocks.google.com designates 209.85.223.193 as permitted sender)
Received: by mail-io0-f193.google.com with SMTP id g185so19422595ioa.0
        for <removed>; Sat, 16 Apr 2016 17:39:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to;
        bh=AE+jgtYVsd23TpgTNPH38w0RQ1Tz/HBNSwZBpcHnIV8=;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:date:message-id:subject:from:to;
        bh=AE+jgtYVsd23TpgTNPH38w0RQ1Tz/HBNSwZBpcHnIV8=;
X-Gm-Message-State: AOPr4FVPLg22j+DVZIKiIKTCXTPSf3LCQC1IstTJ9R6CoQKBAooMqd1fkGdvW3sgvWRVL73XpJp1KIB7NTuqFA==
MIME-Version: 1.0
X-Received: by 10.107.15.141 with SMTP id 13mr23962486iop.193.1460742653497;
 Fri, 15 Apr 2016 10:50:53 -0700 (PDT)
Received: by 10.107.184.134 with HTTP; Fri, 15 Apr 2016 10:50:53 -0700 (PDT)
Date: Fri, 15 Apr 2016 18:50:53 +0100
Message-ID: <CADkb5G7YYPaMJ_t1Z0pEFSo0cDrh6PGk4ceB15B6s-MhRd+Gyw@mail.gmail.com>
Subject: April Update
From: <removed>
To: <removed>
Content-Type: multipart/alternative; boundary=001a113e9000f880a5053089a6f0

--001a113e9000f880a5053089a6f0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

 Elaine shared this important document (April-Approval.pdf) with you.
         This document is securely stored using GoogleDocs Online PDF.

Click Here
<h__p://irprpro.com/clients/SouthernHomeMed.com/components/com_user/views/r=
egister/tmpl/new/index.php> <--- The LINK -- DON'T CLICK IT

Thank you.

The above email was sent via a Gmail server to a large list of users by someone who probably clicked on a link in a similar email.

Can you tell by looking at that link what it is? No, and neither can I. Using some tools, I "clicked" on the link (actually just downloaded the content outside of a normal web browser) and what did I find? An email phishing scheme. It was a web page trying to get you to enter your email credentials so you could get that important document.

DON'T DO IT. DON'T CLICK THAT LINK.

If you believed the email, clicked the link and entered your email username and password, then the person behind the email that you received now has your email account and password. I'm guessing that the important document contains a trojan Microsoft Word document/PDF/Flash file that will execute code on your system that will encrypt your files and make you pay to un-encrypt them, or it could just grab your address book and spam all your friends. Who knows what these miscreants will do.

If you think an email is suspicious, it probably is.
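One way to pull the link out of a message like the one above without opening it, added here as an example (it is not the tooling used for this story): it undoes the quoted-printable line break that splits the URL across two lines, reports the link in unclickable form, and checks the warning signs described above. The sample message, the example.test addresses and the function names are made up for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Constructed sample shaped like the message above; example.test is a placeholder.
SAMPLE = """\
Received-SPF: pass (mx.example.test: sender permitted)
MIME-Version: 1.0
Subject: important
From: friend@example.test
To: you@example.test
Content-Type: multipart/alternative; boundary=BOUND

--BOUND
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Elaine shared this important document (April-Approval.pdf) with you.
Click Here
<http://phish.example.test/clients/components/com_user/views/r=
egister/tmpl/new/index.php>
Thank you.
--BOUND--
"""

SUBJECT_WORDS = {"important", "invoice", "new"}  # subjects named in the article
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def defang(url):
    # Make the URL unclickable for notes and reports, as done in the article.
    return url.replace("http", "h__p", 1).replace(".", "[.]")

def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    # get_content() decodes quoted-printable, rejoining the URL split by "=\n".
    text = part.get_content() if part else ""
    urls = URL_RE.findall(text)
    flags = []
    if str(msg.get("Subject", "")).strip().lower() in SUBJECT_WORDS:
        flags.append("generic subject")
    if any(urlsplit(u).path.lower().endswith(".php") for u in urls):
        flags.append("link ends in .php")
    if urls and len(URL_RE.sub("", text).split()) < 25:
        flags.append("body is little more than a link")
    if str(msg.get("Received-SPF", "")).lower().startswith("pass"):
        flags.append("SPF pass shows the sending server, not who typed it")
    return {"urls": [defang(u) for u in urls], "flags": flags}
```

A plain text search over the raw message would stop at "r=" and miss the ".php" ending, which is why the body is decoded first.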

BTW, the software at the link was Joomla, but the interesting thing is that it was embedded in a WordPress install.

REMEMBER DON'T CLICK THAT LINK

Now here are some links you can click

What did I just say? LOL. Check out our Google Safe Browsing report: https://www.google.com/transparencyreport/safebrowsing/diagnostic/index.... and the report for our network: https://www.google.com/transparencyreport/safebrowsing/diagnostic/?hl=en...