Covid-19 Email Scam Analysis

Beware of this common NHS Covid-19 Vaccine email scam

Last April I published a blog on the use of the “Friendly From” field to create convincing-looking emails that would fool most users. In this last week, there has been a very convincing email doing the rounds asking users to sign up for their Covid Vaccination.

In this Blog I warn that legitimate-looking email addresses are being put into the “Friendly From” but inside the wrong shape brackets. E.g. (John.smith@company.com) instead of inside <angle brackets> as these are the correct brackets for an email address.

Well, the recent NHS spoof was a simple but very clever twist on this theme.

Here is the actual header information from one of those spoof emails:

From: “noreply@nhs.gov.uk <noreply@nhs.gov.uk> on behalf of NHS digital <noreply@nhs.gov.uk>” <kanda@visceral.co.jp>

Date: 25 Jan 2021 15:58

Subject: Book an appointment using the NHS e-Referral Service – NHSVaccination

Again if you look at this string the only part that matters is the end email address inside the angle brackets. E.g. <kanda@visceral.co.jp> This is the “From address”. What appears before this is the “Friendly From”… you would normally expect this to be something like John Smith and it is just text.

What the attacker has done that is so very clever is they have put everything in the “Friendly From” field inside “quotes”. This has the effect of turning everything inside the quotes into text – The receiving mail system will ignore the angle brackets inside the “friendly from” but most people won’t spot the quotes or even understand the significance of them. To them it will look like the email has come from <noreply@nhs.gov.uk> especially since on a mobile device, the true “From” may not get displayed at all.

The second technique used is to pad out the length of the text string. On some devices, only a limited number of characters from the start of the email address will be displayed. By using a long text string the attackers are hoping that the real “From” address will not get shown. On many devices and clients, only the “Friendly From” is displayed in an attempt to make the interface more user friendly!

You have to recognize the simple but effective techniques used here will fool most people. Even with training, this was not easy to spot. You would think that there would be some way of stopping hackers from putting email addresses inside the “Friendly From” but this is perfectly within the scope of what is defined in the RFC.

I would point out that the Red Sift solution for Inbound Phish detection OnINBOX picked this attack up. We actively monitor the “Friendly From” in every email and if it contains something that looks like an email address we compare it to the real “From” address and if they don’t match we flag the email as a threat. (We also detected the link in the email as malicious as well….)

Check out our website to learn more about how our platform can help your organization combat phishing attacks.

Red Sift find out more

PUBLISHED BY

Grant Revan

2 Feb. 2021

SHARE ARTICLE:

Recent Posts

VIEW ALL
Certificates

Preventing certificate related violations in cybersecurity frameworks:  A guide to certificate monitoring…

Rebecca Warren

TLS is one of the most widely adopted security protocols in the world allowing for unprecedented levels of commerce across the internet.  At the core of the TLS protocol is TLS certificates. Organizations must deploy TLS certificates and corresponding private keys to their systems to provide them with unique identities that can be reliably…

Read more
ASM

Red Sift ASM & Red Sift Certificates: the missing link in your…

Billy McDiarmid

According to Gartner, Attack Surface Management (ASM) refers to the “processes, technology and managed services deployed to discover internet-facing enterprise assets and systems and associated exposures which include misconfigured public cloud services and servers.” This broad category of tooling is used within Continuous Threat Exposure Management (CTEM) programs, with many vendors within it having…

Read more
Email

The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more