It was only a few weeks ago that I blogged about a car tax scam a friend sent me, and this morning a different friend sent me a different DVLA Car Tax Scam!
Red flags;
Email is obviously not right
If you hover over the button it goes here: hXXps://taxreminderservicewebbapps.urbanconcepto.com/?alwasyw – doesn't look very government-y, does it!
It's also not addressed to my friend – “Dear Vehicle Owner”
Etc….
The button takes you to a fake website. Interestingly, after I had visited the website once, it would not let me view it again. I tried clearing cache and changing IP and it still didn't work, but then I switched to my phone and it worked again. They had screenshot blocking technology on the website so I had to take photos of it on a different phone. This made me feel about 78 years old, but I didn't have time to get it working on my laptop again so I could take proper screenshots haha.
Same as usual though: a fake website on a hacked domain. Once you fill those details out it sends them to someone and then boom, you are a few ££ short in your bank account.
Take your time and read things, look out for red flags and if you are unsure – give me a shout 🙂
Honestly, this one was scary! There were ZERO red flags, apart from the fact I know this email address doesn’t exist. Absolutely EVERYTHING ELSE was 100% convincing.
Fake Google Doc Share Email
So I got this email to my work email, from an account with the same domain as my work. So this looked like a 100% convincing internal document share;
So we had another fake Google email as part of a scam recently, but that one had a Googlemail.com email as the sender, and a few other things that indicated it was dodgy – this one didn't. This one was VERY professionally put together.
There is nothing there (apart from the fact I know finance@mydomain.url doesn’t exist) to indicate this is not a legitimate email.
Breaking Down the Fake Google Doc Share Scam
So, the email itself looked legit, and the URL the button wanted to take me to was this (URL obfuscated to avoid it being crawled or clicked);
So on the face of it, it isn't screaming SCAM, as it came from what appeared to be a totally legitimate Google email!
NEVER CLICK ON LINKS IN EMAILS OR BUTTONS IN EMAILS IF YOU ARE UNSURE OF THE LEGITIMACY OF THE EMAIL. LEAVE THAT TO IDIOTS LIKE ME.
The URL itself (opened in a controlled environment) opened a page with what appeared to be a Captcha;
Looking into the source code, the page was quite simple and in fact looked like it had been ripped from a template somewhere – there were placeholders like this;
Which is quite surprising, considering how much effort they had put into the rest of it. That said, the implementation of this scam is quite advanced in that they are using an SVG (which is essentially an image) to contain the Base64-encoded payload.
What the page is trying to do is this: the captcha is there to stop bots and the like from finding their fake Google login page, which is where the page was going to redirect me once I had filled in the captcha.
hXXps://accounts.authenticationsystems.cloud
That is the URL I decoded from the Base64 string you can see in the above screenshot. The URL doesn't work, so maybe they had already been shut down by the time I got to it?
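Recovering that next-hop URL from the page source is worth scripting, because the same trick (a Base64 string tucked into an SVG attribute) turns up in kit after kit. This is an added example and not code from the post: it scans a constructed page snippet for Base64 runs, keeps only the ones that decode to an http(s) URL, and defangs them for reporting; the URL, hostnames and attribute names are all placeholders.

```python
import base64
import re

# Constructed next-hop URL (placeholder, not the real phishing domain) and the
# Base64 form a kit would embed in the page.
NEXT_HOP = "https://login.example-placeholder.invalid/?session=abc"
ENCODED = base64.b64encode(NEXT_HOP.encode()).decode()

# Constructed page source: a template placeholder, an inline SVG carrying the
# encoded redirect target, and a decoy Base64 blob that is not a URL.
SAMPLE_HTML = (
    '<html><body><div id="captcha">{{CAPTCHA_PLACEHOLDER}}</div>\n'
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1" '
    'data-next="' + ENCODED + '"></svg>\n'
    '<script>var noise = "SGVsbG8gd29ybGQ=";</script></body></html>'
)

# Runs of Base64 alphabet characters (12+), with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
URL_PREFIX = re.compile(rb"^https?://", re.IGNORECASE)


def defang(url: str) -> str:
    """Render a recovered URL non-clickable, in the hXXps style the post uses."""
    return re.sub(r"^http", "hXXp", url, flags=re.IGNORECASE).replace(".", "[.]")


def find_encoded_urls(page_source: str) -> list[str]:
    """Return every Base64 run in the source that decodes to an http(s) URL."""
    found = []
    for match in B64_RUN.finditer(page_source):
        blob = match.group(0)
        # Pad to a multiple of 4 so a run that lost its '=' still decodes.
        blob += "=" * (-len(blob) % 4)
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real Base64
            continue
        if URL_PREFIX.match(decoded):
            found.append(decoded.decode("utf-8", errors="replace"))
    return found


if __name__ == "__main__":
    for url in find_encoded_urls(SAMPLE_HTML):
        print("embedded redirect:", defang(url))
```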
Why This Scam Seems to Go Nowhere?
So it seems strange that the final step in this puzzle is a dead end. Why go through so much effort, to then fall at the final hurdle?
Well, in some cases that's the point. These scams are a burn-and-rotate kind of scam. The first step is the super convincing email; the second step is a “gatekeeping” step to stop bots and the like from following links and flagging the website as malicious.
The final bit of the scam is the piece that can be linked back to the perpetrator – and this is the bit that gets burned quickly after the scam has taken place. I have reached out to the .cloud domain registrar to see if that domain was in fact registered, and if so, to whom – but due to GDPR I don't expect they will give me any info. I'd like confirmation on whether it was ever registered or not, though.
If it had loaded, it would have probably looked identical to a Google login page, and at that point if I had input my details, it would have pretended to log in, send my Google details to some dodgy person somewhere or store them in a file on their server, and then redirect me back to a legitimate Google login page.
I will update this post if I hear back from the .cloud registrar.
UPDATE 15/12/25
I received this on Friday – result!
They confirmed afterwards that the domain was already suspended by the time I had emailed them – which I sort of suspected anyway, to be honest. I don't think it was registered for long, and in fact there was no WHOIS info available, so it's likely it was only online for a very brief period of time. At least it's not just me fighting the good fight!
My take-away from all this is that with the rise in AI and tools that can help you make phishing sites with the click of a button, we are gonna have to be on our toes 100% of the time to ensure we stay safe. This particular scam was so detailed, and had almost no red flags at all. This would have fooled even the most switched-on user.
Things seem to be coming at me thick and fast at the moment. A customer of mine recently signed up to use my agency as their CBD payment gateway partner. We have been integrating it for a while now and were about to go live when he got this Trustwallet Systems SCAM email;
The Trustwallet Systems SCAM Fake Email
Now, most of you reading this may not have heard of a payment company called Trustwallet Systems – but the supplier I work with literally has the word Trust in their name. The similarities between the wording used here and the wording used by my supplier are spooky. Trustwallet Systems actually seems to be crypto-related, but the similarities between their name and the name of my payment partner are scary.
So what is this Trustwallet Systems SCAM?
I'm afraid this time I wasn't able to find out. All the warnings (Nord, Chrome, etc.) suggested that it was malware-related – which would mean visiting the links would result in your PC being infected. And then you would probably get popups about how your device was infected and you had to pay some fake support company in Amazon gift cards to “fix it” for you.
The link at the end of the trail was already dead, so well done whoever reported them 🙂
This was spooky, well timed, and could have fooled my client – but thankfully my clients are switched on and always double check things like this with me first.
I actually use Mailgun, it's fantastic – so when I first saw the email subject land in my inbox, I was initially alarmed, as I don't want a missed payment to affect the deliverability of website emails etc.
The Mailgun Scam Email
Google did flag the email as suspicious, to be fair, but if this had come into a mail client like Outlook or Thunderbird it may not have been flagged and could have tricked someone.
Mailgun Scam: The Red Flags
OK, so as always we look for the red flags so we can all get better at spotting the scams.
Sender email: This seemed to come from a domain I own, which isn’t unusual.
Reply-to email: info@wasteconnections.com
Pretty sure that isn't an official Mailgun email account!
The button: Linked to a huge SendGrid URL, so it wouldn't really have been alarming, as that's not unusual. SendGrid is an email marketing service. I have informed SendGrid.
Digging Deeper into the Mailgun Scam
**NEVER PRESS BUTTONS OR LINKS IN DODGY EMAILS**
So, I pressed the button (lol) and it took me to some page that looked like it was processing something, and then boom, the Mailgun login window appeared;
This was hosted on Microsoft Azure, so I reported the website to the relevant department at MS.
If I had been tricked up to this point, I think I'd have been a bit alarmed at the fact they pre-filled my email; I know Mailgun don't do this, as I log into it most days.
None of the buttons apart from “Continue” seemed to do anything – seems to be a trend at the moment.
I entered a fake password and pressed next; it asked me to confirm my password, which is NOT how the Mailgun website works. I confirmed my fake password, and they then asked me for a 2FA code, which I also faked.
It seemed to hang at this point; I don't know if it was trying to log into my Mailgun account in the background or something.
I checked in the background and it is pulling a file from here;
That must be the most sketchy looking domain name extension I have ever seen in my life haha. I have reported this domain as well.
The Mailgun Scam: Conclusion
This seems to be a classic “Credential and MFA phishing” scam, focusing on Mailgun for some reason. Perhaps because once they are in they can send 30,000 spam emails or something.
Remember to check for red flags when getting an email or message that raises alarm bells, and if in doubt send it to me 🙂
Stay eSafe peeps!
Credential and MFA phishing Scam FAQs
Why do scammers create fake login pages that look like services like Mailgun or Sinch?
Because they know those are “backend” services that not many people outside digital teams understand. They rely on the fact that inboxes, tech teams, and marketing people will see the branding and think it’s legit. Once they have your login details, they can get into your email sending service and use it to send out further phishing emails that look totally legitimate (which then spreads the attack).
Why do these fake pages ask for passwords and then a 2FA code as well?
If they only took a password, the victim could still be protected by 2FA. Scammers now know this, so they make the fake form walk you through entering a 2FA token which they immediately use in real time to log into the real service as you. So they capture both your password and your temporary code.
How can I spot these scams before I click on anything?
Always check the actual domain name before typing in any credentials. If the domain is weird, cheap, or doesn’t match the official brand (for example something like “sourcebigwhale.cfd” instead of “mailgun.com”) then it’s almost certainly malicious. Legit login pages will always be on official domains, never random ones. Also, if a link comes out of the blue, treat it as untrusted until you verify it.
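The two checks above (the Reply-To domain not matching the sender in the Mailgun red flags section, and a link host that is not the brand's own domain) are easy to automate on a raw message. This is an added example, not code from the post: it runs both checks over a constructed sample email with placeholder addresses and hosts, using only the Python standard library.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message modelled on the Mailgun scam's red flags: sender on
# the recipient's own domain, Reply-To on an unrelated domain, and a button link
# on a bulk-mailer host rather than the brand's site. All values are placeholders.
SAMPLE_EMAIL = """\
From: Mailgun Billing <billing@mydomain.invalid>
Reply-To: info@unrelated-company.invalid
To: me@mydomain.invalid
Subject: Payment failed - action required
Content-Type: text/html

<p>Your payment failed.</p>
<a href="https://click.bulk-mailer.invalid/ls/click?upn=abc123">Update billing</a>
<a href="https://help.mailgun.com/">Help centre</a>
"""

HREF = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address header, '' if absent."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def is_brand_host(host: str, brand_domain: str) -> bool:
    """True only for the brand domain itself or one of its subdomains."""
    return host == brand_domain or host.endswith("." + brand_domain)


def red_flags(raw_message: str, brand_domain: str) -> list[str]:
    """Return human-readable red flags found in the headers and body links."""
    msg = message_from_string(raw_message)
    flags = []
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    for url in HREF.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if not is_brand_host(host, brand_domain):
            flags.append(f"Link host {host} is not {brand_domain}")
    return flags
```

The brand domain is whatever service the email claims to be from; a look-alike host such as the one quoted in the FAQ fails `is_brand_host` because it is neither the brand domain nor a subdomain of it.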