Things seem to be coming at me thick and fast at the moment. A customer of mine recently signed up to use my agency as their CBD payment gateway partner. We have been integrating it for a while now and were about to go live when he got this Trustwallet Systems SCAM email;
The Trustwallet Systems SCAM Fake Email
Now most of you reading this may not have heard of a payment company called Trustwallet Systems – but the supplier I work with literally has the word Trust in their name. The similarities between the wording used here and the wording used by my supplier are spooky. Trustwallet Systems seems to actually be crypto related, but the similarities between their name and the name of my payment partner are scary.
So what is this Trustwallet Systems SCAM?
I’m afraid this time I wasn’t able to find out. All the warnings (Nord, Chrome, etc.) suggested that it was malware related – which would mean visiting the links would result in your PC being infected. And then you would probably get popups about how your device was infected and you had to pay some fake support company in Amazon gift cards to “fix it” for you.
The link at the end of the trail was already dead, so well done whoever reported them 🙂
This was spooky, well timed, and could have fooled my client – but thankfully my clients are switched on and always double check things like this with me first.
I actually use Mailgun, it’s fantastic – so when I first saw the email subject land in my inbox, I was initially alarmed as I don’t want a missed payment to affect the deliverability of website emails etc.
The Mailgun Scam Email
Google did flag the email as suspicious, to be fair, but if this had come into a mail client like Outlook or Thunderbird it may not have been flagged and could have tricked someone.
Mailgun Scam: The Red Flags
OK, so as always we look for the red flags so we can all get better at spotting the scams.
Sender email: This seemed to come from a domain I own, which isn’t unusual.
Reply-to email: info@wasteconnections.com
Pretty sure that isn’t an official Mailgun email account!
The button: Linked to a huge SendGrid URL, so it wouldn’t have really been alarming as that’s not unusual. SendGrid is an email marketing service. I have informed SendGrid.
Digging Deeper into the Mailgun Scam
**NEVER PRESS BUTTONS OR LINKS IN DODGY EMAILS**
So, I pressed the button (lol) and it took me to some page that looked like it was processing something, and then boom, the Mailgun login window appeared;
This was hosted on Microsoft Azure, so I reported the website to the relevant department at MS.
If I had been tricked up to this point, I think I’d have been a bit alarmed at the fact they pre-filled my email. I know Mailgun don’t do this, as I log into it most days.
None of the buttons apart from “Continue” seemed to do anything – seems to be a trend at the moment.
I added a fake password and pressed Next; it asked me to confirm my password – this is NOT how the Mailgun website works. I confirmed my fake password, then they asked me for a 2FA code, which I also faked.
It seemed to hang at this point; I don’t know if it was trying to log into my Mailgun account in the background or something.
I checked in the background and it is pulling a file from here;
That must be the most sketchy looking domain name extension I have ever seen in my life haha. I have reported this domain as well.
The Mailgun Scam: Conclusion
This seems to be a classic “Credential and MFA phishing” scam, focusing on Mailgun for some reason. Perhaps because once they are in they can send 30,000 spam emails or something.
Remember to check for red flags when getting an email or message that raises alarm bells, and if in doubt send it to me 🙂
Stay eSafe peeps!
Credential and MFA phishing Scam FAQs
Why do scammers create fake login pages that look like services like Mailgun or Sinch?
Because they know those are “backend” services that not many people outside digital teams understand. They rely on the fact that inboxes, tech teams, and marketing people will see the branding and think it’s legit. Once they have your login details, they can get into your email sending service and use it to send out further phishing emails that look totally legitimate (which then spreads the attack).
Why do these fake pages ask for passwords and then a 2FA code as well?
If they only took a password, the victim could still be protected by 2FA. Scammers now know this, so they make the fake form walk you through entering a 2FA token which they immediately use in real time to log into the real service as you. So they capture both your password and your temporary code.
How can I spot these scams before I click on anything?
Always check the actual domain name before typing in any credentials. If the domain is weird, cheap, or doesn’t match the official brand (for example something like “sourcebigwhale.cfd” instead of “mailgun.com”) then it’s almost certainly malicious. Legit login pages will always be on official domains, never random ones. Also, if a link comes out of the blue, treat it as untrusted until you verify it.
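The red flags listed for the Mailgun email (a Reply-To on an unrelated domain, a button pointing somewhere other than the brand) and the FAQ advice above (check the actual domain, not the start of the URL) can be checked mechanically. The script below is an added example for this post, not the author's own tooling: it parses a raw email, compares the From and Reply-To domains, pulls every link out of the HTML body and reduces each hostname to the part somebody actually registered, so a long lookalike prefix in front of a throwaway domain is ignored in the same way a careful reader ignores it. The message it analyses is constructed to mirror the post's red flags, the `.example` domains are placeholders, the set of expected brand domains is an assumption supplied by whoever runs it, and the public-suffix table is a deliberately short stand-in for the real Public Suffix List.

```python
"""Red-flag checker for a reported phishing email (added example, not the post's code)."""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a handful of multi-label public suffixes is enough for the demo,
# so that host.example.co.uk reduces to example.co.uk. A real tool would load
# the Public Suffix List instead of this table.
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that was actually registered.

    Anything in front of it (e.g. 'mailgun.com.' as a subdomain of some other
    host) is decoration that a user seeing only the start of a URL cannot spot.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def address_domain(header_value: str) -> str:
    """Extract the domain from a header like 'Name <user@host>' or 'user@host'."""
    addr = header_value.split("<")[-1].rstrip(">").strip()
    return addr.split("@")[-1].lower()


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def check_email(raw: bytes, expected_brand_domains: set[str]) -> list[str]:
    """Return human-readable red flags found in a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    brands = ", ".join(sorted(expected_brand_domains))

    from_domain = address_domain(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = address_domain(reply_to)
        if reply_domain != from_domain:
            flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
        if registrable_domain(reply_domain) not in expected_brand_domains:
            flags.append(f"Reply-To {reply_domain} is not an official {brands} address")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href in collector.links:
            host = urlparse(href).hostname or ""
            if registrable_domain(host) not in expected_brand_domains:
                flags.append(f"Link points at {host} rather than {brands}")
    return flags


# Constructed sample mirroring the post: From on the recipient's own domain,
# Reply-To somewhere unrelated, button on a bulk-mail tracking host.
SAMPLE_EMAIL = b"""\
From: Mailgun Billing <billing@my-own-agency.example>
Reply-To: info@unrelated-company.example
To: me@my-own-agency.example
Subject: Payment failed - action required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your Mailgun payment was declined.</p>
<a href="https://click.bulk-mailer.example/track?u=abc123">Update payment method</a>
</body></html>
"""


def sample_flags() -> list[str]:
    """Run the checker over the constructed sample against the assumed brand domain."""
    return check_email(SAMPLE_EMAIL, {"mailgun.com"})


if __name__ == "__main__":
    for flag in sample_flags():
        print("RED FLAG:", flag)
```

Run it as a script and each red flag prints on its own line; for a real report, read the `.eml` file's bytes instead of `SAMPLE_EMAIL` and pass the brand's real registrable domain.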
A good friend of mine asked me to check an email he had received; he had his suspicions already, but I checked it for him anyway and he was right – Vehicle Tax Renewal SCAM.
The Vehicle Tax Renewal SCAM Email
The Vehicle Tax Renewal SCAM Analysis
First obvious alarm bell is the sender email;
I’m pretty sure that isn’t a Government email address. I have reached out to Tria to let them know they have either had an email account compromised or they have a hole in their mail servers. They got back to me instantly and have said they are investigating, and provided me with some solid advice from a security point of view that would be very useful to someone who wasn’t tech-savvy.
The second thing to do is (if on a PC) hover over the button and look in the bottom left corner of your browser (or wherever the link preview shows in your browser);
Doesn’t look very “Government-y” does it! The link below the button on the email also goes to this location.
NB NEVER EVER EVER CLICK ON LINKS IN THESE KIND OF EMAILS – I AM A TRAINED PROFESSIONAL (aka AN IDIOT) SO I DO THESE THINGS FOR YOU!
OOOOO and just when I thought it couldn’t get any juicier I clicked the link on desktop and was greeted with this;
Now this kind of screen here isn’t unusual, as even if I get sent a scam when it’s pretty new, the scam/phishing websites have often already been taken down. The “Mobile_Only” message there intrigued me though, so I switched to a different user agent and refreshed the page and, just like magic;
It’s interesting that they have made this a “mobile only” Vehicle Tax Renewal SCAM; the only thing I can think of is that people on a phone are more likely not to notice dodgy sender emails and where buttons actually take them to, and are therefore more likely to fall for the scam. I think this is even backed up by the way they structured the URL;
I believe they have structured it like that so that no matter what your phone/device screen size you only see part of it;
And therefore it raises less alarm bells.
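The user-agent switch described above (desktop gets a bare “Mobile_Only” page, a phone gets the real form) is something an analyst can check mechanically rather than by eye. The script below is an added example for this post, not the author's tooling: it fetches the same URL once per User-Agent string and compares a hash of each response, so a page that serves different content to phones and desktops is flagged. Because it must run offline, it also starts a tiny local HTTP server that is a constructed stand-in for the behaviour the post observed; the User-Agent strings are abbreviated examples, and the `fetch_fn` parameter exists so the comparison can be exercised without any network at all.

```python
"""Does a reported URL serve different content to different User-Agents? (added example)"""
import hashlib
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Abbreviated example User-Agent strings (assumption: enough to trigger the split).
USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0",
    "mobile": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148 Safari/604.1",
}


def fetch(url: str, user_agent: str, timeout: float = 5.0) -> tuple[int, bytes]:
    """GET url with the given User-Agent; return (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()


def compare_variants(url: str, agents=USER_AGENTS, fetch_fn=fetch) -> dict:
    """Fetch once per agent; return {name: (status, body_length, sha256)}."""
    results = {}
    for name, ua in agents.items():
        status, body = fetch_fn(url, ua)
        results[name] = (status, len(body), hashlib.sha256(body).hexdigest())
    return results


def is_cloaked(results: dict) -> bool:
    """True when at least two agents were given different response bodies."""
    return len({digest for _, _, digest in results.values()}) > 1


class _ConstructedCloakedPage(BaseHTTPRequestHandler):
    """Constructed stand-in for the page in the post: phones get the form,
    everything else gets the 'Mobile_Only' placeholder."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if "Mobile" in ua or "iPhone" in ua or "Android" in ua:
            body = b"<html><body><form>Card number: <input></form></body></html>"
        else:
            body = b"Mobile_Only"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_constructed_server() -> HTTPServer:
    """Start the stand-in page on a free loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), _ConstructedCloakedPage)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_constructed_server()
    url = f"http://127.0.0.1:{srv.server_port}/renew"
    results = compare_variants(url)
    for name, (status, size, digest) in results.items():
        print(f"{name:8} status={status} bytes={size} sha256={digest[:12]}")
    print("cloaked by user agent:", is_cloaked(results))
    srv.shutdown()
```

Against the local stand-in the two hashes differ and `is_cloaked` reports True; pointed at a real reported URL (with the local server left out), a True result is the cue to look at the mobile variant before deciding the page is already dead.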
None of the other links on the page go anywhere, which is unusual. Often I see with these types of scams they make all the other links 100% legit so it comes across more genuine.
However, I suspect that when the web people at .gov see people being referred to their website from suspicious-looking domains it aids them in finding and shutting the scammers down, so this is probably another tactic by these particular crooks to avoid being detected.
What is the Vehicle Tax Renewal SCAM?
The link on the Vehicle Tax Renewal scam page itself is harmless, it’s just a form;
Notice the font is different on the “Bank Information” bit? They must have been getting mistakes when people were inputting card details, so they added that bit in afterwards so they get two chances to scam you. The card details section did have the ability to check card details to an extent, as it knew my totally made up one was fake – but it did let me use test card details from Stripe.
This scam is basically them just trying to steal your identity – if you fill this form out, it just emails them all your info, and within a few mins of receiving it they would have rinsed you dry.
DO NOT FILL THESE FORMS OUT.
What to do about the Vehicle Tax Renewal SCAM?
If you are unsure if you have tax due, then you will get a letter from the DVLA through the post – and if you haven’t and are still not sure, use this link;
And put your reg in and it will tell you if your tax is due. Do not just rely on email and/or postal notices.
I left the scammers a little note afterwards – but it was a bit sweary so I won’t post it haha.
After I updated the card details to test ones from Stripe (as mentioned above) it let me submit the form;
I was then redirected to the actual gov.uk website.
All in all, quite a well planned out scam but still very basic – they are just trying to steal your info so they can buy shit.
Get a VPN with browser protection like Nord VPN, and when you get emails like this, search for the official website for this kind of thing and Nord will help guide you to the correct website, where you can safely either check or renew your tax.
If in doubt, speak to that friend you have that is proper nerdy n that. They will be able to help. If you don’t have one of those friends, then I’ll be your friend, just comment below.
It’s nice to see the blog comments rolling in again. I’ve given things a bit of a visual refresh and restored a load of old images so lots of old posts have come back to life.
I have recently got my spark for my work and blogging and stuff again. I’m glad, I’ve missed it.