I received 3 of these the other day. For those not aware, Dicks is the largest sporting goods store chain in the USA.

DICKS SPORTINGGOODS!! <wqrwrsss-@acohhovldzbqmulu.ml>
Subject: You've beean chosen!
SPF: PASS with IP 40.107.117.103
DKIM: 'PASS' with domain acohhovldzbqmulu.ml

Dicks Sporting Goods Winner <eushfyuefdsf-@chistezlhekofu.ml>
Subject: -You've been chosen!
SPF: PASS with IP 40.107.215.70
DKIM: 'PASS' with domain chistezlhekofu.ml

Google detects them all as Persian, and asks if I want to translate.

Also interesting: Message ID <6324876e.050a0220.efb1a.fe7bSMTPIN_ADDED_BROKEN@mx.google.com>

The only text in the message: Your Name Came Up For a YETI Hopper M//20 Cooler customer Gift

Ends up linking to here: https://templarswoards.com/39adf46955f3971c805bc32b65a2cb08

After filling out a 'survey' it asks for name, address, email, phone: https://www.simplediscountshop.com/staging/backpack/refresht...

It then asks for a credit card number to pay the $6.95 shipping.
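Added example, not from the thread: a Python check of the kind a mail filter would run over the headers quoted above. It treats the Gmail SPF/DKIM results as DMARC-style alignment inputs (the throwaway .ml domain passes, because the sender controls it) and separately flags a display name that claims a brand the From domain is not known to send for; the allowlist entry dickssportinggoods.com and the two-label organizational-domain shortcut are assumptions.

```python
import re
from email.utils import parseaddr

# Assumed allowlist: domains each brand is known to send from (assumption,
# not taken from the thread). A real filter would source this from DMARC
# records or a maintained brand registry.
BRAND_DOMAINS = {"dicks sporting goods": {"dickssportinggoods.com"}}


def organizational_domain(domain):
    """Crude eTLD+1 (last two labels). Real DMARC uses the public suffix list."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _squash(text):
    # Collapse case, spaces and punctuation so "DICKS SPORTINGGOODS!!" and
    # "Dicks Sporting Goods Winner" both contain the same brand token.
    return re.sub(r"[^a-z0-9]", "", text.lower())


def assess(from_header, spf_domain=None, dkim_domain=None):
    """Return a list of findings for one message.

    from_header: the RFC 5322 From value as shown by the mail client.
    spf_domain:  envelope-from domain that passed SPF (None if unknown; Gmail's
                 summary line only shows the IP, as in the thread).
    dkim_domain: the d= domain of a passing DKIM signature.
    """
    display, addr = parseaddr(from_header)
    from_dom = organizational_domain(addr.rsplit("@", 1)[-1])
    findings = []

    # DMARC alignment: at least one passing identifier must share the From
    # organizational domain. The thread's samples satisfy this trivially.
    spf_aligned = bool(spf_domain) and organizational_domain(spf_domain) == from_dom
    dkim_aligned = bool(dkim_domain) and organizational_domain(dkim_domain) == from_dom
    if not (spf_aligned or dkim_aligned):
        findings.append("unaligned")

    # Brand impersonation: the display name names a brand, but the From
    # domain is not one that brand sends from. This is what catches the
    # samples above even though SPF and DKIM both pass.
    squashed_display = _squash(display)
    for brand, domains in BRAND_DOMAINS.items():
        if _squash(brand) in squashed_display and from_dom not in domains:
            findings.append("display-name impersonates " + brand)
    return findings
```

Run `assess("DICKS SPORTINGGOODS!! <wqrwrsss-@acohhovldzbqmulu.ml>", dkim_domain="acohhovldzbqmulu.ml")` to see that alignment passes and only the brand check fires.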
Weirdly, in my case the links in the email were pointing at lnkd.in/<some payload>, which is a legit LinkedIn domain. However, with that payload it was 301-ing me to some garbage script on Google storage and then to some shady website. I'm curious how they made lnkd.in respond with a 301 to whatever they want, and whether there can't be a vulnerability of some sort.