Scammers Running Phishing Scam with Tennessee Government Email ID


Compromising a domain and setting up scams for its visitors is commonplace, but using a government email address to run a phishing campaign is unusual.


Recently, I received an email which, of course, went straight to spam. I wouldn’t care if it was a random email, but in fact it was from a State of Tennessee-based email address.


The email ID is Darlene.Kirk@tn.gov and belongs to Darlene Kirk, a Carroll County clerk at the Department of Motor Vehicles. It is unclear whether the account has been compromised or whether someone is simply using the address as the sender to lure people onto the phishing site.


Here’s a complete analysis of this phishing campaign:


The email comes from the “Darlene.Kirk@tn.gov” email ID (sent from a Tennessee IP address: 170.141.166.33) with the subject “Helpdesk & Support Updates.” The email body claims that unusual sign-in activity was detected and warns users that their webmail account has been “violated” from the IP address 59.69.159.72, which resolves to the ISP “China Education and Research Network Center” in Nanyang city.

[Image: The IP address goes back to China]

The email further asks the user to click the link below to confirm their location.

[Image: Screenshot from the phishing email]



Upon clicking the link, the user is directed to a Netherlands-based domain (hansidmar.nl/onleech.me/index.php), which has probably been compromised to host this phishing scam. The page presents a fake Outlook login form asking users to enter their username and password.

[Image: Screenshot from the phishing page showing the fake Outlook login box]
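The indicators described above (a tn.gov sender, an “unusual sign-in” lure asking the recipient to confirm something, and a login link on an unrelated Dutch domain) are exactly the pattern a mailbox triage script can check mechanically. The script below is an added example for this article, not HackRead’s code and not anything from the campaign itself. It parses a constructed sample message that reuses the sender, subject, IP addresses and link quoted in the article; the function names, the lure phrase list and the crude two-label domain comparison are the example’s own assumptions.

```python
"""Triage a raw email for the credential-phishing pattern described in the article.

Added example (not the article's or HackRead's code). It reads an RFC 5322
message, extracts the claimed From: domain, the connecting IP recorded in the
first Received: header, any Authentication-Results verdicts, and every URL in
the body, then flags the combination of a "confirm your account" lure with a
login link whose domain does not match the sender's domain.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message. Sender, subject, IPs and link are the values
# quoted in the article; everything else (recipient, dates, hostnames) is made up.
SAMPLE_EMAIL = """\
Received: from mail.example.invalid (unknown [170.141.166.33])
 by mx.recipient.invalid with ESMTP; Tue, 1 Jan 2019 10:00:00 +0000
From: Darlene Kirk <Darlene.Kirk@tn.gov>
To: victim@recipient.invalid
Subject: Helpdesk & Support Updates
Content-Type: text/plain; charset=utf-8

We detected an unusual sign-in activity. Your webmail account has been
violated from IP address 59.69.159.72. Click the link below to confirm
your location:
http://hansidmar.nl/onleech.me/index.php
"""

# Lure phrases typical of account-takeover scare emails (assumed list, not exhaustive).
LURE_PATTERNS = [
    r"unusual sign[- ]?in",
    r"confirm\s+your\s+(location|account|identity)",
    r"account has been\s+(violated|suspended|compromised)",
]
URL_RE = re.compile(r"https?://[^\s<>\"']+")
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def sender_domain(msg: Message) -> str:
    """Domain of the address in the From: header (the claimed sender)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def origin_ip(msg: Message):
    """Connecting IP from the topmost Received: header, i.e. the hop our MX saw."""
    for hdr in msg.get_all("Received", []):
        match = BRACKET_IP_RE.search(hdr)
        if match:
            return match.group(1)
    return None


def auth_results(msg: Message) -> dict:
    """SPF/DKIM/DMARC verdicts if the receiving MX recorded them; empty if absent."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(hdr):
            results[mech.lower()] = verdict.lower()
    return results


def body_text(msg: Message) -> str:
    """Decoded text of all text/plain and text/html parts (walk() also covers single-part mail)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def registrable(host: str) -> str:
    """Last two labels of a hostname; a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().split(".")[-2:])


def link_domains(text: str) -> list:
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    return sorted(h.lower() for h in hosts if h)


def analyse(raw: str) -> dict:
    """Return the extracted indicators plus a verdict for one raw message."""
    msg = message_from_string(raw)
    text = body_text(msg)
    sdom = sender_domain(msg)
    links = link_domains(text)
    # Links that do not belong to the sender's domain are where credentials would go.
    foreign = [d for d in links if registrable(d) != registrable(sdom)]
    lures = [p for p in LURE_PATTERNS if re.search(p, text, re.I)]
    if foreign and lures:
        verdict = "likely credential phishing"
    elif foreign or lures:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {
        "sender_domain": sdom,
        "origin_ip": origin_ip(msg),
        "auth_results": auth_results(msg),  # empty means we cannot tell spoofed from compromised
        "link_domains": links,
        "foreign_link_domains": foreign,
        "lure_hits": lures,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

An empty `auth_results` is the script’s way of expressing the article’s open question: without SPF/DKIM/DMARC verdicts from the receiving mail server, a legitimate-looking From: address cannot be distinguished from a spoofed one, and the link-domain mismatch plus the lure wording are what remain to act on.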

If you are using Google Chrome, the good news is that it already blocks access to the site and lists it as a phishing scam.

[Image: Screenshot from Chrome]

If you are using Safari, it shows that the phishing page has already been removed from the site; either way, the outcome is a good one for users.

[Image: Screenshot from Safari]

This phishing scam is history; however, thousands of scams are still active and stealing login credentials from users around the world. HackRead believes in online security and urges readers to keep themselves safe from such scams. If you have been scammed or know about an ongoing scam, email us right now at waqas@hackread.com.