Ian Campbell
@neurovagrant@masto.deoan.org  ·  activity timestamp 2 weeks ago

Oh well that's fucking clever. A threat actor is sending out phishing emails pretending to be SendGrid, and explaining that all their emails will include "Support ICE" banners in order to trigger ragebait clicks through to the phishing kit.

#threatintel

https://www.linkedin.com/posts/simokohonen_ragebait-as-a-phishing-tactic-a-threat-activity-7415349853754638336-gcCu?utm_source=social_share_send&utm_medium=member_desktop_web&rcm=ACoAABIZhqYBjXCQuV7JX7N_3xlpxZY6alHZ77o

Screencap showing the phishing email and button.

Simo Kohonen, on LinkedIn:

Ragebait as a phishing tactic.. a threat actor pretending to be SendGrid is sending out phishing emails with the note: '..We will be adding a "Support ICE" donation button to the footer of every email sent through our platform'. Feels like the de facto way for phishing people was always trying to lure people with something pleasant, like a list of Christmas bonuses for the year - but psychology has known this effect for a long time, i.e. losing $100 hurts more than finding $100 feels good, or in this case, appearing to support ICE hurts more than knowing the bonuses of the IT department feels good. Still, I feel like this is a bit too over the top.. what do you think? 😆
Aral Balkan
@aral@mastodon.ar.al replied  ·  activity timestamp 2 weeks ago

@neurovagrant s/clever/evil/

Ian Campbell
@neurovagrant@masto.deoan.org replied  ·  activity timestamp 2 weeks ago

I hate scumbags like this, but I have to have some respect for decent craft.

Ian Campbell
@neurovagrant@masto.deoan.org replied  ·  activity timestamp 2 weeks ago

So here's the historical pDNS and domain data for sender domains in the headers of these emails from the samples I have.

SendGrid UPNs have been a bust so far, but guessing the attack isn't something to really write home about, but I'd like to see this group in particular inconvenienced for the ragebait aspect.

#threatintel

https://drive.proton.me/urls/V2AGD9P57W#MqEEZYyRVjmI

Zack Whittaker
@zackwhittaker@mastodon.social replied  ·  activity timestamp 2 weeks ago

@neurovagrant I often find myself both disgusted at the depravity of some cybercriminals, yet impressed by their technical skill.

Taggart
@mttaggart@infosec.exchange replied  ·  activity timestamp 2 weeks ago

@zackwhittaker @neurovagrant

Dril tweet

Issuing a correction on a previous post of mine, regarding the terror group ISIL. you do not, under any circumstances, "gotta hand it to them."