Oh well that's fucking clever. A threat actor is sending out phishing emails pretending to be SendGrid, and explaining that all their emails will include "Support ICE" banners in order to trigger ragebait clicks through to the phishing kit.
@neurovagrant huh. I thought it was a warning about sea level rise.
@neurovagrant @monoxyd Got that one, too. This is a huge campaign. They pretended to add an lgbtq banner before. Probably the new strategy is "rage phishing". https://tldr.nettime.org/@leitmedium/115865040267681231
@neurovagrant fuck. I would definitely fall for that one
@AuntyRed Stay frosty out there. It's a great time for bastards.
@neurovagrant I'm curious: is this a targeted attack only at those who aren't cool with horrendous shit being done to people on a daily basis in the name of some imaginary line in the sand?
@Li nah it's wider than that - there are legit samples trying to ragebait the right as well
@neurovagrant
Hah, they are playing both sides on this.
The previous variant talked about a Black Lives Matter footer for a month.
@ftg Yep I've now seen "Support LGBT+" variants as well as general technical ones. Definitely a wider campaign than at first glance.
@neurovagrant @ftg The bad guys have been stomping around Sendgrid's servers for at least eleven months. I've probably gotten over 100 of them. Here's my thread: https://ruby.social/@jamiemccarthy/115728934673241939
@neurovagrant same scam but different targets, previous I've seen include threatening Pride banners, commemorating a trans woman's death, celebrating Black Lives Matter, to trigger MAGA types. I've been wondering what the converse would be so thanks 🙂
@neurovagrant why would someone want to donate to a government institution? Isn't that what taxes are for?
@comrad The emotional manipulation involved specifically targets irrational actors, so trying to make sense of it is crazymaking.
@neurovagrant I fucking hate this world, man...
@nyanbinary yup. Been swearin all morning about this.
@neurovagrant That is innovative. Got to give them props for the grift. Still hope none of my users fall for it.
A victimless crime. No actual human beings will be harmed
@neurovagrant when opportunity knocks
@neurovagrant s/clever/evil/
@neurovagrant I wonder whether anyone on their team has extensive social media management experience. Optimizing posts to maximize engagement, usually through rage-bait, has been a thing there for years. It's one of the worst aspects (in my opinion) of algorithmic social media, and it should not be allowed to catch on in other industries.
@neurovagrant Daaaaang they're getting crafty!
@neurovagrant Very clever, very evil.
@neurovagrant Peak social engineering.
@neurovagrant 👋 I have also been receiving these messages. I have sent you the ones I still have as an attachment to the email you shared in this thread.
@neurovagrant I could see myself falling for that.
I've been receiving these phishing emails for a while now. I saw this one this morning!
@neurovagrant so: DO NOT CLICK SETTINGS, because it is fake
@neurovagrant I’ve gotten these from other email providers as well. The email looked legit based on headers (DMARC, SPF.)
@neurovagrant I saw one two weeks ago about having rainbow templates on all customer emails to support lgbtq+ rights unless you click the link.
@drewdaniels You wouldn't happen to have the email headers or content from that email, would you?
:D
@neurovagrant I can’t seem to find that one, but I got a new one this morning about Sendgrid’s authentication changing to sinch by the end of the month. From “Sendgrid” but the from address was noreply at nysar.org
@neurovagrant @drewdaniels share with the class plz 
@neurovagrant I'll take stupid human tricks for 500 Alex.
I hate scumbags like this, but I have to have some respect for decent craft.
So here's the historical pDNS and domain data for sender domains in the headers of these emails from the samples I have.
SendGrid UPNs have been a bust so far, but guessing the attack isn't something to really write home about, but I'd like to see this group in particular inconvenienced for the ragebait aspect.
@neurovagrant
Someone needs to do this to target MAGA. Just say "Your [gun related thing] will not include [something 'woke'] and click to opt out and also include a feedback link. No way is MAGA going to pass up a chance to tell some lefty what for.
Inclusion of a domain doesn't necessarily indicate malicious actions on the part of the domain's owners.
Guessing it's a mix of compromised domains, and active domains with an exploitable misconfiguration common to cloudflared domains that opens their relay up, though I don't know one off the top of my head.
@neurovagrant Wow, that's annoyingly clever.
In unrelated news, I was reflecting this morning on how "sad sack of shit" was probably one of my favourite insults.
@neurovagrant i often find myself both disgusted at the depravity of some cybercriminals, yet impressed by their technical skill.
@neurovagrant #ty for reading the toxic positivity site so i do not have to 🙃
and i def tip my hat to those threat actors. brilliant emotional manip!