Hijacking existing email threads: taking phishing to a new level

Phishing e-mails is the most common way for a hacker to breach the initial attack surface. Filters and blacklisting technologies have been less than effective in stopping such threats, and it is up to the cybersecurity training and awareness of the user to ensure safe choices are made. Now phishermen have new ideas about making their bait more trustworthy; hijacking existing mail threads, piggybacking on existing interpersonal trust. A received an e-mail sent me from a contact who told me he realized he’d fallen for a scam the second he submitted his username and password to the phoney login site he was led to. Here’s (a somewhat edited) excerpt of the e-mail thread leading him into the phisherman’s trap.

From: Jim Salesman
To: Danny Customer

Subject: Re: confirm order details

Dear Danny,

thank you for your purchase. Please download and check these documents.


With best regards,

From: Danny Customer
To: Jim Salesman

Subject: Re: confirm order deetails

Dear Danny,

I agree to the conditions as you have suggested. Make sure the part serial numbers are indicated correctly on the labels.

With best regards,

——- (after multiple e-mails back and forth)

Where does the link lead to?

The link does not lead to a Google page, despite claiming to be a Google Docs file. Also the lack of Google branding in the download section could be an indicator. The URL is “ehbd-dot-ml/hbdesigns/gibberish/” and is rendered over http – no security. It displays a selection of “login credentials” to choose from.


OK, so here are several well-known brand names.

So, who owns the domain ehbd-ml? A whois search shows the domain is registered to Mali Divi. B.V. in the Netherlands.This firm has been active since 2012 and owns a number of free domains. It has a VAT number and one employee, according to this site: https://www.opencompanies.nl/elektrotechniek-mali-dili-bv-amsterdam-56155794.

Why submitting your info is dangerous

My friend realized the mistake the moment he hit “submit”. He then called his company’s IT department, and was told to change his passwords and run a virus scan. That was the right thing to do. But why is this dangerous?

Giving hackers access to your e-mail makes it easy for them to:

  • your e-mails and attachments
  • they can impersonate you by sending e-mails as you
  • they can hijack other accounts where your email is used to reset your password

Lessons learned

Phishing scammers are skilled at exploiting established trust between you and your contacts. Always be suspicous about links in e-mails, even from people you know. Before clicking, always check:

  • Does the URL look reasonable?
  • Does the branding (logos etc.) look right for the contents?
  • Is the site it leads to secured when you would expect it to be? All major service providers will only serve https – not http
  • Is the domain name strange? The .ml top domain is the national domain for Mali in Africa. Google Docs does not use that as the default login site domain.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s