New Reddit “just followed you” Phishing Scam

New Reddit "just followed you" Phishing Scam
Share the knowledge

There is a fresh phishing email scam targeting Reddit users. The Reddit phishing emails exactly mimic the “you have a new follower” Reddit email, but when you click on the “View Follower” button, well, you do get an eyeful, but not the view you were expecting. Generally the purported followers are national brands (we’ve seen samples saying that the new follower is Kroger, and PrudentialFinancial, among others). Of course, what this means is that the scammers have managed to scrape data from Reddit, as they have both the Reddit user name and that user’s email address.

You can identify the Reddit phishing emails (as well as other phishing emails) by looking at the actual email address that the email is sent from (see sample below), not the so-called ‘friendly address’. [Read here for why having your email program display a contact’s profile picture and/or name instead of their email address can play right into phishers’ and scammers’ hands.] As always, the best way to avoid falling for these sorts of phishing scams is to never click on links in email, but rather go to the site directly.

New Reddit "just followed you" Phishing Scam from address

Below are some sample headers from some of the Reddit phishing emails, if you’re into that sort of thing. All of the ones that we have seen came through Digital Ocean.

Get New Internet Patrol Articles by Email!


 

Have you received any of these?

Headers #1

Compuserve-Gripping-Topsy: 979ddd2381
Return-Path:
Arc-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning [email protected] does not designate 69.12.213.130 as permitted sender) [email protected]; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=uws.edu.au
X-Google-Smtp-Source: ABdhPJxhr0o/jY6txOBsojn1myD7Uc4YZXmK9QbOtMT66mDbi0JvHGVSGegCNIohvNBH+dw7Jk+X
Mime-Version: 1.0
X-Virus-Scanned: Content scanner at isipp.com
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning [email protected] does not designate 69.12.213.130 as permitted sender) [email protected]; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=uws.edu.au
Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=date:thoughts-dishonestly:serviceman-potentiometers-irritated:to :message-id:from:content-transfer-encoding:mime-version:subject :compuserve-gripping-topsy; bh=rDZSG13yEYLHme0PUgCzYoUn1QDRypjEcMFi0EzYDt4=; b=aFtX2YzTrC4cFQAVJVM7Fr9Bh1NlJEzPyfX5mPqPsomGr8SnCRwG7XXobBitLvngwt 9BrMxXeq34h3laQnTuqC1HqblS3JFnJLERWpxds+k5l58EIv8n0VjhBZ14/aewxLiayN LizF6RgnwrPBPqbrfxGc/HMQmqoNwYxEm2+B1Jcp6645EmU9VJqlcCYslgNpGnyidhVN lzEiefMUCkWUGyy5HWdciiZqxfQORYo+IbAQ8UVAQ6ZzazElrSU5HpsGSP1gHoFTekm6 BOOFhxup1ZA7ExJjj2Jlb9XLd7JSYnV6pUcAJ+3JWsKupF2ENyt7uL6eIw//v+Anvyqh wd4g==
Thoughts-Dishonestly: B7D8A9B29D628
Content-Transfer-Encoding: base64
<[email protected]>
Content-Type: text/html; charset=UTF-8
Received-Spf: softfail (google.com: domain of transitioning [email protected] does not designate 69.12.213.130 as permitted sender) client-ip=69.12.213.130;
Serviceman-Potentiometers-Irritated: recurrence
Received: by 2002:a55:fd9b:0:b0:146:bc05:391a with SMTP id o27csp287783egm; Mon, 7 Feb 2022 10:46:51 -0800 (PST)
Received: from localhost ([46.101.111.77]) by [redacted] with ESMTP id 217IkgZD001671

Headers #2

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link

Speculate-Referral-Attain: dmitri
Arc-Seal: i=1; a=rsa-sha256; t=1644265026; cv=none; d=google.com; s=arc-20160816; b=aHoggxkcx28qkrQ5bRzaj5STOBQyQEN6FWdYdDedTXPTyHquczyXB9ldUbfyNsSX/O D/fQ3D6ULxYiarAgLZBX/rQJQsfoou9XGXS4LGYpbn18rjYY8yzd2ZWc6LHrm1BE7az9 ITBR/aIl0O75gJ7VTIIWQMe1nRCXoX2wPco3OCfdr5vZejYZZMMPH2aEt89G5CLfMGTc DrfyKfIDhOcHcYVWm1idBkbMLQhhcVz/9uvk8suNiDkhkl9yI8Hiy2o1QOQlR3vIez38 ooEnWN3LYzDIlcSpS6R6+8d7wAKJVqnUSSN5JBnDUYXbh6c2rG24a4lSLw081Wx9XDyh shkg==
X-Received: by 2002:a63:338e:: with SMTP id z136mr856938pgz.510.1644265026692; Mon, 07 Feb 2022 12:17:06 -0800 (PST)
Return-Path:
Arc-Authentication-Results: i=1; mx.google.com; spf=neutral (google.com: 69.12.213.130 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Characterizable-Cupful-Vilifications: 7894
X-Google-Smtp-Source: ABdhPJxhJlgVVBt07vTi+9/L/VvL97LfdMYE38K25sUBmd5WxUrJv7OVF4vLn6f7TaiLLoqv9RIR
Mime-Version: 1.0
X-Virus-Scanned: Content scanner at isipp.com
Authentication-Results: mx.google.com; spf=neutral (google.com: 69.12.213.130 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:anxious-fuss-backgrounds :characterizable-cupful-vilifications:progressive-impersonated :speculate-referral-attain:to:message-id:date:from :content-transfer-encoding:mime-version:fluctuates-garibaldi; bh=2mZ9HSO939RkQUjQui+xQblvwyk3501jI5tG3GcA/nw=; b=S8kwFkBVTF24p0uztJVsQRmFzi6HTvsVIXisGZvEcmQNvZlqrrNb0D7tfyzjJ1jaL0 4odwjPV83wXxUaV+NkEva42s+EoCzWGh0VPNXxu/o+NIveAmxcpte7VhLuSVgy0FZzDW SLDDNpjgm09OihVaCYPAv3cvyweCVQ0DpuzrIAAa/Ew5d4vGQARW3PfE4kmBwbYv6ynq 4C2ptYhLV2B3JWpix0VMrNWzdNdMCon1Ws7/Hj6Wv/ClqNgoCVDtGqzrNm6o4mHEstCt RjBr2H7HA/kFFm+INS/YqoRrGTW5OEne9fbDgMdVWtfmY4kHTqWeB8zyBn4YGXpFbAat CHFQ==
Content-Transfer-Encoding: base64
<[email protected]>
Anxious-Fuss-Backgrounds: 739
Fluctuates-Garibaldi: 9b8f8b1b467
Progressive-Impersonated: c98fea1766ddff2
Content-Type: text/html; charset=UTF-8
Received-Spf: neutral (google.com: 69.12.213.130 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=69.12.213.130;
Received: by 2002:a55:fd9b:0:b0:146:bc05:391a with SMTP id o27csp331685egm; Mon, 7 Feb 2022 12:17:06 -0800 (PST)
12:17:06 -0800 (PST)
Received: from localhost ([146.185.142.185]) by [redacted]


Share the knowledge

Leave a Reply

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.