Konloch Software

Brazilian Government Email Phishing Jagex Accounts

Published 10/16/2024

My email is fairly public. It’s published in the majority of the source code I write, it’s on my public social media profiles, and I include it on most forums I’ve visited throughout the years.

Because of this I receive a large amount of spam and phishing email; thankfully almost all of it is filtered by Gmail before I'm even aware of it.

It's so rare, in fact, that I've decided to write a blog post about one that got through: a warning to others that this tactic still exists, and can be very effective if you're not paying attention.

  1. The first mistake I made was connecting my email to my phone. This isn't insecure by default, but when the From address is not clearly visible it is a bit less obvious that an email is fraudulent. (Obviously this depends on your mail client, but the point still stands.)

  2. The second mistake I made was reading my email before bed. The same applies if you read your email when you first wake up, something I'm also guilty of. (The point being that I am tired in both cases, and therefore easier to fool with a phishing attack.)

  3. The third mistake I could have made was to use the same email for everything. Thankfully I keep my public stuff public, and my gaming stuff gaming. Separate them when possible. In practice this means I have multiple email addresses, so I know what to expect from anything incoming.

Enter The Fraudulent Email

Brazilian Government Jagex Account Phishing Attempt

Obviously, I didn't request this action, and I've never seen the kingrile****@******.com email address before. My first thought was that my gaming account had been stolen. After the initial shock, I quickly realized it was fake. I explain how I did that in the Phishing Prevention section.

The email was sent from a Brazilian government email, according to the address: [email protected].

  • The .gov.br suffix indicates that the Brazilian government owns and operates the email service at sme.prefeitura.sp.gov.br.

I assume this is the entire reason the email was able to get through Google's filters. The email passed all the usual email authentication checks (SPF, DKIM, DMARC, etc.). The email genuinely came from their mail servers, and those servers were fully authorized to send it.

From Google's perspective, it was a government email, probably important. So I assume it bypasses their filter system entirely, or at least enough to let this email through.

Quick Investigation

A quick Google search returns https://educacao.sme.prefeitura.sp.gov.br/

  • SME in @sme.prefeitura.sp.gov.br probably stands for Secretaria Municipal de Educação.

Maybe these are school education emails given out to students?

  • Normally these would be .edu.br, as .gov.br is presumably reserved for government-related email.

Another possibility is that the account robson.correia is compromised, and is being abused to phish Jagex accounts.

  • Searching Google for Robson Correia Secretaria Municipal de Educação brings up a few results; a person of that name does, or did, work there.

After some more digging, I found https://educacao.sme.prefeitura.sp.gov.br/lista-de-servidores-e-contatos/, which contains multiple @sme.prefeitura.sp.gov.br email addresses belonging to official SME government employees, so I assume the account was most likely compromised, rather than a student address being misused.

Phishing Prevention

To help prevent this attack in the future, I've blocked the sender, along with any other addresses from that domain. But I assume this type of proxy-email phishing attack will be a cat and mouse game.

  • Any compromised email account can be a potential sender, so this is not a long-term solution by any means.

The best way to prevent this style of attack is, when you experience one first-hand, to verify who the sender is.

  • The easiest way to do this is by looking for the From address in your email client.
  • The address should be from a known domain you recognize as an authority of the service you are signed up for. (In my case it should be clearly @jagex.com)

If you think the sender could be legitimate, you should now look at the URL they are trying to make you click.

  • This can be done by hovering over the button / hyperlink. On mobile you can press and hold, then copy the URL.
  • The URL should be on a known domain you recognize as an authority for the service you signed up for. (In my case it should clearly be jagex.com)

Another easy tell, although not nearly as obvious: the email doesn't contain any unique identifiers that the service should know about me.

  • Emails should include my name, or account username. The phisher in this case does not know those details, but sometimes they do.

In this instance, both the sender's address and the link they wanted me to click were obviously fraudulent.

  • This is not always the case, as sophisticated phishing attacks will use domains that are typos or look-alikes of the real website's domain.
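The checks above can be automated, and doing so also makes the earlier point about SPF/DKIM/DMARC concrete. The script below is an added example, not code from the original post: it parses a constructed message modelled on the one described, pulls the SPF/DKIM/DMARC verdicts out of its Authentication-Results header, extracts the From domain and every link in the HTML body, and compares each against the domain that should own the service (jagex.com here). The local part of the sender, the Authentication-Results values, the recipient and the link are made up; only the sender domain is the one the post names. All three authentication verdicts pass, yet the sender and link domains still fail the ownership check, which is exactly the gap the post describes.

```python
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, modelled on the email in the post.  The local
# part, recipient, Authentication-Results values and link are made up.
SAMPLE_RAW = b"""\
Return-Path: <user@sme.prefeitura.sp.gov.br>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=sme.prefeitura.sp.gov.br; dkim=pass header.d=sme.prefeitura.sp.gov.br; dmarc=pass header.from=sme.prefeitura.sp.gov.br
From: "Jagex Support" <user@sme.prefeitura.sp.gov.br>
To: victim@example.net
Subject: Email change request
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A request was made to change your email to kingrile****@******.com.</p>
<p><a href="https://jagex-account-secure.example/verify">Cancel this request</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def belongs_to(host, authority):
    """True only if host is the authority domain or a subdomain of it.

    A plain suffix match rejects both look-alikes ('jagex-account.com') and
    hosts that merely embed the real name ('jagex.com.evil.example').
    A production filter would consult the public suffix list instead.
    """
    host = host.lower().rstrip(".")
    authority = authority.lower()
    return host == authority or host.endswith("." + authority)


def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in str(header).split(";"):
            part = part.strip()
            for mech in ("spf", "dkim", "dmarc"):
                if part.startswith(mech + "="):
                    verdicts[mech] = part[len(mech) + 1:].split()[0]
    return verdicts


def triage(raw, authority):
    """Apply the post's manual checks to a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    from_domain = from_addr.rpartition("@")[2]

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    if body is not None:
        collector.feed(body.get_content())

    bad_links = [
        url for url in collector.links
        if not belongs_to(urlparse(url).hostname or "", authority)
    ]
    from_ok = belongs_to(from_domain, authority)
    return {
        "auth": auth_results(msg),        # passes, but proves only who sent it
        "from_domain": from_domain,
        "from_ok": from_ok,
        "links": collector.links,
        "bad_links": bad_links,
        "verdict": "ok" if from_ok and not bad_links else "suspicious",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW, "jagex.com").items():
        print(f"{key}: {value}")
```

The authentication verdicts are reported but deliberately carry no weight in the final verdict: they prove that the sending domain really sent the message, which is true of mail from a compromised account. The two questions that actually decide the verdict are the ones the post asks by hand: does the From domain belong to the service, and does every link point back to it.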

Notes

The email address kingrile****@******.com is (probably) entirely unrelated to the phishing attack and was most likely taken from the same list my email was on.

  • Spam emails are sent by providing an email template and a massive list of harvested email addresses (normally millions of lines long).

I’ve included the raw email with the headers intact for anyone who wants to investigate this further. Click here for the full raw email.

Feel free to copy anything here, consider this writing public domain / creative commons licensed.

12/01/2024 Edit

There seems to be a public report regarding this issue over at https://www.spam.org/complaint?uid=C-2A01111F403C0035-DNDALCNPXF

This issue is still ongoing, stay safe out there!