Phishes with internal information

Posted on 2023-01-31 by laf

I am somewhere between fascination and anger about the phishing emails that arrive in my mailbox. They are full of internal context from my university and seemingly tied to current events.

Phishing example

In this email we have the name of the online learning environment, combined with a common abbreviation of a course, and seemingly even the ordinal number matches the current assignment number.

If I look at the header, I find a valid DKIM signature for the sending domain. The DKIM signing domain is the same as the domain of the sender in the "From" header, the one I blackened in the image. Thus it seems likely that the attacker had control over the email account of the sender shown there. Nothing new actually on that front.
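The header check described above, written out as an added example (this is not code from the post; the message headers are constructed, the DKIM body hash and signature values are placeholders, so no cryptographic verification is attempted, and the hostnames are invented). It checks two things a practitioner looks at in the raw headers: whether the DKIM signing domain (d=) is the same as the domain in the From header, and whether the receiving server's own Authentication-Results header reports dkim=pass. An aligned pass on a phishing message points to a used account rather than a spoofed From address.

```python
"""DKIM alignment check over raw message headers (added example, not the post's code).

Strict alignment is used here: the d= domain must equal the From domain exactly.
DMARC "relaxed" alignment would also accept a subdomain of the same organizational
domain; that is deliberately not modelled.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not the real phishing email from the post).
# The bh= and b= values are placeholders; Authentication-Results is assumed to
# have been added by the receiving MX (mx.example-uni.edu, an invented host).
SAMPLE = b"""Authentication-Results: mx.example-uni.edu; dkim=pass header.d=partner-uni.example header.i=@partner-uni.example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=partner-uni.example; s=sel1;
 h=from:to:subject:date; bh=placeholder=; b=placeholder=
From: "A. Colleague" <a.colleague@partner-uni.example>
To: laf@example-uni.edu
Subject: LMS: ABC-101 Assignment 3 now open

Please log in to view Assignment 3: http://lms-login.example.net/
"""

# Same message, but signed by an unrelated domain: a mailer that signs its own
# domain while the From header still claims partner-uni.example.
SPOOFED = SAMPLE.replace(b"d=partner-uni.example", b"d=bulk.example")


def dkim_tags(msg):
    """Return one dict of tag=value pairs per DKIM-Signature header."""
    sigs = []
    for raw in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in str(raw).split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                # Folding whitespace inside tag values is insignificant (RFC 6376).
                tags[key.strip()] = "".join(value.split())
        sigs.append(tags)
    return sigs


def from_domain(msg):
    """Domain part of the From header address, lower-cased."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Extract the dkim= verdict and header.d= from Authentication-Results.

    Caveat: any upstream sender can insert this header. Only the instance
    carrying your own MX's authserv-id should be trusted; the sample assumes
    the first header is that instance.
    """
    ar = str(msg.get("Authentication-Results", ""))
    verdict = re.search(r"\bdkim=(\w+)", ar)
    domain = re.search(r"header\.d=([^\s;]+)", ar)
    return (verdict.group(1).lower() if verdict else None,
            domain.group(1).lower() if domain else None)


def dkim_alignment(raw_bytes):
    """Report whether a dkim=pass verdict is aligned with the From domain."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    frm = from_domain(msg)
    verdict, ar_domain = auth_results(msg)
    signing_domains = {t.get("d", "").lower() for t in dkim_tags(msg)}
    aligned = frm in signing_domains and ar_domain == frm and verdict == "pass"
    return {
        "from_domain": frm,
        "signing_domains": sorted(signing_domains),
        "dkim_result": verdict,
        "aligned_pass": aligned,
    }


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("spoofed", SPOOFED)):
        print(label, dkim_alignment(raw))
```

The aligned case is the one the post describes: the signature validates for exactly the domain shown in From, so the message really left that domain's mail system, which is why a compromised account is the likely explanation. The second sample shows the opposite pattern, a valid signature from some other domain, which tells you nothing about who controls the From address.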

The important part, thus, is that the attacker seemingly has knowledge about me, or at least about my university, tied to my email address or to the university's domain. Do spammers have databases filled with this kind of relation between suitable topics or terminology and given domains or individual recipients? How much effort goes into this? How large are the databases? What is the granularity of the recipient information?