Recursive phishing email

Bruce Sterling received a phishing email purporting to be a followup to a report of a phishing email. Coming soon: a phishing email purporting to be a phishing email purporting to be a followup to a report of a phishing email.

US-CERT is forwarding the following Phishing email that we received to the APWG for further investigation and processing.

Please check attached report for the details and email source

US-CERT has opened a ticket and assigned incident number PH0000005007349. As your investigation progresses updates may be sent at your discretion to and should reference PH0000002359885.

Phishing email arrives disguised as phishing email


  1. Yeah, I got one of these too.  Trojan attached.

    I think they reconfigured their spambots afterwards, but not very well. My next one was from Con-Ed, but the from address was US CERT.

  2. I’ve gotten a ton of these. I just trashed them on sight, figuring that a) if they were legit they wouldn’t be going to bogus addresses in my domain and b) US CERT wouldn’t be sending the additional information as an executable attachment. What’s annoying is that they’re coming from such a variety of sources that I can’t blacklist them effectively.

  3. Phishing is no small thing. US Education student loans service has selected an outside firm to process and collect loan repayments, many $Bs from millions of students. The problem is, the list of student loans was stolen, used by <–, with virtually indistinguishable Net (uses a 3rd-party e-mail) and billing stationery with a slightly different POB address, that surely $Bs of dollars are being bled away from US Treasury (US). "And nobody seems to notice, and nobody seems to care."

  4. I get a fair number of Nigerian 419 spams that do the same thing. “We heard that you’re a sucker who got bilked by a Nigerian 419 scam, so let us fix it for you. You can trust us; we’re from the Nigerian government.”

  5. It’s hilarious that the ticket is “assigned incident number PH0000005007349″ and if you wish to send updates, reference “PH0000002359885.” It’s like all the Craigslist apartment rental scams where the number of bedrooms in the subject line doesn’t match the number in the main text. Scammers seem to be poor proofreaders.

  6. My daughter suddenly started getting emails claiming they were “Important Information” from her bank. Attached to the email was password-protected PDF. There was no explanation other than instructions to use her account password to open the PDF.

    Sounds like a classic phishing email, right? She kept deleting them, accordingly.

    Turns out, though, they were legit emails from her bank. The password-protected PDF was a notice that she had overdrafted her account. Ouch!

    I can’t imagine how such a phishy method got adopted by the bank. Oh wait…I CAN imagine. They probably factored-in that many people would ignore the emails because they looked so obviously like phishing mails. That equates to overdraft fees! Profit!!!

    1. I’ve occasionally gotten a phishing e-mail the same day that I did a transaction with the business being used. I almost clicked the link.

      If I get an e-mail from my bank saying that I have an important message, I just go sign on the normal way to see if there’s something there.

Comments are closed.