Phishing Email purporting to be from Thailand Post delivered to my inbox 30-12-2021

[pablo el sueco]

Beware.  If you receive a message like this, do not click on the links embedded in the email.  I am convinced it will try to install malware on your computer.

 

The text of the email I received today was in Thai language beneath an official-looking graphic --

 

 

I used Google translate to render the Subject and the Body of the email into English.

 

The Subject:

"Your parcel could not be delivered. please pay shipping"

 

The Body:

"Hello Warning: This email notifies you that your shipment is pending. Your package could not be delivered on 29.12.2021 due to non-payment of customs duties ( 36.14 ฿ ). Deadline for delivery between 31.12.2021 Amount to be paid: 36.14 ฿ Beneficiary: Thai Post - Thai Post To confirm the delivery of your package, click here.

You will receive an email or SMS when you arrive at your home address, you will have 8 days from the date it becomes available to withdraw your package. When withdrawing, you will be asked for your ID. for additional services Track your shipment by clicking here. Thank you for your trust,, Yours sincerely, Serving your Thai Post Group customer service"

 

There were many clues that this was not a legitimate contact from Thailand Post.  The main one being that Thailand Post does not contact addressees by email to arrange for delivery of a package; they leave a notice in the mailbox.

[CharlieH]

Print it and inform your local Post Office.

[Speedo1968]

Don't open any emails purporting to come from Thai Post Office they never use email to contact a customer

[chicowoodduck]

Holy <deleted>, I never even open emails from my family members! ????????

[rwill]

Go for it.  You will probably find out you actually have several hundred packages that need to be delivered, if not more.

 

That is just a joke.

[Oxx]

19 hours ago, pablo el sueco said:

I am convinced it will try to install malware on your computer.

Most unlikely.  I suspect if you click on the link they'll ask you to transfer the supposed duty to their account.  And the amount is so small than when you realise you've been scammed you'll do nothing about it.  Multiply by thousands and you've got a nice little earner.

[JustinCredible]

Interesting that the amount in question is the same as the amounts vanishing from Thai Bank accounts some weeks ago.

[pablo el sueco]

I just got another one about 27 hours after the first one.  The message differed only slightly from the first one -- the deadline for delivery date changed from 31.12.2021 to 01.01.2022.

 

There was also an interesting change in the sender field.  Both emails reflect the sender as being "Thailand Post." including the period at the end.  When I hover my cursor above the sender name to reveal the sender's contact information, both emails track to an electronics corporation in Germany.  The contact id for the first email was "noraeepliy@" followed by the German company web address.  The contact id for the second email was "noraeaapy@" followed by the same web address.

 

All other details of the two emails appear to be the same.

 

Viewing the "raw message" which reveals much about the metadata of the two emails, I find that the source for the graphic image for Thailand Post is

  https://canadaposte-ca.servebeer.com/th.jpg

[kidneyw]

Maybe the parcel was from a Nigerian Prince.

[steven100]

maybe you've won the lottery and they're trying to send you the cash.

[pablo el sueco]

I have more discovery to reveal about the phishing email purporting to be from Thailand Post.  According to the email metadata, the two links that must be clicked on to engage the malware both point to a subdirectory within a Venezuelan charity's website.  Mind-boggling.

 

I guess sophisticated malware experts can disguise the links somehow; perhaps they appear to connect to Venezuela but actually they pass through to some malevolent cyber ring in Russia.

 

I do NOT intend to research this any further by clicking on the links to see what happens!

 

[Oxx]

1 hour ago, pablo el sueco said:

I do NOT intend to research this any further by clicking on the links to see what happens!

How about posting the links here?  I'll happily follow them and report back.  (I use Linux, not Microsoft Windows, so really am not at risk.)

[Jai Dee]

8 minutes ago, Oxx said:

How about posting the links here?  I'll happily follow them and report back.  (I use Linux, not Microsoft Windows, so really am not at risk.)

Please do NOT post dodgy links on the open Forum.

 

You can use the PM function if you wish, but please NOT on the open Forum.

 

1 hour ago, pablo el sueco said:

I do NOT intend to research this any further by clicking on the links to see what happens!

Smart move!

[Sydebolle]

I get these emails regularly and have them automatically dumped into the spam filter - no worries! 

[MadMuhammad]

I got a call today from +888100 purporting in thai that I had a package that needs collecting, press ‘1’ for details. 
Obviously I didn’t and blocked the number 

[unblocktheplanet]

I got one, too.

[pablo el sueco]

 

3 hours ago, unblocktheplanet said:

I got one, too.

I speculate that I was targeted because I used my email account when I registered at thailandintervac for covid vaccine assistance;  I also used it when I registered for the Thailand Immigration 90-day app and website.  I think we all know that such websites have had issues with maintaining strict security protocols.  I suspect you were targeted due to the same vulnerability.

[pablo el sueco]

8 hours ago, Oxx said:

How about posting the links here?  I'll happily follow them and report back.  (I use Linux, not Microsoft Windows, so really am not at risk.)

I, too, use a Linux operating system, but I don't feel the same invincibility as do you.  I don't plan to share the links. 

 

I have now received five of the phishing emails from "Thailand Post", and some have gone straight to my spam folder.  Check your spam folder, Oxx, and you may find your own to play with.  If you do, and are brave enough to risk clicking on the links, please report back ... and good luck to you.

[fangless]

14 hours ago, Oxx said:

I use Linux, not Microsoft Windows, so really am not at risk.)

Says who?

[Nojohndoe]

Similar emails purporting to be from Postal Services in various countries have been happening for quite a while. The "sender" address is usually the giveaway of them being bogus.

[Liverpool Lou]

On 12/30/2021 at 4:23 PM, Speedo1968 said:

Don't open any emails purporting to come from Thai Post Office they never use email to contact a customer

That's not true.   Thailand Post does frequently use email for correspondence with customers. I had many email conversations with then trying to track down items sent from here to Canada and lost by Canada Post and from the UK.

Edited January 2, 2022 by Liverpool Lou

[Liverpool Lou]

On 12/31/2021 at 3:33 PM, pablo el sueco said:

I have more discovery to reveal about the phishing email purporting to be from Thailand Post.  According to the email metadata, the two links that must be clicked on to engage the malware

So you have had it confirmed that it is a malware installation issue as opposed to simply being the well-known delivery fee scam?   

Edited January 2, 2022 by Liverpool Lou

[simon43]

[quote]

...

but actually they pass through to some malevolent cyber ring in Russia.

[/quote]

 

Jeez... or some malevolent cyber ring in the USA, or the UK, or Thailand etc

[Liverpool Lou]

On 1/1/2022 at 12:12 AM, pablo el sueco said:

I speculate that I was targeted because I used my email account when I registered at thailandintervac for covid vaccine assistance; 

Everyone used an email account so why speculate that they picked on you as a result of Thailandintervac registration?   If that was the case, everyone who registered there would get the same contact.  I got no such contact after my registration.

[pablo el sueco]

3 minutes ago, Liverpool Lou said:

So you have had it confirmed that it is a malware installation issue as opposed to simply being the well-known delivery fee scam? 

No, I don't know what it is; it is not legitimate, that much is obvious.  I wasn't aware of the existence of a well-known delivery fee scam.  Wouldn't a delivery fee scam be correctly categorized as a malicious operation?  Since it is so well-known, please let us all know how it works.

[KhaoNiaw]

3 minutes ago, pablo el sueco said:

No, I don't know what it is; it is not legitimate, that much is obvious.  I wasn't aware of the existence of a well-known delivery fee scam.  Wouldn't a delivery fee scam be correctly categorized as a malicious operation?  Since it is so well-known, please let us all know how it works.

I've been getting these for a year or more, probably 4 or 5 per month. They've always just gone straight to spam and I've always just deleted without opening. No idea what triggered them but Gmail has always identified them as spam. 

[Liverpool Lou]

30 minutes ago, pablo el sueco said:

46 minutes ago, Liverpool Lou said:

So you have had it confirmed that it is a malware installation issue as opposed to simply being the well-known delivery fee scam? 

No, I don't know what it is; it is not legitimate, that much is obvious.  I wasn't aware of the existence of a well-known delivery fee scam.  Wouldn't a delivery fee scam be correctly categorized as a malicious operation?  Since it is so well-known, please let us all know how it works.

I'm pretty sure that "a malware installation" is categorised very differently from a "malicious operation" (a scam)?

 

You know how it works, you've had the instructions apparently!   You get an unsolicited email from a scammer about a delivery you know nothing about,  advising you that a small, upfront delivery fee/postage charge has to be paid for the item you're not expecting.  You pay the fee.  The end.

[worgeordie]

On 12/30/2021 at 12:07 PM, pablo el sueco said:

Thank you for your trust

From Thai post , that would be warning enough that something is dodgy.

regards Worgeordie

[pablo el sueco]

8 minutes ago, Liverpool Lou said:

You know how it works, you've had the instructions apparently!   You get an unsolicited email from a scammer about a delivery you know nothing about,  advising you that a small, upfront delivery fee/postage charge has to be paid for the item you're not expecting.

No, I really don't know how it works.  The instructions just tell me to click on the link.  What happens after that is a mystery.  Can you shed more light on it?  The emails are in Thai language; is the linked website in Thai language as well?  How is the bogus fee supposed to be transferred by the victim to the grifter?  Bitcoin is the only method I can think of that can offer the bad guy some anonymity.  Does the linked website, masquerading as Thailand Post have instructions in the Thai Language requesting the victim to send 36.14 Baht in Bitcoin to some crypto Wallet?

[pablo el sueco]

1 hour ago, Liverpool Lou said:

Everyone used an email account so why speculate that they picked on you as a result of Thailandintervac registration?   If that was the case, everyone who registered there would get the same contact.  I got no such contact after my registration.

Okay.  Fair question  Thailandintervac is one of only three or four accounts that I set up in Thailand using my email address.  The others are Thailand Immigration, and Thailand Banks.  Those three or four accounts define the full universe of sites where my email address is linked to anything Thai, and could conceivably engender a Thai languge scammail to be issued to my inbox.  I focused my speculation on thailandintervac and immigration because of their highly publicised data breaches in 2021 where scads of accounts were compromised.  I am unaware of any publicised data breaches involving Thai banks, so I eliminated them from my speculation.   If, indeed, my email account was targeted because of the thailandintervac data breach, it means that my registration thereon occurred prior to the data breach being discovered and repaired.  That you have registered on thaliandintervac and have not been victimized, could be due to several factors, of which the three most obvious are

• your registration on thailandintervac occurred after the data breach was resolved
• the grifters who gained access to the data haven't targeted everyone involved in the breach ... yet
• my speculation, though logical, was erroneous