Krisnatharok
PC Builder, Gamer
Premium Member
join:2009-02-11
Earth Orbit

Re: Phishing from an AZ .gov address?

Could I get someone's confirmation that this was not a spoofed header? I might be contacting AZDHS IT--any ideas if it is this person's computer or perhaps the larger network that is infected?

Angels
@verizon.net
Anon

I also received a message like that through my Gmail. Please let me know if it's fake or a scam or what. Thanks

Krisnatharok
PC Builder, Gamer
Premium Member
join:2009-02-11
Earth Orbit

It's obviously a fake or scam. I don't have the background in IT security to ascertain how it got sent from what seems like an actual AZ DHS computer on the .gov network.

Waiting for some questions to be answered here and I might give them a call.

dsilvers
join:2009-05-17
Canyon Lake, TX

Member

to Krisnatharok
said by Krisnatharok:
Could I get someone's confirmation that this was not a spoofed header? I might be contacting AZDHS IT--any ideas if it is this person's computer or perhaps the larger network that is infected?
Your hunch is likely correct: Appears to be from 159.36.7.43 Arizona Department of Health Services.

leibold
MVM
join:2002-07-09
Sunnyvale, CA
Netgear CG3000DCR
ZyXEL P-663HN-51

said by dsilvers:
Your hunch is likely correct: Appears to be from 159.36.7.43 Arizona Department of Health Services.

Actually if the headers aren't forged then the email originally came from 159.36.7.40 (HSPHXMEXMB01.hs.azdhs.gov) and was relayed by 159.36.7.43 (hsphxmcas02.hs.azdhs.gov) and 159.36.129.203 (smg0.hs.azdhs.gov / securemail3.azdhs.gov).

Given that the hostname HSPHXMEXMB01 also appears in the message ID and the MIME multipart separator, either the headers are valid or someone made an above-average effort at faking them.
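
The header walk leibold describes, and the "was it spoofed?" question Krisnatharok asked, as an added example that is not part of the thread: a Python script that reads the Received: lines oldest-first (each relay prepends its own line, so the message order is newest-first), marks the one hop that the receiving mail server wrote itself (the only line the sender could not have forged), and checks whether the claimed origin host also appears in the Message-ID and the MIME boundary, which Exchange fills in from the mailbox server name. The sample message is constructed for this example: the host names and addresses are the ones quoted above, while the dates, Message-ID, boundary, sender, recipient and the receiving server mx.example.net are made up.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample message: hosts/IPs from the thread, everything else invented.
SAMPLE_MESSAGE = """\
Received: from securemail3.azdhs.gov (smg0.hs.azdhs.gov [159.36.129.203])
\tby mx.example.net (Postfix) with ESMTPS id 4F0C1A2B
\tfor <victim@example.net>; Tue, 12 Jun 2012 09:14:07 -0700 (PDT)
Received: from hsphxmcas02.hs.azdhs.gov (hsphxmcas02.hs.azdhs.gov [159.36.7.43])
\tby smg0.hs.azdhs.gov with ESMTP; Tue, 12 Jun 2012 09:14:05 -0700
Received: from HSPHXMEXMB01.hs.azdhs.gov ([159.36.7.40]) by hsphxmcas02.hs.azdhs.gov
\t([159.36.7.43]) with mapi; Tue, 12 Jun 2012 09:14:04 -0700
From: "AZDHS Employee" <employee@azdhs.gov>
To: <victim@example.net>
Subject: Urgent: account verification
Message-ID: <9F3C2A7B1D4E5F60@HSPHXMEXMB01.hs.azdhs.gov>
Content-Type: multipart/alternative; boundary="_000_9F3C2A7B1D4E5F60HSPHXMEXMB01hsazdhsgov_"

--_000_9F3C2A7B1D4E5F60HSPHXMEXMB01hsazdhsgov_
Content-Type: text/plain

(body omitted)
--_000_9F3C2A7B1D4E5F60HSPHXMEXMB01hsazdhsgov_--
"""

# "from <name> (<reverse-dns> [<ip>]) by <host>" is the common sendmail/Postfix/Exchange shape.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s*\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> dict:
    """Pull the 'from' name, the connecting IP and the 'by' host out of one Received: header."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return {"helo": None, "ip": None, "by": None, "raw": flat}
    ip_match = IPV4_RE.search(m.group("paren") or "")
    return {
        "helo": m.group("helo"),
        "ip": ip_match.group(1) if ip_match else None,
        "by": m.group("by"),
        "raw": flat,
    }


def relay_chain(msg: Message, own_mx: str) -> list:
    """Return the hops oldest-first.

    Each MTA prepends its own Received: line, so header order is newest-first and is
    reversed here to read the path. Only the hop written by own_mx (the receiving
    server you control) is trustworthy; every earlier line arrived inside the message
    and could have been typed by the sender."""
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    for hop in hops:
        hop["trusted"] = hop["by"] is not None and hop["by"].lower() == own_mx.lower()
    return hops


def corroboration(msg: Message, origin_host: str) -> dict:
    """Does the claimed origin host also show up in the Message-ID and MIME boundary?

    Agreement is not proof (a forger who copied a real message reproduces both);
    disagreement is a strong hint that the Received: lines were made up."""
    short = origin_host.split(".")[0].lower()
    msgid = (msg.get("Message-ID") or "").lower()
    boundary = (msg.get_boundary() or "").lower()
    return {
        "in_message_id": bool(short) and short in msgid.split("@")[-1],
        "in_mime_boundary": bool(short) and short in boundary,
    }


def analyze(raw_message: str, own_mx: str) -> dict:
    """Full report: oldest-first chain, claimed origin, trusted hops, corroboration."""
    msg = message_from_string(raw_message)
    chain = relay_chain(msg, own_mx)
    origin = chain[0] if chain else {"helo": None, "ip": None}
    return {
        "chain": chain,
        "origin_host": origin["helo"],
        "origin_ip": origin["ip"],
        "trusted_hops": [h for h in chain if h["trusted"]],
        "corroboration": corroboration(msg, origin["helo"] or ""),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_MESSAGE, own_mx="mx.example.net")
    for hop in report["chain"]:
        tag = "TRUSTED" if hop["trusted"] else "claimed"
        print(f"{tag}: {hop['helo']} [{hop['ip']}] -> {hop['by']}")
    print("claimed origin:", report["origin_host"], report["origin_ip"])
    print("corroboration:", report["corroboration"])
```

Run against the sample, the oldest hop is 159.36.7.40 (HSPHXMEXMB01) relayed via 159.36.7.43 and 159.36.129.203, matching the reading above; only the top line, written by mx.example.net, is marked trusted. The two corroboration checks pass, which is exactly the "valid, or a careful forgery" situation leibold describes: the script narrows the question, it cannot close it.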

dsilvers
join:2009-05-17
Canyon Lake, TX

1 recommendation

Member

My bad, you are correct; all those IP numbers belong to the Arizona Department of Health.

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

to leibold
said by leibold:
Given that the hostname HSPHXMEXMB01 appears also in the message id and mime multipart separator either means the headers are valid or someone did an above average effort at faking them.

That name almost certainly identifies a specific computer at AZ-DHS.

Krisnatharok
PC Builder, Gamer
Premium Member
join:2009-02-11
Earth Orbit

I called their general intake line and asked to be transferred to someone in IT to report phishing from one of their employees, and they instead transferred me to the employee in question (!!), who was rather embarrassed and said I was probably the third person today to contact her and let her know her computer was infected.

She seemed sure it wasn't a virus, but it sounded like she was a rather typical, non-technical user, so I can only hope AZDHS is professional enough to be monitoring their own network.

You would think it would be easy enough for local law enforcement to subpoena the email address listed as the POC for the scam and go from there, but what do I know... I guess Sheriff Joe has other, more important priorities right now.

AVD
Respice, Adspice, Prospice
Premium Member
join:2003-02-06
Onion, NJ

This is better in Scams and Phishbusters. Maybe MGD can take a crack at it.

Krisnatharok
PC Builder, Gamer
Premium Member
join:2009-02-11
Earth Orbit

Not sure what there is to crack, I'm willing to bet the State of AZ has all sorts of nasty viruses flying around its network.

goalieskates
Premium Member
join:2004-09-12
land of big

to AVD
I'm happy with it being here. It's a reminder that government entities can pose as much security risk to users as anyone else, if not more.

A sad reminder, at that.