Scammers Running Phishing Scam with Tennessee Government Email ID

It is easy to hack a domain and set up scams for visitors, but using a government email address to run a phishing campaign is a bit odd.

Recently, I received an email which, of course, went straight to spam. I wouldn’t care if it was a random email but, in fact, it was from a State of Tennessee-based email address.

The email ID is Darlene.Kirk@tn.gov and belongs to Darlene Kirk, a Carroll County clerk at the Department of Motor Vehicles. It is unclear whether the email account has been hacked or someone is using it to get people onto the phishing site.

Here’s a complete analysis of this phishing campaign:

The email comes from the “Darlene.Kirk@tn.gov” email ID (from a Tennessee IP address: 170.141.166.33) with the subject “Helpdesk & Support Updates.” The email content talks about the detection of unusual sign-in activity and warns users that their webmail account has been violated from the IP address 59.69.159.72, which goes back to the ISP “China Education and Research Network Center” in Nanyang city.

The IP address goes back to China

The email further asks the user to click the link below to confirm their location.

Screenshot from the phishing email

Upon clicking the link, the user is directed to a Netherlands-based domain (hansidmar.nl/onleech.me/index.php), which has probably been hacked to run this phishing scam. The link opens an Outlook login page asking users to enter their username and password.

Screenshot from the phishing page shows Outlook login box
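
A triage check for the pattern described above, where a genuine government sender address carries a link to an unrelated domain behind account-alert wording. This is an added example, not code from the original article; the sample message's header layout and body wording, the keyword list and the function names are assumptions, and only the sender, subject, IP addresses and link come from the article.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: sender, subject, source IP, quoted IP and link are the
# article's; header layout, other hostnames and body wording are made up.
SAMPLE_EML = """\
Received: from mail.example.invalid ([170.141.166.33]) by mx.example.invalid
From: Darlene Kirk <Darlene.Kirk@tn.gov>
To: user@example.invalid
Subject: Helpdesk & Support Updates
Content-Type: text/plain; charset=utf-8

Unusual sign-in activity was detected on your webmail account from 59.69.159.72.
Click the link below to confirm your location:
http://hansidmar.nl/onleech.me/index.php
"""

LURE_TERMS = ("sign-in", "helpdesk", "webmail", "confirm", "password")  # assumed list
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def base_domain(host):
    """Naive last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw):
    """Flag mail whose links leave the sender's domain while using account-alert wording."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    sender_dom = base_domain(sender.rpartition("@")[2])
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    offsite = sorted(h for h in hosts if h and base_domain(h) != sender_dom)
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    lures = [t for t in LURE_TERMS if t in text]
    relay_ips = IP_RE.findall(" ".join(map(str, msg.get_all("Received", []))))
    return {
        "sender_domain": sender_dom,
        "offsite_link_hosts": offsite,
        "relay_ips": relay_ips,
        "lure_terms": lures,
        # A trusted sender domain is not enough: the link target decides.
        "suspicious": bool(offsite) and len(lures) >= 2,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

Because the message comes from a real tn.gov mailbox, sender-authentication checks alone would not be expected to catch it, which is why the check keys on where the link leads.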

If you are using Google Chrome, the good news is that it already prevents users from accessing the site and has listed it as a phishing scam.

Screenshot from Chrome

If you are using the Safari browser, it shows that the phishing page has been deleted from the site. Either way, it is a win-win situation.

Screenshot from Safari

This phishing scam is history; however, there are thousands of scams still active and stealing login credentials from users around the world. HackRead believes in online security and urges readers to keep themselves safe from such scams. In case you have been scammed or know about an ongoing scam, email us right now at waqas@hackread.com.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.