Email phishing spam switches from ReMax to Coldwell Banker

Version imprimable, PDF et e-mail

By Dave Michmerhuizen – Research Scientist

Phishing spam aims at all sorts of targets.  Bank accounts, social network accounts, website hosting accounts – almost anything that requires a password has been phished at some time or another.  One type of account stands out as the big prize – the email account.  So many other online accounts are linked to your email for verification or password recovery that capturing an email address and password is like being granted the master key to your digital identity.

One of the most successful email account phishing campaigns in the past few years leverages the almost universal desire to get a good deal in real estate. Emails pretending to be from the ReMax company offered real estate deals but asked for – and stole – your email credentials.

Recently the spam traps at Barracuda Labs have turned up a new twist on this approach. The spammers have tired of the ReMax logo and switched to using Coldwell Banker.


Sometimes these specifically target investors, as with the example above.  Others are more general and designed to appeal to consumers searching for a residence.

Clicking on the link in one of these emails takes you to a phishing page hosted on a hacked website.


This phishing page takes advantage of the trend towards using well-known web properties as authentication providers.  Specifications such as OpenID make it easy for small websites to completely avoid having to create and manage user accounts.  Instead, the website lets you “log in with Google”, or some other large website.  Normally when you do that you temporarily visit the website, such as Google, that provides the authentication service.  This is a process that unsophisticated users may not pay much attention to. That inattention is exactly what the phisher is hoping for in this case.

Clicking on one of the logos doesn't take you to a login portal on the corresponding website. Instead, all that appears is a JavaScript dialog box asking for your credentials.  Enter them, click “Sign In”, and your data gets sent back to the compromised website and forwarded on to the phishers.


The end result? Possible identity theft, and a very bad day.

Never provide your email address unless you are certain you are on the webpage of the email provider, and steer clear of unsolicited email links in general.  If a real estate company wants you to view their listings, visit their website directly.


Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.



Remonter en haut de page