Phishing Email

glricker408b14_ESO
Soul Shriven
I received a phishing email today. It's clearly not from Zenimax. The text encourages one to reply to the email to receive a deal of buy 30 days of plus and get 30 days free.
  • Elsonso
    That could be a legitimate email. It is hard to tell from a screen cap.

    It all depends on whether it actually comes from "custhelp.com" or if that is spoofed. It also depends on what they are asking for in the reply email.



    Edited by Elsonso on November 30, 2019 1:55AM
    PC NA/EU: @Elsonso
    XBox EU/NA: @ElsonsoJannus
    X/Twitter: ElsonsoJannus
  • ZephyrWestwind
    I received a phishing email today. It's clearly not from Zenimax. The text encourages one to reply to the email to receive a deal of buy 30 days of plus and get 30 days free.

    Does not look like a phish at first glance, but would need to see the actual headers to confirm that it came from the address listed. The address on the from line is a legit address.
  • RefLiberty
    I received a phishing email today. It's clearly not from Zenimax. The text encourages one to reply to the email to receive a deal of buy 30 days of plus and get 30 days free.

    Does not look like a phish at first glance, but would need to see the actual headers to confirm that it came from the address listed. The address on the from line is a legit address.

    Please be careful when giving such advice.

    First, email address can be spoofed, more info here if you want:
    https://help.hover.com/hc/en-us/articles/217282017-Email-spoofing-and-undeliverable-notices

    Besides, mail is clearly something that ESO would not send mail from. Mails connected to ESO should be from mail.elderscrollsonline.com

    Second, that domain does not have clear ICANN Registrar Information and is not registered under Zenimax domains:
    http://whois.domaintools.com/custhelp.com

    This is what a great and clean record looks like:
    http://whois.domaintools.com/elderscrollsonline.com


    Furthermore, why would Zenimax send an email from MX (mail servers) named as rightnowtech.com. :D
    dig MX custhelp.com @8.8.8.8
    custhelp.com. 899 IN MX 10 filteram11.rightnowtech.com.
    custhelp.com. 899 IN MX 10 filteram12.rightnowtech.com.

    The A record is:
    dig custhelp.com @8.8.8.8
    custhelp.com. 812 IN A 74.117.206.70

    Also, that IP is some shared hosting service.


    And, since we know that mails from ESO are coming from mail.elderscrollsonline.com, you can see that the A, MX and all other records are completely different:
    elderscrollsonline.com. 29 IN A 159.100.230.103
    elderscrollsonline.com. 29 IN A 198.20.198.103
    elderscrollsonline.com. 299 IN MX 10 mxb-00253101.gslb.pphosted.com.
    elderscrollsonline.com. 299 IN MX 10 mxa-00253101.gslb.pphosted.com.

    This is what good records look like:
    dig ANY elderscrollsonline.com
    elderscrollsonline.com. 299 IN SOA ns1.p02.dynect.net. hostmaster.elderscrollsonline.com. 2019111301 3600 600 604800 60
    elderscrollsonline.com. 21599 IN NS ns1.p02.dynect.net.
    elderscrollsonline.com. 21599 IN NS ns4.p02.dynect.net.
    elderscrollsonline.com. 21599 IN NS ns2.p02.dynect.net.
    elderscrollsonline.com. 21599 IN NS ns3.p02.dynect.net.
    elderscrollsonline.com. 29 IN A 159.100.230.103
    elderscrollsonline.com. 29 IN A 198.20.198.103
    elderscrollsonline.com. 299 IN MX 10 mxb-00253101.gslb.pphosted.com.
    elderscrollsonline.com. 299 IN MX 10 mxa-00253101.gslb.pphosted.com.
    elderscrollsonline.com. 299 IN TXT "facebook-domain-verification=z8mj81uto8auurwmummphryporl7pe"
    elderscrollsonline.com. 299 IN TXT "google-site-verification=poBFcrO4a6T9d-wH0rbXwnxjEX1royQn9Ehd7vnjxME"
    elderscrollsonline.com. 299 IN TXT "MS=ms53559830"
    elderscrollsonline.com. 299 IN TXT "v=spf1 mx a:verify2.zenimax.com a:verify.zenimax.com ip4:38.124.136.16 ip4:38.124.136.15 ip4:12.145.63.34 ip4:12.145.63.39 ip4:12.145.63.75 ip4:12.145.63.68 include:rnmk.com include:sendgrid.net include:spf.protection.outlook.com -all"
    elderscrollsonline.com. 299 IN SPF "v=spf1 mx a:verify2.zenimax.com a:verify.zenimax.com ip4:38.124.136.16 ip4:38.124.136.15 ip4:12.145.63.34 ip4:12.145.63.39 ip4:12.145.63.75 ip4:12.145.63.68 include:rnmk.com include:sendgrid.net include:spf.protection.outlook.com -all"

    OP, just open a ticket so they can submit an abuse report to that domain's hosting company to block/cancel the domain hosting due to spoofing/phishing emails.
    Edited by RefLiberty on November 30, 2019 2:44AM
  • idk
    It has been noted before by someone who ceased their ESO+ that they had received such an email. That email was legit

    However, as others have stated you need to make sure it is really from the address stated and any links are what they say they are vs spoofed info.
  • RefLiberty
    idk wrote: »
    It has been noted before by someone who ceased their ESO+ that they had received such an email. That email was legit

    However, as others have stated you need to make sure it is really from the address stated and any links are what they say they are vs spoofed info.

    Oh boy, if they do that, they really need to make that less shady, I guess it is an outsourced marketing company, I mean, the records are nasty:

    Registrant: REDACTED FOR PRIVACY
    On a shared hosting:
    IP Address 74.117.206.70 - 18 other sites hosted on this server

    Not transparent, not at all. They need to look into this then, cos marketing will fail if people delete the email thinking it is just a spam :D It seems that it is outsourced service then.
  • validifyedneb18_ESO
    That could be a legitimate email. It is hard to tell from a screen cap.

    It all depends on whether it actually comes from "custhelp.com" or if that is spoofed. It also depends on what they are asking for in the reply email.



    "teso_help@mailmw.custhelp.com" - totally non dodgy sounding, and totally ZOS related URI. I'm sure everyone knows exactly what mailmw stands for.

    Incomplete title

    Letterboxing on the image

    The image being a picture of Mannimarco 5 years after he was deposed as the main titular bad guy



    To all those people saying it looks like it could be legit at first glance, or looks legit from what little you can see... YOU are the reason why phishing has become such a huge problem.
    Edited by validifyedneb18_ESO on November 30, 2019 3:55AM
    EU: Magden, Magknight, Stamsorc(*2), Magsorc
    NA: Magplar, Magden, PotatoBlade
  • validifyedneb18_ESO
    RefLiberty wrote: »
    idk wrote: »
    It has been noted before by someone who ceased their ESO+ that they had received such an email. That email was legit

    However, as others have stated you need to make sure it is really from the address stated and any links are what they say they are vs spoofed info.

    Oh boy, if they do that, they really need to make that less shady, I guess it is an outsourced marketing company, I mean, the records are nasty:

    Registrant: REDACTED FOR PRIVACY
    On a shared hosting:
    IP Address 74.117.206.70 - 18 other sites hosted on this server

    Not transparent, not at all. They need to look into this then, cos marketing will fail if people delete the email thinking it is just a spam :D It seems that it is outsourced service then.

    this ^ the fact that the who-is listing has no clear path back to Bethesda or Zenimax, the registrar is an unknown and the vast majority of the information is optionally redacted... I am confused to see so many people say this is a legit domain. Looks shady as all hell.
    EU: Magden, Magknight, Stamsorc(*2), Magsorc
    NA: Magplar, Magden, PotatoBlade
  • ZephyrWestwind
    RefLiberty wrote: »
    idk wrote: »
    It has been noted before by someone who ceased their ESO+ that they had received such an email. That email was legit

    However, as others have stated you need to make sure it is really from the address stated and any links are what they say they are vs spoofed info.

    Oh boy, if they do that, they really need to make that less shady, I guess it is an outsourced marketing company, I mean, the records are nasty:

    Registrant: REDACTED FOR PRIVACY
    On a shared hosting:
    IP Address 74.117.206.70 - 18 other sites hosted on this server

    Not transparent, not at all. They need to look into this then, cos marketing will fail if people delete the email thinking it is just a spam :D It seems that it is outsourced service then.

    this ^ the fact that the who-is listing has no clear path back to Bethesda or Zenimax, the registrar is an unknown and the vast majority of the information is optionally redacted... I am confused to see so many people say this is a legit domain. Looks shady as all hell.

    To you and the others who question my advice. This question has come up before. See the link below and read address #5 in the list.
    https://help.elderscrollsonline.com/app/answers/detail/a_id/21335/~/i-have-received-an-e-mail-asking-me-to-activate-my-account-via-a-suspicious

    Since that email address is on the list and there is no evidence the from line was spoofed (no headers shown), that should explain why I, and others, would say at first glance it appears legit.
  • ZephyrWestwind
    That could be a legitimate email. It is hard to tell from a screen cap.

    It all depends on whether it actually comes from "custhelp.com" or if that is spoofed. It also depends on what they are asking for in the reply email.



    "teso_help@mailmw.custhelp.com" - totally non dodgy sounding, and totally ZOS related URI.

    Why, yes, it is. That's exactly why it is on the list of verified email addresses to send players mail.
  • RefLiberty
    That could be a legitimate email. It is hard to tell from a screen cap.

    It all depends on whether it actually comes from "custhelp.com" or if that is spoofed. It also depends on what they are asking for in the reply email.



    "teso_help@mailmw.custhelp.com" - totally non dodgy sounding, and totally ZOS related URI.

    Why, yes, it is. That's exactly why it is on the list of verified email addresses to send players mail.

    Ummm... He was sarcastic. :)
  • ZephyrWestwind
    RefLiberty wrote: »
    That could be a legitimate email. It is hard to tell from a screen cap.

    It all depends on whether it actually comes from "custhelp.com" or if that is spoofed. It also depends on what they are asking for in the reply email.



    "teso_help@mailmw.custhelp.com" - totally non dodgy sounding, and totally ZOS related URI.



    Why, yes, it is. That's exactly why it is on the list of verified email addresses to send players mail.

    Ummm... He was sarcastic. :)

    and the "Why, yes, it is." wasn't? Darn, need more practice.
  • RefLiberty
    RefLiberty wrote: »
    That could be a legitimate email. It is hard to tell from a screen cap.

    It all depends on whether it actually comes from "custhelp.com" or if that is spoofed. It also depends on what they are asking for in the reply email.



    "teso_help@mailmw.custhelp.com" - totally non dodgy sounding, and totally ZOS related URI.



    Why, yes, it is. That's exactly why it is on the list of verified email addresses to send players mail.

    Ummm... He was sarcastic. :)

    and the "Why, yes, it is." wasn't? Darn, need more practice.

    My apologies. :#
  • Acrolas
    The email address and source are legitimate.
    You can alternatively reply to just ESO_Help@helpmail.elderscrollsonline.com which will open up a support ticket with Bethesda Customer Support.
    signing off
  • RefLiberty
    Acrolas wrote: »
    The email address and source are legitimate.
    You can alternatively reply to just ESO_Help@helpmail.elderscrollsonline.com which will open up a support ticket with Bethesda Customer Support.

    All cool Acrolas, but do you see the difference, the point I and "validifyedneb18" are making.
    Yes they are cool because if you search the forums you can find where Mod confirms and you saw it and you know it, your emails search just shows that you got some promo emails from that email, it could also be spam emails.

    Look...
    - ESO_Help@helpmail.elderscrollsonline.com comes from "elderscrollsonline.com" if you are looking at sender domain. You get the domain whois records trace as legit, all good, we good.
    - mailmw.custhelp.com comes from "custhelp.com", the F is that. You look at that and think, ha??

    You look it up at whois, you dig it, and you get Registrant: REDACTED FOR PRIVACY and you get "rightnowtech.com" as MX server. Nothing connects - You delete.

    And ofc it will open a ticket when you send to "ESO_Help@helpmail.elderscrollsonline.com",
    It is Zenimax registered domain.

    That domain and custhelp.com have nothing in common, not the same mail server, not same hosting, not same DNS records, not connecting Registrar records. That is what we are talking about.

    The hell if I know and if I need to know who "custhelp.com" is. No clear path back to Bethesda or Zenimax, I delete.
    Your comment makes no sense: "You can alternatively reply to just ESO_Help@helpmail.elderscrollsonline.com" you are sending the mail to a completely different mail, yes maybe it will open a ticket if there is a forward set, but that is another story.

    Really as validifyedneb18 said, no wonder the spam and compromised accounts are such an issue these days.
    Edited by RefLiberty on November 30, 2019 7:33AM
  • Nyladreas
    That could be a legitimate email. It is hard to tell from a screen cap.

    It all depends on whether it actually comes from "custhelp.com" or if that is spoofed. It also depends on what they are asking for in the reply email.



    LMFAO you can't be serious... Look at the Friggen email address. /megafacepalm
  • Acrolas
    RefLiberty wrote: »
    - mailmw.custhelp.com comes from "custhelp.com", You look at that and think, ha??

    It's a series of customer service tools from Oracle. I have probably about 100 total emails from companies that employ the service. Some businesses host promotions and offers from the site. Others just use it to create selective mailing lists.

    Not saying it's a perfect system. When Bethesda sent out the t-shirt promo codes it was listed as no_reply@mailmw.custhelp.com which probably didn't help confidence in that email.

    But just for general knowledge, if you receive an email from a custhelp.com address and you reply directly to that address, it's coming from a registered business that you have previously shared your contact email with. Oracle isn't going to host fraudulent entities as it would damage the integrity of the entire service.
    signing off
  • code65536
    ZOS uses a lot of third parties for communication.

    For example, some years ago, when I won a (minor) prize from their sweepstakes, the mail came from the third-party company that they used to administer the sweepstakes.

    In any case, as noted earlier, custhelp.com is one such third-party that is used by a lot of companies. Including ZOS. And as people have said, you don't know if a mail is spoofed or not unless you examine the full e-mail headers (depending on your e-mail client, it could be view headers, view source, view raw message, etc.) and verify that it has a valid cryptographic signature (DKIM). If it does (and it should if it really did originate from custhelp.com), then this is legit.

    (Also, other people have reported getting these sorts of offers over the years. These are legit offers.)
    Nightfighters ― PC/NA and PC/EU
    Media: YouTubeTwitch
  • Nestor
    code65536 wrote: »
    ZOS uses a lot of third parties for communication.

    .....custhelp.com is one such third-party that is used by a lot of companies. Including ZOS. ..... if a mail is spoofed or not unless you examine the full e-mail headers (depending on your e-mail client, it could be view headers, view source, view raw message, etc.) and verify that it has a valid cryptographic signature

    This thread illustrates that ZOS should send its marketing emails from its domain and not some third party where someone has to vet the email headers to verify it. I mean, really, just a subset of the population knows what an email header is, less how to do it or even what a whois search is.

    @ZOS_JessicaFolsom



    Enjoy the game, life is what you really want to be worried about.

    PakKat "Everything was going well, until I died"
    Gary Gravestink "I am glad you died, I needed the help"

  • code65536
    Nestor wrote: »
    code65536 wrote: »
    ZOS uses a lot of third parties for communication.

    .....custhelp.com is one such third-party that is used by a lot of companies. Including ZOS. ..... if a mail is spoofed or not unless you examine the full e-mail headers (depending on your e-mail client, it could be view headers, view source, view raw message, etc.) and verify that it has a valid cryptographic signature

    This thread illustrates that ZOS should send its marketing emails from its domain and not some third party where someone has to vet the email headers to verify it. I mean, really, just a subset of the population knows what an email header is, less how to do it or even what a whois search is.

    @ZOS_JessicaFolsom



    Yes. And the fact that multiple people have mentioned whois but not DKIM shows that an even smaller subset understand what to actually look for and what the significance of those things are.

    For example, whois isn't that important, particularly for a well-known domain like custhelp.com (I've had a lot of different companies correspond with me via that domain), and especially since whois is effectively deprecated these days due to the increasingly common practice of obfuscating or outright redacting whois information. A Google search is often more effective in establishing who owns a domain.

    But what is important is checking the DKIM signature and/or SPF of an e-mail, since that is what validates the e-mail as really having come from custhelp.com and not someone pretending to be custhelp.com.
    Edited by code65536 on November 30, 2019 2:04PM
    Nightfighters ― PC/NA and PC/EU
    Media: YouTubeTwitch
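
The header check code65536 describes in the two posts above, sketched as an added example (not part of the original thread and not any poster's code): it reads the Authentication-Results header that the receiving mail server writes after verifying DKIM and SPF, and accepts a message only when a passing result is aligned with the From domain. The two sample messages, the `mx.example.net` server name and the `sel1` selector are constructed, and organizational-domain matching is simplified to the last two labels.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed messages for illustration; not real captures. "mx.example.net"
# stands in for the reader's own receiving mail server (assumption).
SIGNED = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=custhelp.com header.s=sel1;
 spf=pass smtp.mailfrom=bounce@mailmw.custhelp.com
From: ESO Support <teso_help@mailmw.custhelp.com>
Subject: Offer

body
"""
SPOOFED = """\
Authentication-Results: mx.example.net;
 dkim=none; spf=fail smtp.mailfrom=promo@unrelated.example
Authentication-Results: relay.unrelated.example;
 dkim=pass header.d=custhelp.com
From: ESO Support <teso_help@mailmw.custhelp.com>
Subject: Offer

body
"""

def org_domain(domain):
    """Last two labels only (simplification; real checks use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Return (authserv_id, [(method, result, properties), ...]) for one header value."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = []
    for part in parts[1:]:
        m = re.match(r"(\w+)=(\w+)", part)
        if m:
            props = dict(re.findall(r"([\w-]+\.[\w-]+)=(\S+)", part))
            results.append((m.group(1).lower(), m.group(2).lower(), props))
    return parts[0].split()[0].lower(), results

def check_sender(raw, trusted_authserv):
    """Authenticated only if our own server recorded a DKIM or SPF pass aligned with From."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
    verdict = {"from_domain": from_domain.lower(), "dkim": False, "spf": False}
    for value in msg.get_all("Authentication-Results", []):
        authserv, results = parse_auth_results(str(value))
        if authserv != trusted_authserv:
            continue  # any upstream relay can add this header; trust only our own
        for method, result, props in results:
            prop = {"dkim": "header.d", "spf": "smtp.mailfrom"}.get(method)
            if result != "pass" or prop is None:
                continue
            signer = props.get(prop, "").rpartition("@")[2]
            if signer and org_domain(signer) == org_domain(from_domain):
                verdict[method] = True
    verdict["authenticated"] = verdict["dkim"] or verdict["spf"]
    return verdict

if __name__ == "__main__":
    print(check_sender(SIGNED, "mx.example.net"), check_sender(SPOOFED, "mx.example.net"))
```

The second sample carries the same From line as the first but fails, because the only passing result sits in a header written by a server other than the recipient's own.
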
  • Idinuse
    I received a phishing email today. It's clearly not from Zenimax. The text encourages one to reply to the email to receive a deal of buy 30 days of plus and get 30 days free.

    Very possibly a legit mail. I've taken them up on that offer before. ^^b