{“lastseen”:”2025-10-21T08:05:16″,”description”:”We received a timely phishing email pretending to come from Home Depot. It claimed we\u2019d won a Gorilla Carts dump cart (that\u2019s a sort of four-wheeled wheelbarrow for anyone unfamiliar)\u2014and said it was just one click away.\\n\\nIt wasn\u2019t.\\n\\nclickable image in the email\\n\\nThe whole image in the email was clickable, and it hid plenty of surprises underneath.\\n\\n**Sender:**\\n\\nThe senderemail\u2019s domain (yula[.]org) is related neither to Home Depot nor the recipient.\\n\\nemail header\\n\\nThe `yula[.]org` domain belongs to a Los Angeles high school. The email address or server may be compromised. We have notified them of the incident.\\n\\n**Hidden characters:**\\n\\nBelow the main image, we found a block filled with unnecessary Unicode whitespace and control characters (like `=E2=80=8C, =C3=82`), likely trying to obfuscate its actual content and evade spam filters. The use of zero-width and control Unicode characters is designed to break up strings to confound automated phishing or spam filters, while being invisible to human readers.\\n\\n**Reusing legitimate content:**\\n\\nBelow the image we found an order confirmation that appears to be a legitimate transactional message for trading-card storage boxes.\\n\\nold but legitimate order confirmation\\n\\nThe message seems to be lifted from a chain (there\u2019s a reply asking \\”When is the expected date of arrival?\\”), and includes an embedded, very old order confirmation (from 2017) from `sales@bcwsupplies[.]com`\u2014a real vendor for card supplies.\\n\\nSo, the phisher is reusing benign, historic content (likely harvested from somewhere) to lend legitimacy to the email and to help it sneak past email filters. Many spam and phishing filters (both gateway and client-side) give higher trust scores to emails that look like they\u2019re part of an existing, valid conversation thread or an ongoing business relationship. This is because genuine reply chains are rarely spam or phishing.\\n\\n**Tracking pixel:**\\n\\nWe also found a one-pixel image in the mail\u2014likely used to track which emails would be opened. They are almost invisible to the human eye and serve no purpose except to confirm the email was opened and viewed, alerting the attacker that their message landed in a real inbox.\\n\\nThe address of that image was in the subdomain `JYEUPPYOXOJNLZRWMXQPCSZWQUFK.soundestlink[.]com`. The domain `soundestlink[.]com` is used by the Omnisend \/ Soundest email marketing infrastructure for tracking email link clicks, opens, and managing things like \u201cunsubscribe\u201d links. In other words, when someone uses Omnisend to send a campaign, embedded links and tracking pixels in the email often go through this domain so that activity can be logged (clicks, opens, etc.).\\n\\n## Following the trail\\n\\nThat\u2019s a lot of background, so let\u2019s get to the main attraction: the clickable image.\\n\\nThe link leads to https:\/\/www.streetsofgold[.]co.uk\/wp-content\/uploads\/2025\/05\/bluestarguide.html and contains a unique identifier. In many phishing campaigns, each recipient gets a unique tracking token in the URL, so attackers know exactly whose link was clicked and when. This helps them track engagement, validate their target list, and potentially personalize follow-ups or sell \u2018confirmed-open\u2019 addresses.\\n\\nThe streetsofgold[.]co.uk WordPress instance hasn\u2019t been updated since 2023 and is highly likely compromised. The HTML file on that site redirects visitors to bluestarguide[.]com, which immediately forwards to outsourcedserver[.]com, adding more tracking parameters. It took a bit of tinkering and a VPN (set to Los Angeles) to follow the chain of redirects, but I finally ended up at the landing page.\\n\\nNot a real Home Depot website\\n\\nOf course, urgency was applied so visitors don\u2019t take the time to think things through. The site said the offer was only valid for a few more minutes. The \u201cone-click\u201d promise quickly turned into a survey\u2014answering basic questions about my age and gender, I was finally allowed to \u201corder\u201d my free Gorilla Cart.\\n\\nGorilla Cart decription priced at $0.00\\n\\n## The fake reward\\n\\nBut no surprise here, now they wanted shipping details.\\n\\nHow to claim your Gorilla Cart\\n\\nWait\u2026 what? A small processing fee?!\\n\\nForm for your details\\n\\nThis is as far as I got. After filling out the details, I kept getting this error.\\n\\n\\n\\n\\u003e \u201cSomething went wrong with the request, Please try again.\u201d\\n\\nThe backend showed that the submitted data was handled locally at \/prize\/ajax.php?method=new_prospect on prizewheelhub[.]com with no apparent forwarding address. Likely, after \u201ccollecting\u201d the personal info, the backend:\\n\\n * stores it for later use in phishing or identity theft,\\n * possibly emails it to a criminal\/\u201caffiliate\u201d scammer, and\/or\\n * asks for credit card or payment details in a follow-up.\\n\\n\\n\\nWe\u2019re guessing all of the above.\\n\\n## Tips to stay safe\\n\\nThis campaign demonstrates that phishing is often an adaptive, multi-stage process, combining technical and psychological tricks. The best defense is a mix of technical protection and human vigilance.\\n\\nThe best way to stay safe is to be aware of these scams, and look out for red flags:\\n\\n * Don\u2019t click on links in unsolicited emails.\\n * Always check the sender\u2019s address against the legitimate one you would expect.\\n * Double-check the website\u2019s address before entering any information.\\n * Use an up-to-date real-time anti-malware solution with a web protection component.\\n * Don\u2019t fill out personal details on unfamiliar websites.\\n * And certainly don\u2019t fill out payment details unless you are sure of where you are and what you\u2019re paying for.\\n\\n\\n\\n## IOCs\\n\\nDuring this campaign we found and blocked these domains:\\n\\n`www.streetsofgold[.]co.uk` (compromised WordPress website)\\n\\n`bluestarguide[.]com` (redirector)\\n\\n`outsourcedserver[.]com` (fingerprint and redirect) \\n\\n`sweepscraze[.]online`\\n\\n`prizewheelhub[.]com`\\n\\n`techstp[.]com`\\n\\nOther domains we found associated with bluestarguide[.]com\\n\\n`substantialweb[.]com`\\n\\n`quelingwaters[.]com`\\n\\n`myredirectservices[.]com`\\n\\nprizetide[.]online”,”published”:”2025-10-21T07:13:52″,”modified”:”2025-10-21T07:13:52″,”type”:”malwarebytes”,”title”:”Home Depot Halloween phish gives users a fright, not a freebie”,”source”:””,”references”:””,”id”:”MALWAREBYTES:921E9FA1FD32D39A45F2C631CB05DDD5″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2025\/10\/home-depot-halloween-phish-gives-users-a-fright-not-a-freebie”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-21T08:05:16″,”description”:”We received a timely phishing email pretending to come from Home Depot. It claimed we\u2019d won a Gorilla Carts dump cart (that\u2019s a sort of…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-22484","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n