We love an oxymoron. You know… “Jumbo shrimp” or “deafening silence.” How about an opaque fish bowl? A friend of ours is an internet-savvy teacher at a small school. She sent us this email invitation she received to ask if we thought this was a scam. The email appears to have come from fishbowlteachers[.]com and says to the teacher, “You’ve been invited by a co-worker from [NAME OF SCHOOL] to join Fishbowl.” The immediate issue is that she knows all the teachers at the school and NO ONE invited her. No one subscribes to something called Fish Bowl Teachers. The link in this email to “Join Fishbowl” points to an email marketing service called MixMax[.]com. (MixMax[.]com also owns the domain mixmaxusercontent[.]com.)
There is also a service called Fishbowl which is used to generate conversations in the workplace. Fishbowl has a resource designed for teachers, and it can be found at their domain fishbowlapp[.]com.
So, on the surface, it appears that Fishbowl used a marketing service to reach out to teachers and invite them, albeit with a lie, to join Fishbowl. Right? But hold on, this fish bowl is not quite so clear! Trusting our sixth sense, we decided to check that mixmaxusercontent link through several security services, and Sucuri.net informed us that it detected malware at the end of the link. After getting infected, the recipient will then be forwarded to the teacher webpage at fishbowlapp[.]com.
But how is this possible? MixMax is a legitimate email marketing service. Don’t they vet their clients, or at least require clients to identify themselves in some way that can be traced and verified? Apparently not! In seconds we were able to find multiple instances showing that the MixMax email marketing services have been misused many times by criminals who target us all with malware. Check out this screenshot of part of our Google search…
Discovering how easily a legitimate email marketing service can be misused was a game-changer and had us thinking about the difference between fishbowlteachers[.]com and fishbowlapp[.]com. When we used Google on Firefox to look up those two domains (WITHOUT VISITING THEM!) we found a significant difference. There was a lot of information and many links to represent fishbowlapp[.]com, but literally nothing but the domain itself to represent fishbowlteachers[.]com. (NOTE: If we had used Google on Chrome to search for a domain, Chrome simply sends you to the website, which could be dangerous when investigating suspicious websites.) A WHOIS lookup of both domains doesn’t help clarify ownership since both domains were registered by proxy services.
This is very disturbing. Apparently we can’t make any assumptions about the emails that arrive in our inboxes, even when they appear to come from a known service through a known email marketing company.
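The domain comparison described above can be done offline, without visiting anything. This is an added example, not part of the original article: the message is a constructed stand-in, and the mailbox, subdomain, path, and function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, not the real message. The three domains are the ones the
# article names (kept defanged); mailbox, subdomain and path are placeholders.
SAMPLE = """\
From: Fishbowl <invite@fishbowlteachers[.]com>
To: teacher@school.example
Subject: You've been invited to join Fishbowl
Content-Type: text/html; charset=utf-8

<p>You've been invited by a co-worker to join Fishbowl.</p>
<a href="hxxps://links.mixmaxusercontent[.]com/PLACEHOLDER">Join Fishbowl</a>
"""

def refang(text):
    """Undo common defanging so values can be parsed (nothing is ever fetched)."""
    return re.sub(r"hxxp", "http", text.replace("[.]", "."), flags=re.I)

def base_domain(host):
    """Last two labels; a simplification that ignores multi-part public suffixes."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class Hrefs(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.found.append(href)

def triage(raw, brand, official):
    """Compare sender and link domains with the brand's known domain, offline."""
    msg = message_from_string(refang(raw))
    sender = base_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    parser = Hrefs()
    parser.feed(msg.get_payload())
    hosts = (urlsplit(u).hostname for u in parser.found)
    links = sorted({base_domain(h) for h in hosts if h})
    flags = []
    if sender != official and brand in sender:
        flags.append("sender-not-official:" + sender)
    flags += ["link-offbrand:" + d for d in links if d not in (official, sender)]
    return {"sender": sender, "links": links, "flags": flags}
```

Calling `triage(SAMPLE, brand="fishbowl", official="fishbowlapp.com")` raises both flags. A flag is a reason to check the message further, not a verdict, since legitimate senders also route links through marketing services.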