Security Brief: Sing Us a Song You’re the Piano Scam 

What happened 

Proofpoint recently identified a cluster of activity conducting malicious email campaigns that use piano-themed messages to lure people into advance fee fraud (AFF) scams. The campaigns have occurred since at least January 2024 and are ongoing. Most of the messages target students and faculty at colleges and universities in North America; however, targeting of other industries, including healthcare and food and beverage services, was also observed. Proofpoint has observed at least 125,000 messages so far this year associated with the piano scam campaign cluster.

In the campaigns, the threat actor purports to offer up a free piano, often due to alleged circumstances like a death in the family. When a target replies, the actor instructs them to contact a shipping company to arrange delivery. That contact address will also be a fake email managed by the same threat actor. The “shipping company” then claims they will send the piano if the recipient sends them the money for shipping first.  

Figure 1: Lure email purporting to be giving away a “free” piano.

Figure 2: Shipping options provided by the fake shipping company.

The actor requests payment via multiple options including Zelle, Cash App, PayPal, Apple Pay, or cryptocurrency. The actor also attempts to collect personally identifiable information (PII) from the user including names, physical addresses, and phone numbers.  

Proofpoint identified at least one Bitcoin wallet address the piano scam fraudsters directed payment to. At the time of this writing, it contained over $900,000 in transactions. It is likely that multiple threat actors are conducting numerous different types of scams concurrently using the same wallet address given the volume of transactions, the variations in transaction prices, and overall amount of money associated with the account.  

While the email body content of the messages is similar, the sender addresses vary. Typically, the actors use freemail email accounts, usually with some combination of names and numbers. Most of the campaigns include multiple variations on the email content and contact addresses.  

Attribution 

To obtain more information about the fraudsters, researchers started a discussion with the actors and convinced them to interact with a researcher-managed redirect service. Proofpoint was able to identify at least one perpetrator’s IP address and device information. Based on the information obtained, researchers assess with high confidence that at least one part of the operation is based in Nigeria. 

Figure 3: Screenshot of part of a conversation between a researcher and the threat actor.

Advance Fee Fraud (AFF), which in the past has been referred to as “419,” “Nigerian 419,” or “Nigerian Prince” email fraud, occurs when a threat actor asks the potential victim for a small amount of money in advance of a larger, promised payout to be given to the victim at a later date. There are endless variations of this type of fraud. Typical schemes contain elaborate stories that explain why a large sum of money, a job opportunity, or other goods or services are available to the victim, and why the sender needs a small upfront or advance fee before the victim receives the promised money or goods. The fraudsters often bait victims with subjects such as inheritance, awards, government payouts, and international business.

Once the victim provides the small amount of money to the fraudster, however, they cut all contact and disappear.  

Why it matters 

Proofpoint has previously published research on AFF campaigns using a variety of different themes to entice recipients to engage with them, including employment opportunities targeting university students and cryptocurrency fraud. In all cases, AFF relies on elaborate social engineering and the use of multiple different payment platforms. People should be aware of the common techniques used by threat actors and remember that if an unsolicited email sounds too good to be true, it probably is.  

Indicators of compromise 

| Indicator | Description | First Seen |
| --- | --- | --- |
| hamj6842@gmail[.]com | Sender Email | March 2024 |
| Kentronphillipsemail.24hrs@email[.]com | Sender Email | March 2024 |
| brireedmoversse@outlook[.]com | Sender Email | March 2024 |
| dereckadamsprivatemail21@mail[.]com | Sender Email | March 2024 |
| Kentronphillipsemail[.]24hrs@email[.]com | Sender Email | March 2024 |
| aldo[.]moran97 @anahuac[.]mx | Sender Email | March 2024 |
| verocaress@gmail[.]com | Sender Email | March 2024 |
| 17kE4HzqAiPxwoC7rqHwJHoPwAk2bV2hKU | BTC Wallet | March 2024 |
| ABCITY113 | Reference Number | March 2024 |
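As an added example (not code from the Proofpoint brief), the following Python triage routine refangs a subset of the sender addresses from the table above and applies a simple lure heuristic, based on the piano theme, freemail senders, and shipping-fee pretext the brief describes, to constructed sample messages. The freemail domain list, the lure keywords, and the sample messages are assumptions made for illustration.

```python
import re

# Defanged sender indicators copied from the brief's IOC table (subset).
DEFANGED_SENDERS = [
    "hamj6842@gmail[.]com",
    "brireedmoversse@outlook[.]com",
    "dereckadamsprivatemail21@mail[.]com",
    "Kentronphillipsemail.24hrs@email[.]com",
]

# Assumed freemail providers for the heuristic; extend to match your environment.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "mail.com", "email.com"}

# Lure vocabulary assumed from the brief's description of the scam.
PIANO_RE = re.compile(r"\bpiano\b", re.I)
LURE_RE = re.compile(
    r"\b(free|give\s*away|giving\s+away|passed\s+away|shipping\s+(fee|cost))\b", re.I
)


def refang(indicator: str) -> str:
    """Turn a defanged address ('gmail[.]com') into a matchable, lower-cased form."""
    return indicator.replace("[.]", ".").strip().lower()


KNOWN_SENDERS = {refang(s) for s in DEFANGED_SENDERS}


def classify(sender: str, subject: str, body: str) -> str:
    """Return 'ioc-match', 'suspicious', or 'clean' for one message."""
    addr = sender.strip().lower()
    if addr in KNOWN_SENDERS:
        return "ioc-match"            # exact hit on a published sender indicator
    domain = addr.rsplit("@", 1)[-1]
    text = f"{subject}\n{body}"
    if domain in FREEMAIL_DOMAINS and PIANO_RE.search(text) and LURE_RE.search(text):
        return "suspicious"           # freemail sender + piano theme + lure wording
    return "clean"


# Constructed sample messages (not real captures).
SAMPLES = [
    ("hamj6842@gmail.com", "Piano", "My late husband's piano is free to a good home."),
    ("someone123@gmail.com", "Free piano", "Giving away a baby grand, just cover the shipping cost."),
    ("registrar@university.example", "Piano recital", "The music department hosts a recital Friday."),
]


def triage(samples=SAMPLES):
    """Classify each (sender, subject, body) tuple; returns [(sender, verdict), ...]."""
    return [(s, classify(s, subj, body)) for s, subj, body in samples]
```

A verdict of "suspicious" is a signal for review, not a block decision; the heuristic is intentionally broad and will flag legitimate piano giveaways from freemail accounts.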