Just before Christmas, I began to notice a large number of emails, seemingly from my contacts, that contained only a single link. A lot of the contacts were old ones, colleagues I’ve not heard from in years or people I had little contact with. I knew they were scams, but it worried me as there were so many of them.
I decided to look into the matter more thoroughly and this is what I found.
The Spam Email from a Contact
The emails were all similar in format:
- The subject line was empty, i.e. ‘no subject’
- The email address looked like it was from a known contact, i.e. the from line showed a real contact’s name.
- The email body showed my name followed by a single URL link.
- Then it was signed off using the contact’s name.
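The pattern above can be turned into a simple mail-filter check. This is an added example, not code from the original post: it assumes a constructed address book (KNOWN_CONTACTS) and uses Python's standard email parser to flag messages that have an empty subject, a known contact's display name (optionally from an address that is not the one on file), and a body that is nothing but a greeting, one URL and a sign-off.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: the address we actually have on file for each contact.
KNOWN_CONTACTS = {"Jane Smith": "jane.smith@example.com"}

URL_RE = re.compile(r"https?://\S+")


def spoof_traits(raw_message, my_name):
    """Return which traits of the 'single link from a contact' pattern raw_message shows."""
    msg = message_from_string(raw_message)
    traits = []

    # 1. Empty subject line ('no subject').
    if not (msg.get("Subject") or "").strip():
        traits.append("empty-subject")

    # 2. Display name belongs to a known contact; note when the address is not theirs.
    display_name, address = parseaddr(msg.get("From", ""))
    known_address = KNOWN_CONTACTS.get(display_name)
    if known_address:
        traits.append("known-contact-name")
        if address.lower() != known_address.lower():
            traits.append("address-mismatch")

    # 3. Body is just: recipient's name, one URL on its own line, sender's name.
    body = ""
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            body = payload.decode(errors="replace") if payload else ""
            break
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    urls = URL_RE.findall(body)
    if (len(lines) == 3 and len(urls) == 1 and my_name in lines[0]
            and lines[1] == urls[0] and display_name
            and lines[2].split()[0] == display_name.split()[0]):
        traits.append("link-only-body")
    return traits


def is_contact_spoof(raw_message, my_name):
    """True when every trait of the pattern described in the post is present."""
    required = {"empty-subject", "known-contact-name", "link-only-body"}
    return required <= set(spoof_traits(raw_message, my_name))


# Constructed sample messages for trying the check offline.
SAMPLE_SPOOF = "From: Jane Smith <jsmith1984@mail.example.net>\nTo: Alice <alice@example.com>\nSubject:\n\nAlice\nhttp://example.invalid/doc\nJane Smith\n"
SAMPLE_LEGIT = "From: Jane Smith <jane.smith@example.com>\nTo: Alice <alice@example.com>\nSubject: Lunch on Thursday\n\nHi Alice, are we still on? Menu is at http://example.invalid/menu\nCheers,\nJane\n"
```

A message matching all three traits is a strong candidate for quarantine; the address-mismatch trait alone is worth surfacing to the recipient, since it is the usual sign that the contact was spoofed rather than hacked.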
The Spam Link
The link in the spam email, when clicked, went to a malware-infected website – as evidenced in the image below.
What is Going On?
My immediate concern was that my own email had been hacked and my list of contacts breached. To check this, I went into the sign-in activity section of my account. The email client in question was Microsoft Outlook. To access this section:
- Click to open My Account
- Click on Security (at the top of the page)
- Enter your password
- Choose Sign in Activity
Once in that section, I could see that there had indeed been several attempts to perform an ‘Automatic Sync’. This is a method that can be used to synchronise an email account with another email client or app. It uses a protocol called IMAP.
This synchronisation was the second prong of the attack against my account. As well as sending the malware-infected link, the fraudsters tried to brute force their way into my email account.
When I checked the IP addresses shown in the “Sign in Activity” section, I found that the associated IP was known and had been reported multiple times for brute force attacks and other hacking attempts.
In this case, the sync attempts failed, helped by the fact that I have two-factor authentication set up to secure my login to that account.
If the fraudsters had succeeded in syncing my mailbox to another client such as Exchange or Outlook, they would have had access to all of my emails, contacts, calendars, etc. They could then have continued their attacks against others in my own contact list.
The Multi-Pronged Domino Effect of Scams
Cybercriminals are good planners. They plan attacks that often use multiple methods to increase success. The fraudsters in this scam used contact lists that had previously been breached to attempt to breach another account. To execute this, they used phishing links that took the recipient to an infected website. Once infected, the malware would likely use keylogging software to capture login credentials or other personal data.
At the same time, they attempted to brute force attack my account.
Cybercrime of this nature is often multi-pronged and acts as a domino effect, one hacked account leads to another, and so on.
The only way to stop it is to cut off the fuel at source. Always use robust authentication to login to email accounts. If available, set up a second factor to log in. This is usually something like an SMS text sent after you successfully enter your username and password.
And, always keep abreast of phishing and other scams by being security aware.
Email addresses are stolen when a data breach occurs – you can check if any of your emails are exposed by using HaveIBeenPwned. In this case, it is possible that several of my older contacts had their contact lists hacked – the result being that those contacts were sent the same phishing emails.
The Defence Works has written about the confusion that can happen when emails that look like they come from friends are actually spam. In our post “Has my email been spoofed or hacked?” we explained how to tell if your account, or your friend’s, was spoofed or hacked.
Why not help your colleagues stay safe and send them this little reminder? Feel free to edit or copy/paste the advice below:
The Email Contact Spoof Scam
You may have noticed unusual emails coming in from contacts you have. These emails seem to be from a known person, but the email only shows a website link. These emails are highly likely to be scams. If you click on the link you will be taken to a malware-infected website that could infect your computer.
DO NOT CLICK THE LINKS IN THIS TYPE OF EMAIL. LET THE CONTACT KNOW ABOUT THE EMAIL AND SUGGEST THEY UPDATE THEIR PASSWORD AND TURN ON A SECOND FACTOR TO LOGON TO THEIR EMAIL ACCOUNT (IF AVAILABLE).
For more information on what to do if you receive a phishing email check out “What to Do if You Click on a Phishing Link?”
Don’t forget to share this with your colleagues and friends and help them stay safe.
Let’s keep breaking scams!