April 27, 2015
Less [Info] is More [Curiosity]
Imagine seeing this in your email inbox listing:
From: Ty Ronca
Subject: Your account #105570127846 has been frozen
Now, you have no idea who or what "Ty Ronca" is... and that's exactly what the crook who sent the email is counting on. The recipient's reaction to this email listing is intended to be outrage ("How dare someone freeze my account!"). The immediate goal is to trick you into opening the message, upon which you'll see:
Your account #105570127846 was frozen for violation of our TOS. Please see attached.
Gifhorner Str. [removed] 29379 Knesebeck
+49 5834 [removed]
+49 5834 [removed]
The From: name/email address information is not—in any way—associated with the crooks behind this email barrage. Instead, the data comes from the email list of recipients. I just saw another instance of this email message with an Italian "sender". In fact, it's quite likely that there are copies of this trash going around with my email address as the "sender" (they obviously have my address because they sent the message to me).
As for the physical address and phone number information shown in the message body's signature, it was snarfed from a German company's web site. The company's domain name is completely different from that of the "sender".
If I could see the template used to generate these messages, I know I'd see a bunch of placeholders where either random data is inserted (e.g., the account number, also assigned to the .zip file attachment) or a randomized pick from a list of blank-fillers (e.g., "frozen", "suspended", and the From: field data).
And so, the recipient is incensed to be accused of violating the Terms of Service, even though there is no recollection of having an account with the signatory. In a fit of pique, the recipient double-clicks the attachment, thinking it contains information about the account.
In this case, that .zip file contains a Trojan loader that affects Windows PCs. Not only has the recipient discovered nothing about this ghost account (which does not exist), but his or her PC is now under the spell of the crooks, who have full rein over everything going on within that computer (capturing passwords, logging network traffic, grabbing email addresses, and so on).
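As an added example (my own code, not from this post), here is a mail-filter check for the template fingerprint described above: the same random account number appearing in the subject, in the body text and in the .zip attachment's file name. The message below is a constructed sample modelled on the one quoted in the post; the sender address and boundary are invented.

```python
import re
from email import message_from_bytes, policy

# Constructed sample modelled on the post's message (sender address is made up).
RAW_MSG = b"""From: Ty Ronca <ty.ronca@example-sender.test>
To: recipient@example.test
Subject: Your account #105570127846 has been frozen
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Your account #105570127846 was frozen for violation of our TOS. Please see attached.
Gifhorner Str. [removed] 29379 Knesebeck
+49 5834 [removed]

--XX
Content-Type: application/zip; name="105570127846.zip"
Content-Disposition: attachment; filename="105570127846.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--XX--
"""

# An "account number" is a run of eight or more digits following a '#'.
ACCOUNT_RE = re.compile(r"#\s*(\d{8,})")

def template_indicators(raw: bytes) -> dict:
    """Collect the indicators that fit the randomised-template pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    m = ACCOUNT_RE.search(msg.get("Subject", ""))
    account = m.group(1) if m else None
    # Only real attachments are considered, never the text body part.
    zip_names = [
        part.get_filename() or ""
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(".zip")
    ]
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    return {
        "zip_attachment": bool(zip_names),
        "account_in_body": bool(account and account in body_text),
        "zip_named_after_account": bool(account and any(account in n for n in zip_names)),
    }

def looks_like_template_lure(raw: bytes) -> bool:
    ind = template_indicators(raw)
    return ind["zip_named_after_account"] and ind["account_in_body"]
```

The attachment is never opened or decoded; the check works purely on headers, body text and the attachment name, so it can run on a mail gateway before delivery.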
This campaign is the antithesis of those that try to trick users by fabricating all kinds of elaborate stories. In this case, there is very little to go on. Yet the lack of details is exactly what drives recipient curiosity to double-hit that mouse button ASAP.
Posted on April 27, 2015 at 11:10 AM