It's becoming easier to spot a scam email claiming to be from your bank, or Amazon, or even a friend. And scams from strangers are simple to spot.
Or are they?
A new email scam currently sweeping the UK (and looking set to spread to the USA, Canada, and beyond) is deceptive in its simplicity. In short, it doesn't pretend to come from a business or institution which you're connected to. It isn't masquerading as a message from a friend or relative.
In fact, it's pretty explicit in its admission that the sender has information about you. The trick here is in the presentation, and the attachment.
The Scam That Knows Where You Live
A few days ago, into my inbox popped an unusual email. It wasn't stopped by my email-scanning tool, or highlighted as spam, and it appeared to originate from a kind-hearted individual who was trying to help me out…
Hello Christian!I am bothering you for a very serious reason. Though you don't know me, but I have a large ammount [sic] of data concerning you. The matter is that, most likely mistakenly, the data of your account has been sent to me.For example, your address is:[MY CORRECT ADDRESS, REDACTED]I am a lawful citizen, so I decided to personal information may have been hacked. I pinned the file - Cawley.dot that I received, that you could learn what info has become accessible for scammers.Document password is - 6096Bets wishesNorene Liano
It's a fascinating read, isn't it? Here we have, at first glance, a helpful email from Norene Liano (which may be a fake name, or the name of a botnet-controlled email account), sending you some of your own personal data. They don't want scammers to affect you.
How kind!
But if we look closely, we can see something else going on; something that identifies this as a clever scam.
Of Course, It's a Scam!
Now, when I first received this email, I was out and about, so it was picked up by the Gmail app on my Android device. It's clearly a scam (the whole concept of someone "sending" me my data was enough of a giveaway) -- yet the fact that the email featured my actual living address was somewhat concerning.
However, research proves that there are many places in which you can find my address. The concerning part is the matching of my email address with my postal address. This suggests that an online store, bank, utility, or other business I have a consumer relationship with has been hacked.
With so many hacks occurring over the years, it's tricky to narrow down which one, but at this stage I'm going to suggest eBay. It's one of the few online accounts that has my address, and has been the target of some major hacks in recent years. The security was such a mess that we once recommended abandoning the online auction store altogether.
Have You Been Pwned?
The origin of the address data continues to pique my interest. Some have suggested the UK electoral roll, or a charity. However, the lack of recent hacking reports around these institutions means I continue to suspect eBay.
And this means that the scam won't be centered on the UK. Sooner or later, it's going to hit Canada, the USA, Europe, Australia… and then everywhere else in the world.
Whether the data has come from an eBay hack or not, you should check the website Have I Been Pwned? Use the form to input your email address and check what breaches involved your data.
If you find anything, make sure you change your passwords.
The Attachment
Now, the presence of my postal address is really a dangling carrot with which to draw me in. If you received this message from a stranger, bearing your postal address, you'd want to check what other information was leaked, wouldn't you?
The attachment that ships with these messages is in the DOT format, used for Microsoft Word template documents. This is a useful file type that you can use to create a standard document template -- perhaps a letter -- that can be reused over and over. It's also capable of running macros.
Macro scripts have been the cause of many security issues in the past, so much so that they're disabled by default. Some security researchers recommend avoiding Microsoft Office entirely, due to the threat from macros.
If you opened the attachment and had Word installed on your PC, you would see a prompt to input the password stated in the email (in my case, 6096). This would then display a standard This Document is protected! screen, which demands that you enable macros. To do this, you would click the Enable Content button.
Do not do this!
This is the point at which the trap is sprung. Enabling the macro will result in you being infected with the Troj/Agent-AURH zombie malware. This is botware; the malware will communicate with its command-and-control network to await instructions. Perhaps it will coerce your computer to take part in a DDOS. Or, the malware could download other malicious software to your PC -- anything from worms to a data-encrypting ransomware infection is likely.
Never Open Odd Email Attachments!
By now, email scanning tools should be updated with the profile data of this scan. If not, you know what to look out for. We'd suggest that you remain vigilant with online and computer security, and avoid opening unsolicited email attachments.
In fact, avoid all email attachments with unusual file extensions. In this age of cloud storage, there is no real reason why anyone should send a document when they can share it from the cloud.
Should you receive an email that you're confused about, the best thing to do is leave it until you can find someone you know and trust to give you their opinion. If that person is more technologically savvy than you, even better. Don't ask the sender for advice. They're likely to tell you to open the attachment!
If in doubt, delete. No one is sending you money via email, so you won't miss out on anything by ignoring it.
Have you received an email of this type? Did you open, or delete? Tell us about it in the comments.