• We are under attack!

    #2449184

    Starting last week, we received at least five emails that looked as if they were from our email service provider but were not.

    The message read:

    Dear XXXXX User

    This message is to inform all our users that a new version update is now available to all our XXXXX Users and all our users are required to update to the latest version of our webmail failure to update your XXXXX Webmail might end up in lost of personal data in our database kindly click on the link below to update your XXXXX Webmail.

    UPDATE NOW

    we’ll send you personalized tips, news and recommendations for our XXXXX WEBMAIL

    © 2022 XXXXX WEBMAIL  All rights reserved.

    In addition, we have been receiving email messages that appeared to be from our cloud (telephone) communications provider. The messages contained images that looked as if they contained text messages.

    We have not set up text messaging on our desk phones, and the email sender's address was separate and distinct from that of our communications provider. Thus, we did not click to open the message and marked the emails as spam.

    We anticipated that if we clicked the links in the emails we would have been attacked.

    This is why we restrict email communication to PCs that are electronically isolated from the workstations that we use for analysis.

    Viewing 7 reply threads
    • #2449190

      Look at the header — from shows the true information.

      And, I suspect your actual name or anything that identifies you specifically is not present.

      You’ve been phished, not attacked. Don’t answer. Don’t click anything in the mail.

      Spam. Spam. Spam.

      Carpe Diem {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender WuMgr
      offline▸ Acer AspireOne Atom N270 RAM2GB HDD GuineaPig
      online▸ Win11Pro 21H2.22000.739 x64 i5-9400 RAM16GB HDD Firefox103.0b2 MicrosoftDefender WuMgr
    • #2449210

      Moderator:

      Moved to Cybersecurity forum, not Windows 10

      Susan Bradley Patch Lady

    • #2449238

      I have commented elsewhere on some very convincing-looking emails that were supposed to be from my ISP and my email service, which are independent of each other. But hovering over the links I was advised to click on to see more, etc., showed they were not from those addresses but from a site called “Weby” that is described as a company that develops Web sites (yes: this is not the one called “Webly”, which is better known). So I deleted the emails without opening them.

      Later someone posted in the same thread that there were crooks that “hijacked” genuine email addresses and changed the sender around to look like these had been sent from the address of some business that now and then would send legitimate emails to the owner of the hijacked address. I have not heard more about this. Has anyone here?

      Related to this:

      https://www.askwoody.com/forums/topic/the-gmail-smtp-relay-service-exploit/

      Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

    • #2449242

      We forwarded one of the suspect emails to our email service provider and got the following response.

      This is a scam, yes; we are working on blocking them and have reported the website used. Real emails from XXXXX always address you by name and contain links pointing back to the XXXXX website rather than random links. The sender will also be a recognizable one such as support@XXXXX.com, thank you.

    • #2449244

      Just got another one.

      This time it is from Josu Takala   <josu.takala@uwasa.fi>

      The message,

      “Can you act as an intermediary (Escrow Representative) to our customers in your region? If Yes; Reply for details on description, commission and salary involved.

      Email: recruitcic@associaterecruitgroup.com

      A web search of uwasa.fi takes you to the University of Vaasa.

      Their web site states,

      “We cultivate new knowledge. We are an internationally competitive, productive and specialized research university. Our core competence consists of high-level expertise in business, technology, management and communications. Our fundamental purpose is to cultivate new knowledge and nurture civilization as a core value of our society.”
      Their mailing address is PB 700, 65101 VAASA, FINLAND.

      The university’s domain is uwasa

      Email addresses for individual members of the university’s staff are in the form of firstname.lastname@univaasa.fi

      Student email addresses are formatted as username@student.uwasa.fi

      A search of the domain where replies are directed ( http://associaterecruitgroup.com ) reveals that it is ZOHO, a domain development and hosting organization.

      Looks funny to us.
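The indicators raised in this thread (the provider's note that real mail addresses you by name and links back to its own site, the advice to read the true sender in the header, and the recruitment message whose reply address sits on a different domain than the sender) can be turned into a small triage check. The script below is an added example, not code from the forum, the provider, or any project; the provider domain in TRUSTED_DOMAINS and every address, host and message in it are constructed placeholders (the sample messages are built in code, so nothing here is a real email).

```python
"""Triage helper for the phishing indicators discussed in this thread: a sender
domain that is not the provider's, a generic greeting, links whose host is not the
provider's site, and reply addresses on another domain.  Added example; all
domains, addresses and messages below are constructed placeholders."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"example-webmail.test"}   # assumed: the provider's real domain
GREETING_RE = re.compile(r"^dear\s+(?:\S+\s+)?(user|customer|client|member)\b", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
TAG_RE = re.compile(r"<[^>]+>")


class LinkCollector(HTMLParser):
    """Collect href targets, i.e. what you would see by hovering over each link."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def base_domain(host: str) -> str:
    """Last two labels; crude, but enough for the placeholder domains used here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw: bytes) -> list[str]:
    """Return the indicators found; an empty list means nothing was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])   # header, not display name
    if base_domain(from_domain) not in TRUSTED_DOMAINS:
        findings.append(f"sender domain is not the provider's: {from_domain or '<none>'}")
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To points at another domain: {reply_domain}")

    text, hrefs = [], []
    for part in msg.walk():                       # collect body text and link targets
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text.append(part.get_content())
        elif ctype == "text/html":
            html = part.get_content()
            collector = LinkCollector()
            collector.feed(html)
            hrefs.extend(collector.hrefs)
            text.append(TAG_RE.sub(" ", html))
    body = "\n".join(text)

    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if GREETING_RE.match(first_line):             # "Dear XXXXX User" style salutation
        findings.append(f"generic greeting: {first_line!r}")
    for href in hrefs:
        host = urlsplit(href).hostname or ""
        if host and base_domain(host) not in TRUSTED_DOMAINS:
            findings.append(f"link does not point at the provider's site: {href}")
    for m in EMAIL_RE.finditer(body):             # "Email: someone@elsewhere" pattern
        if m.group(1).lower() != from_domain:
            findings.append(f"body asks for contact via another domain: {m.group(0)}")
    return findings


def build(from_, subject, text, html=None) -> bytes:
    """Construct a sample message for the checks above (test data, not real mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_, "you@example.org", subject
    msg.set_content(text)
    if html:
        msg.add_alternative(html, subtype="html")
    return msg.as_bytes()


# Constructed sample in the style of the "update your webmail" message
PHISH = build('"Example-Webmail Support" <notice@update-portal.example>',
              "Update your Example-Webmail now",
              "Dear Example-Webmail User\n\nA new version is available. Click below.\n",
              '<p>Dear Example-Webmail User</p>'
              '<p><a href="http://update-portal.example/login">UPDATE NOW</a></p>')
# Constructed sample in the style of the recruitment message: replies steered elsewhere
RECRUIT = build("Someone <someone@university.example>", "Intermediary wanted",
                "Can you act as an intermediary for our customers?\n"
                "Email: recruit@other-group.example\n")
# Constructed legitimate sample: provider domain, addressed by name, links point home
LEGIT = build("Example-Webmail Support <support@example-webmail.test>",
              "Your security settings",
              "Hello Kathy,\n\nReview your settings at https://example-webmail.test/account\n"
              "Questions? Write to support@example-webmail.test\n",
              '<p>Hello Kathy,</p><p><a href="https://example-webmail.test/account">'
              'Review settings</a></p><p>support@example-webmail.test</p>')

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("RECRUIT", RECRUIT), ("LEGIT", LEGIT)):
        print(name, triage(sample) or "nothing flagged")
```

The checks deliberately read the address from the From header rather than the display name, which is the distinction the "look at the header" reply makes; a display name can say anything. On the constructed samples the webmail lure is flagged three times (sender domain, greeting, link host), the recruitment lure twice (sender domain, contact address on another domain), and the legitimate message not at all.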

      • #2449265

        Kathy Stevens: That very suspicious email has been (apparently) sent from the address of a person working at the university of Vaasa, in Finland, and it’s not a message from the university itself.  So the email might be from someone with an address there who might be up to no good, or someone spoofing that address, somehow, but the university itself has nothing to do with this.

        This university was created by the Finnish Government and is a legitimate organization:

        https://en.wikipedia.org/wiki/University_of_Vaasa

        (The word “university” tends to be used too freely these days, as in this case, because it actually is used to designate a place where a broad (“universal”) diversity of subjects is taught at a higher education level: law, mathematics, physics, medicine, engineering, humanities … But this does not mean the organization itself is a bad one.)


    • #2449353

      Escrow representative? This phrase and similar phrases and terminology are found in spam.

      Do any of these emails have anything to do with your business?

      Delete them, report them, flag them as unwanted correspondence, block them, ignore them.

      Don’t read them. Don’t click their links. Don’t answer them.

      And stop posting suspect email addresses and links here. They’re live.

      • #2449380

        geekdom

        I thought I made it clear that when I titled this topic “We are under attack!” that the emails I was discussing were spam.

        And yes, the emails had the potential of impacting our business! The first email I discussed was prepared by an expert. It looked exactly like correspondence that may have come from our email service provider down to the copyright information at the bottom of the page that read, “© 2022 XXXXX WEBMAIL  All rights reserved.” I regret now that I did not include an image of the email so that others could see the sophistication of its creator.

        Fortunately, our practice is not to click on links contained in email. However, in this case – because of the importance of email to our operation and the skill of the sender – we went to our email host’s website and looked for information related to the “new version update” that we were being asked to install. There was no reference to an update on their website.

        We then forwarded a copy of the suspicious email to our email service host’s customer service department and received a response thanking us for contacting them and advising that we were not the only ones that received the suspicious email and that they were taking action against the sender including possibly blocking their ISP from the site.

        Yes, “Escrow representative? This phrase and similar phrases and terminology are found in spam.” We included reference to it simply to highlight the fact that we are receiving a steady stream of spam of various types and sophistication.

        You offer good advice when you recommend that we, “Delete them, report them, flag them as unwanted correspondence, block them, ignore them.” “Don’t read them. Don’t click their links. Don’t answer them.”

        In fact, we did take appropriate action by:

        • Warning our email service provider that their clients were being exposed to a scam.
        • Logging into the email services provider’s website and reporting the subject emails as scam.
        • Opening the email application that we use on our PCs and clicking on the tab of our internet security’s firm’s app and marking the emails as spam.
        • Opening the spam folder on the appropriate PC and deleting the subject emails.
        • Opening the Trash folder on the appropriate PC and deleting the subject emails.

        And no, we will not, “… stop posting suspect email addresses and links here. They’re live.”  We are posting them as information so that the uninitiated can see and avoid similar spam. We work under the assumption that the readers of this Topic are mature enough to avoid walking into a scam uninvited.

    • #2449417

      Kathy Stevens: “I thought I made it clear that when I titled this topic “We are under attack!” that the emails I was discussing were spam.

      Actually, from what you have told us, that looks more like phishing. “Spam” equals “Obnoxious Junk Mail”: it’s junk mail that just floods in. It is not dangerous, just annoying and inconvenient. But if one goes away for a couple of weeks and comes back to find the mail folder full of it, with some important correspondence drowning underneath and very hard to find among all the junk, then it could also be a larger problem.

      Phishing, on the other hand, is some email that comes with one or more links you are incited in the text to click on: you do it and (drum roll) all is lost!  Just like that.

      That aside, your description of the problem at your company is something I have noticed recently in my own modest home mailbox and think is a new and ominous development: Phishing with emails that are virtually letter and picture-perfect when compared to a real email from the real sources these phony ones are supposed to come from. Sources with good reputation that we have long known about, or even matter to us, such as one’s ISP or email service provider.

      Long gone, the generous Nigerian Princes with their urgent needs to leave Nigeria and to safeguard their riches abroad. Always willing to share a substantial part of their loot, as compensation to someone “of such an honorable reputation as yours” if equally willing to carry it all to a Swiss bank, or one in the Cayman — after leaving a proportionate monetary deposit as guarantee with the Prince representatives, of course.


    • #2449526

      Speaking of ZOHO:

      Subject: URGENT ATTENTION 05/25/
      From: David Miller <xxxxxxx@gmail.com>
      Date: 5/25/2022, 8:46 PM
      To: <xxxxxx@zohomail.com>
      X-Account-Key: account12
      X-UIDL: 4752e7
      X-Mozilla-Status: 0000
      X-Mozilla-Status2: 00000000

      XXXXXXXXXXXXXXXXXXXX
      XXXXXXXXXXXXXXXXXXXXXXXXX

      Hello, I am sorry to encroach into your privacy in this manner, I found you listed in the Trade Center Chambers of Commerce directory here and I find it pleasurable to offer you my partnership in business. I only pray at this time that your address is still valid. I want to solicit your attention to receive money on my behalf. I am Capt. David Miller , an officer in the USA Army and also a West Point Graduate presently serving in the Military with the 82nd Air Borne Division Peace keeping force.

      I really need your help in assisting me with the safe keeping of Two Military Trunk Boxes. I hope you can be trusted?  If you can be trusted, I will explain further when i get a response from you for further clarification.

      Thanks for your cooperation, God bless you and America !!

      Best Regards
      Capt. David Miller
      US ARMY.

      I just joined the club!

      [Moderator edit] please do not post email addresses. Removed existing

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
      • #2449528

        Hey! The Nigerian Prince is still out and about and has gone into business for himself in The Army!

        Charlie, you should be yourself both profoundly humbled and deeply honored!


        • #2449529

          Charlie, you should be yourself both profoundly humbled and deeply honored!

          Why?  Please explain.

          Hey Oscar, I think you should have sent this to Wavy.

          We're getting Sticker Shock everywhere now, not just car dealers.

        • #2449578

          Sorry, Charlie, but don’t worry: the Nigerian Prince most likely will also reach to you with a request of help and, along with it, a most profitable proposition, any day now. As he probably shall reach to me and a few other trustworthy and honorable personalities of this day and age, with equal purpose.

          It’s not just about wavy. Not if the Nigerian Prince is in it.


        • #2449649

          Oscar are you trying to tell me I shouldn’t have sent the fine gentleman $2000 to pay for a storage facility? What and not help my country??
          I am aghast at such a suggestion!!

        • #2449718

          wavy: “Oscar are you trying to tell me I shouldn’t have sent the fine gentleman $2000 to pay for a storage facility?

          Not at all! Quite the opposite! In fact, had I known, I’d have encouraged you to be bountiful and offer His Highness to pay more for something better, even if he says he is satisfied with a storage facility of such humble quality as to charge a mere, paltry, pitiful  $2000 for keeping his containers and the contents therein!


        • #2449698

          Gosh, I’m feeling left out.  The Nigerian Prince has never contacted me!


        • #2449717

          Charlie (not wavy): Just wait a bit … Never fear, His Highness will get in touch.

          He’ll never fail to contact a person of your caliber.


    • The topic ‘We are under attack!’ is closed to new replies.