Tuesday, 8 August 2017

An RBA Hoax Email: Somewhat childish

I received a confused email purporting to come from the Reserve Bank of Australia (RBA). It was a hoax, which I have since reported as a phishing attempt, but it was interesting to look at how it was structured, and at the clues it offers as to whom it may have come from.

Let's take a closer look.


It's from the RBA? No, it's about the RBA? What is this?

From the screen snippet above you can see what was waiting in my inbox. It appeared to be an email from 'Emma', with the subject "Reserve Bank of Australia". We can also see that it has an attachment. These things should start ringing some alarm bells: it has an attachment, it is about a financial institution that does not deal with private citizens' accounts, and it is from someone I do not know.


I'm confused. What is this about?

As we explore further, you'll see that this email in itself was also confused.

So, apart from the strange subject line, we can also see that the sender of the email is attempting to hide their identity. Whilst the display name the email offers is 'Emma', the address it is using is 'Liam@aapt.net.au', and the message was sent via yet another domain.

Whoever Emma/Liam is, they have not paid for quality data on which to launch their scam campaign. Clearly they do not have my name (yet), but they do have my email address. That is not anything to worry about, as my email address is not a secret. But it should clearly identify this as a scam: if this really was from the RBA, or from any other financial institution that would have a legitimate reason to send me an email, they would know my name.

Next we have some oddities in the grammar of the email content: doubled-up words like "history history", and odd phrases such as "breakdown of payment delays" and "lawsuit against you on the suit", which make no sense in the context in which they are presented.

Then there is the threat that the RBA will use its "law enforcement bodies". Given that the RBA has lawyers, but has neither police nor other enforcement specialists, this really is out of context again.

This scam email sticks out particularly because, whilst the text is confused, contradictory and makes little sense, there are no spelling errors. Combined with the signature line, which does not use a person's name but the name of the RBA itself, this tends to suggest that whoever compiled it is from an English-speaking background, or at least took the trouble to use a spell-checker. However, they do not seem to be mature or worldly enough to understand what the RBA is, how it operates, or how grown-ups doing business really communicate.

A peek under the covers.

Going down into the raw data of the email (view original or view source) gives a few more clues.

The Message-ID domain does not match the supposed sender's email domain. I would have expected this to raise flags with the Google spam filters; I am not sure why it did not on this occasion.


The scammer has attempted to obfuscate the trail in a cheap way: the Reply-To address and domain are different from the From address details, so any reply goes to a mailbox other than the one the message claims to come from. This is a cheap way of initially obfuscating any follow-up. However, the fact that such a cheap option is being used suggests that the scammer(s) have limited resources. Perhaps they are just starting out. Perhaps their names are Liam and Olivia.
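The three header checks above (Reply-To domain versus From domain, Message-ID domain versus From domain, and a display name that has nothing to do with the mailbox name) are easy to script. The following Python is an added example written for this post, not code from the original, and it runs on constructed headers: the From display name and address are the ones described above, while the Reply-To host, the Message-ID host and the recipient address are placeholder names standing in for whatever the scammer actually used.

```python
import email
from email.utils import parseaddr

# Constructed sample headers, written for this example rather than copied from
# the message in the post. The From display name and address are the ones the
# post describes; the Reply-To and Message-ID hosts are placeholders (reserved
# example names) standing in for whatever the scammer really used.
SCAM_EMAIL = """\
From: Emma <Liam@aapt.net.au>
Reply-To: Olivia <olivia@reply.example>
To: victim@example.com
Subject: Reserve Bank of Australia
Message-ID: <20170808091200.1a2b3c@mailer.example.net>
Date: Tue, 08 Aug 2017 09:12:00 +1000
Content-Type: text/plain; charset="utf-8"

Please see the attached history of payment delays.
"""

# A consistent message for comparison (also constructed).
CLEAN_EMAIL = """\
From: Liam Smith <liam.smith@example.org>
To: Jane Doe <jane.doe@example.com>
Subject: Monthly statement
Message-ID: <20170808091200.9z8y7x@mail.example.org>
Date: Tue, 08 Aug 2017 09:12:00 +1000
Content-Type: text/plain; charset="utf-8"

Hi Jane, your statement is attached.
"""


def domain_of(value):
    """Lower-cased domain of an address or Message-ID ('' if there is none)."""
    value = value.strip().strip("<>")
    return value.rpartition("@")[2].lower()


def same_org(a, b):
    """True if one domain equals or is a subdomain of the other.

    Crude on purpose: mail.example.org legitimately generates Message-IDs for
    example.org senders. No public-suffix handling, so co.uk-style domains
    need a proper library in production.
    """
    return a == b or b.endswith("." + a) or a.endswith("." + b)


def header_mismatches(raw):
    """Parse raw RFC 822 text and report header inconsistencies.

    Returns a dict keyed by check name; an empty dict means nothing looked odd.
    """
    msg = email.message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    local_part = from_addr.rpartition("@")[0]
    findings = {}

    # 1. Reply-To on a different domain than From: replies are diverted.
    reply_domain = domain_of(reply_addr)
    if reply_domain and not same_org(from_domain, reply_domain):
        findings["reply_to"] = (from_domain, reply_domain)

    # 2. Message-ID generated on a host unrelated to the sender's domain.
    msgid_domain = domain_of(msg.get("Message-ID", ""))
    if msgid_domain and not same_org(from_domain, msgid_domain):
        findings["message_id"] = (from_domain, msgid_domain)

    # 3. Display name sharing nothing with the mailbox name ('Emma' vs 'Liam').
    if display and local_part:
        name_tokens = display.lower().split()
        if not any(tok in local_part.lower() for tok in name_tokens):
            findings["display_name"] = (display, local_part)

    # 4. Recipient given as a bare address: the sender does not know our name.
    to_name, _ = parseaddr(msg.get("To", ""))
    if not to_name:
        findings["to_has_no_name"] = msg.get("To", "")

    return findings


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, header_mismatches(raw))
```

None of these checks is proof on its own: mailing-list software and ticketing systems set Reply-To legitimately, and outsourced mail senders generate Message-IDs on their own hosts. Their value is in combination with the content oddities noted above, which is how a human triager (or a spam filter) should weigh them.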

What is the payload?


We know that the download link was a big green arrow - an image. Looking through the HTML code behind the email, we find the image: it is wrapped in a link to an Internet URL, and clicking on it would download a file called "instructions.zip". Zip files can hide malicious scripts from a target with very weak security scanning. Most reputable anti-malware scanners have the ability to interrogate the contents of zip files (although a password-protected archive defeats that, which is why some campaigns put the password in the email body). This tactic is either counting on one or more victims having no protection, or having the option to scan zip files turned off to prevent a drain on resources.
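Finding that link is the same job every time: walk the HTML, collect every image that sits inside an anchor, and flag anchors whose target path ends in an archive or script extension. The Python below is an added example, not code from the post, and it runs on a constructed HTML body that mimics the layout described above; the file name "instructions.zip" is the one the post reports, the hosts are placeholders, and the extension list is an assumption about what typically carries a first-stage payload.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Constructed HTML body standing in for the one in the post. The file name
# "instructions.zip" is the one the post reports; the hosts are placeholders.
SAMPLE_HTML = """\
<html><body>
<p>Please find the breakdown of payment delays below.</p>
<a href="http://download.example/files/instructions.zip">
  <img src="http://download.example/img/green-arrow.png" alt="" width="120">
</a>
<p>Reserve Bank of Australia</p>
<a href="https://www.example.org/"><img src="https://www.example.org/logo.png" alt="Logo"></a>
<a href="https://www.example.org/help.html">Help</a>
</body></html>
"""

# Extensions that commonly carry a script or executable first stage (assumed
# list; extend it to match what your own mail gateway blocks).
RISKY_EXTENSIONS = {".zip", ".rar", ".7z", ".iso", ".img", ".js", ".jse",
                    ".vbs", ".wsf", ".hta", ".exe", ".scr", ".lnk", ".msi"}


class ImageLinkFinder(HTMLParser):
    """Collect every <img> that sits inside an <a href=...>."""

    def __init__(self):
        super().__init__()
        self._href = None          # href of the anchor we are currently inside
        self.image_links = []      # (href, img_src, img_alt)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href")
        elif tag == "img" and self._href:
            self.image_links.append(
                (self._href, attrs.get("src", ""), attrs.get("alt", "")))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def risky_image_links(html):
    """Return image-wrapped links whose target looks like a downloadable payload.

    Only the URL path is inspected; nothing is fetched. Pulling the file down
    for analysis belongs in a sandbox, not in a triage script.
    """
    parser = ImageLinkFinder()
    parser.feed(html)
    parser.close()
    hits = []
    for href, src, alt in parser.image_links:
        url = urlparse(href)
        ext = posixpath.splitext(url.path)[1].lower()
        if ext in RISKY_EXTENSIONS:
            hits.append({
                "href": href,
                "host": url.hostname,
                "filename": posixpath.basename(url.path),
                "image": src,
                "alt": alt,   # an empty alt is typical: there is no text to hover over
            })
    return hits


if __name__ == "__main__":
    for hit in risky_image_links(SAMPLE_HTML):
        print(hit)
```

The extension check is only the cheap first cut; a link that ends in a harmless-looking path can still redirect to an archive, so the host and the redirect chain are the next things to look at, from an isolated machine.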

If this is so amateur, why bother writing about it?

Yes, this scam is amateur. If my assertion that this is a small group of 'script-kiddies' is true, then this post may actually help them to do a better job next time. So why write it? As much as I have slammed the childish nature of this scam, it did not get picked up by the Gmail scanners. I did not find it in my Spam folder - it was in my Inbox. Sometimes the tools that we rely upon to protect us are so finely tuned to find high-grade professional scams that they miss the juvenile ones.

Be alert. Use the best protection that you can reasonably afford to help you, but do not rely upon it entirely. Always ask questions for yourself. #ASKOUTLOUD
