To kick off our scam of the week series I'm going to start with a scam email that was delivered to me this morning. Let's start by taking a look at the message as it appeared in my inbox.
Looking at the subject line I see that the email appears to be from Australiawideit Support - it's apparent that the sender has generated this subject line based on our email domain of australiawideit.com.au.
This message has an attachment that looks kind of like a voicemail message and the message content backs that up.
Now let's take a look at some of the strategies that this message uses to try to convince the reader that it is legitimate-
- The subject line contains our domain name
- They have embedded the Microsoft logo - presumably to try and convince the reader that the message originates from Microsoft
- The email is addressed to me, using my proper first name
- There are no major grammatical problems
- The footer of the email where it says "This email was sent to firstname.lastname@example.org" is a common feature of legitimate emails sent by automated systems
So how can we tell that this is a scam?
- The first and most important piece of information is that we do not have any kind of voicemail system set up with Microsoft. In our case we do actually have an email to voicemail system, but the messages which that system produces look nothing like this.
- The next big clue is the attachment. This attachment ends with .htm which is the same format that web sites use to display pages. If it were a real voicemail I'd expect the file to be a .wav, .mp3 or some other familiar audio format.
- The message says I missed a call from +61 (835) 835-3088. The +61 at the start is the international prefix for Australia, but the rest of the number formatting is not consistent with an Australian phone number.
- The message sign-off says "Regards, Australiawideit Admin" - clearly an auto-generated piece of text; the same goes for the "Organization: Australiawideit". I'm willing to give a pass to the American spelling of 'Organization' given that they are trying to convince me this message is from Microsoft, an American company.
Certainly any one of these clues is enough for me to know that this message is a scam.
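The clues above can be turned into simple mail-filter heuristics. The following is an added example, not code from the original post: it checks a constructed message (modelled on the one described above, with placeholder addresses) for a sender display name lifted from the recipient's own domain, a "voicemail" lure whose attachment is a web page rather than an audio file, and a +61 number that does not fit the Australian numbering format (a single digit 2, 3, 4, 7 or 8 followed by eight more digits). The extension lists and the phone regex are assumptions for the example.

```python
import os
import re

# Constructed sample modelled on the message described in the post; the
# addresses are placeholders, not the real headers.
SAMPLE_HEADERS = {
    "From": "Australiawideit Support <noreply@example.invalid>",
    "To": "firstname.lastname@australiawideit.com.au",
    "Subject": "Australiawideit Support: New voicemail received",
}
SAMPLE_BODY = (
    "You missed a call from +61 (835) 835-3088. Play the attached voicemail.\n"
    "Regards, Australiawideit Admin\n"
    "Organization: Australiawideit\n"
)
SAMPLE_ATTACHMENTS = ["Voicemail_3088.htm"]

# Assumed lists: what a voicemail notification should and should not carry.
AUDIO_EXTENSIONS = {".wav", ".mp3", ".m4a", ".ogg", ".amr"}
WEB_EXTENSIONS = {".htm", ".html", ".shtml"}

# After removing spaces, brackets and hyphens, an Australian number in
# international form is +61, one leading digit (2, 3, 4, 7 or 8), then 8 digits.
AU_NUMBER = re.compile(r"^\+61[2-478]\d{8}$")
# Loose pattern to pull any +61-prefixed number out of free text.
PHONE_IN_TEXT = re.compile(r"\+61[\d\s()\-]{8,20}")


def display_name_mirrors_recipient_domain(from_header, to_header):
    """True when the sender's display name is just the recipient's domain label."""
    recipient_domain = to_header.rsplit("@", 1)[-1].lower()
    domain_label = recipient_domain.split(".")[0]
    display_name = from_header.split("<", 1)[0].strip().lower()
    return bool(domain_label) and display_name.startswith(domain_label)


def voicemail_lure_with_web_attachment(body, attachments):
    """Return the attachments that are web pages when the body promises a voicemail."""
    if "voicemail" not in body.lower():
        return []
    return [a for a in attachments
            if os.path.splitext(a)[1].lower() in WEB_EXTENSIONS]


def malformed_au_numbers(body):
    """Return +61 numbers in the text that do not normalise to a valid AU number."""
    found = []
    for match in PHONE_IN_TEXT.finditer(body):
        raw = match.group(0).strip()
        normalised = re.sub(r"[\s()\-]", "", raw)
        if not AU_NUMBER.match(normalised):
            found.append(raw)
    return found


def scam_indicators(headers, body, attachments):
    """Collect human-readable findings; an empty list means no heuristic fired."""
    findings = []
    if display_name_mirrors_recipient_domain(headers["From"], headers["To"]):
        findings.append("sender display name is derived from the recipient's domain")
    web_pages = voicemail_lure_with_web_attachment(body, attachments)
    if web_pages:
        findings.append("voicemail lure but attachment is a web page: "
                        + ", ".join(web_pages))
    for number in malformed_au_numbers(body):
        findings.append("+61 number is not in Australian format: " + number)
    return findings


if __name__ == "__main__":
    for finding in scam_indicators(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print("-", finding)
```

Each heuristic on its own is weak (a legitimate internal system could also name itself after the domain), which is why the function reports every finding rather than a single verdict; the more of them that fire together, the closer the message is to the pattern dissected here.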
What are the scammers trying to achieve?
I am writing this paragraph before I have taken a look at the message attachment and I'm going to make a prediction. When I do eventually open the attachment I think I'm going to be presented with a web page that encourages me to login to something that looks like my Office 365 account thereby providing the scammers with my real Office 365 username and password. Let's see what happens....
WARNING: NEVER OPEN AN EMAIL ATTACHMENT IF YOU DON'T KNOW EXACTLY WHAT IT IS.
This is what I see when I open the attachment-
I like this, it's pretty cool and not one that I've seen before. What you can't see from this screenshot is that the little green progress bar is moving to suggest that my voicemail message is being downloaded and in the background it is trying to download and play a real audio file. The audio file that it links to is not working so I don't know what might have been in it. After about 5-10 seconds my browser window automatically refreshed and then I saw this web page-
Ahh, this is what I was expecting - a web site that looks like an exact replica of the real Office 365 sign-in page. They've even gone to the effort of pre-filling the username for me just like the real thing. Just for shits and giggles let's see what happens if I keep going.
There's not a chance I am going to give them my real email address so I've changed it to a made up one. As soon as I click the 'Next' button I am presented with the familiar password prompt-
After entering a junk password the window below appears. I don't know what would happen if I entered a real user name and password and I'm not willing to sacrifice one to find out but my guess is that the site would continue displaying the 'incorrect password' dialogue box in the hopes that I would just keep entering a bunch of different passwords for them to exploit.
What is the point?
This is the number one question I am asked, why are the scammers doing this? What could they possibly want my email address and password for?
The answer is pretty simple, money.
Every time someone falls for this scam the usernames and passwords that they provided to the scammers end up on a list which goes up for sale to the highest bidder. Each username and password combo on its own is probably only worth a few cents, maybe not even that, but if you have a big list with millions of compromised usernames and passwords the money that can be made from this can be significant.
I hope you have enjoyed this scam dissection and learned something from it. Feel free to leave a comment or suggestions for a future post below.