Do NOT Open Email Links from gcromwell@thomaskeller.com


A new malware scam is hitting email inboxes. The email sample that we have comes from an email address at thomaskeller.com (ours is specifically from gcromwell@thomaskeller.com), and claims to have received an invoice from your company. They even include your company name in the email, making it seem more legit. But it isn’t.

Here’s a sample:

(Note that we further explain this below.)

 


Here’s the actual text of the email as it would appear to you in your email reader:

From: “gcromwell@thomaskeller.com” gcromwell@thomaskeller.com
Subject: FW: Re: invoice #25304533
Date: February 1, 2017 at 8:17:58 AM MST
To: ****@theinternetpatrol.com

my company just got this from theinternetpatrol.com.
can you confirm this invoice was really issued by you?

Invoice #25304533

Thanks

George Cromwell
Senior Accountant
Tel: 443-261-2115
Fax: 443-261-5662

Again, it seems fairly innocuous. That’s the thing about social engineering – it draws you in, causing you to ignore those small details that otherwise should tip you off that something is amiss.

So who is behind this? It’s nearly impossible to tell. Information about the Thailand-based domain to which that link actually goes shows:

Domain: TIMECONSULTING.CO.TH
Registrar: T.H.NIC Co., Ltd.
Name Server: NS1.NETDESIGNHOST.COM
Name Server: NS2.NETDESIGNHOST.COM
Status: ACTIVE
Updated date: 8 Jul 2016
Created date: 8 Jun 2014
Renew date: 8 Jun 2016
Exp date: 7 Jun 2017
Domain Holder: Time Consulting Co., Ltd. (บริษัท ไทม์ คอนซัลติ้ง จำกัด)
18th Fl. Alma Link Building No. 25 , Chidlom Ploenchit Lumpini Pathumwan Bangkok
10330
TH

Tech Contact: 119647
Host Yim
91/3-4 ถ.สุวินทวงศ์ แขวง มีนบุรี เขต มีนบุรี กรุงเทพฯ
10510
TH

That’s not super-helpful for the average person (although anti-spammers and other security folks may use it to reach out to the registrar to alert them to the issue).

It’s worth noting that the actual Thomas Keller and his domain, thomaskeller.com, almost certainly have nothing to do with this, and may have no idea that their domain is being spoofed (a practice that is known as being ‘joe jobbed’).

 

It’s unknown at present whether the link will download malware (possibly making your computer part of a botnet), or ransomware (locking up your computer until you pay a ransom), but it’s clear that you should avoid clicking on that link!


7 Replies to “Do NOT Open Email Links from gcromwell@thomaskeller.com”

  1. Thanks for this information. I got several and many more so because some people at work just don’t care if they are spam or genuine mail and so click on anything that comes into their in-box. This actually opens the gates to the server and every one of us is a victim to spammers.

  2. Thanks, just got the one re Thomas Keller. It’s too bad this happens because I’m not opening links in messages even from friends and relatives.

  3. Okay, so I didn’t realise till after I clicked the link and I immediately closed the page. Nothing happened or opened up. What should I look for or expect virus-wise? Any news or confirmation on what happens after you click the link?

  4. I just got a similar, but now gcromwell@le-bernardin.com. Know enough to never click on to see attachment, but went online to le-bernardin and sent them an email alerting them that they were being used in scam. Phone # for George Cromwell/Senior Accountant is the same as the one above. Le-Bernardin is not that phone #. Have a blessed day

  5. I received similar spam from gcromwell@le-bernardin.com, which is a restaurant in New York. So they are using more than just thomaskeller.com. Beware!

  6. Thanks for posting, I received the email as well and fortunately did not open it without doing some research first.
