A new malware scam is hitting email inboxes. The email sample that we have comes from an email address at thomaskeller.com (ours is specifically from firstname.lastname@example.org), and claims to have received an invoice from your company. They even include your company name in the email, making it seem more legit. But it isn’t.
Here’s a sample:
(Note that we further explain this below.)
Here’s the actual text of the email as it would appear to you in your email reader:
From: “email@example.com” firstname.lastname@example.org
Subject: FW: Re: invoice #25304533
Date: February 1, 2017 at 8:17:58 AM MST
my company just got this from theinternetpatrol.com.
can you confirm this invoice was really issued by you?
Again, it seems fairly innocuous. That’s the thing about social engineering – it draws you in, causing you to ignore those small details that otherwise should tip you off that something is amiss.
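Two of those small details can be checked mechanically. The following is an added example, not code from the original article: it flags a From display name that shows one address while the message was sent from another, and a link whose visible text names one host while its target is a different one. The sample message, all addresses and URLs in it, and the function name red_flags are constructed placeholders, and the link-text check assumes the scam link displayed a different host than the one it pointed to.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modeled on the email above; all addresses and URLs are placeholders.
SAMPLE = """\
From: "billing@customer.example" <someone@spoofed-sender.example>
To: accounts@yourcompany.example
Subject: FW: Re: invoice #25304533
Content-Type: text/html

<p>my company just got this from yourcompany.example.</p>
<p>can you confirm this invoice was really issued by you?</p>
<a href="http://unrelated-host.example/inv.php">yourcompany.example/invoice-25304533</a>
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)

def red_flags(raw):
    """Return (code, detail) tuples for header and link mismatches in one message."""
    msg = message_from_string(raw)
    flags = []
    # 1. Display name that is itself an email address, but not the real sender.
    display, addr = parseaddr(msg.get("From", ""))
    shown = ADDR_RE.search(display)
    if shown and shown.group(0).lower() != addr.lower():
        flags.append(("from-display-mismatch", f"shows {shown.group(0)}, sent as {addr}"))
    # 2. Link whose visible text names one host while the href goes to another.
    body = msg.get_payload()
    if isinstance(body, str):  # single-part messages only, to keep the example short
        for href, text in LINK_RE.findall(body):
            real = (urlparse(href).hostname or "").lower()
            named = HOST_RE.search(text)
            if not named:
                continue
            claimed = named.group(1).lower()
            if real != claimed and not real.endswith("." + claimed):
                flags.append(("link-text-mismatch", f"text says {claimed}, href is {real}"))
    return flags

if __name__ == "__main__":
    for code, detail in red_flags(SAMPLE):
        print(code, "-", detail)
```

Neither check proves a message is malicious; each one is a reason to look at the raw headers and the real link target before doing anything else with the email.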
So who is behind this? It’s nearly impossible to tell. Information about the Thailand-based domain to which that link actually goes shows:
Registrar: T.H.NIC Co., Ltd.
Name Server: NS1.NETDESIGNHOST.COM
Name Server: NS2.NETDESIGNHOST.COM
Updated date: 8 Jul 2016
Created date: 8 Jun 2014
Renew date: 8 Jun 2016
Exp date: 7 Jun 2017
Domain Holder: Time Consulting Co., Ltd. (บริษัท ไทม์ คอนซัลติ้ง จำกัด)
18th Fl. Alma Link Building No. 25 , Chidlom Ploenchit Lumpini Pathumwan Bangkok
Tech Contact: 119647
91/3-4 ถ.สุวินทวงศ์ แขวง มีนบุรี เขต มีนบุรี กรุงเทพฯ
That’s not super-helpful for the average person (although anti-spammers and other security folks may use it to reach out to the registrar to alert them to the issue).
It’s worth noting that the actual Thomas Keller and his domain, thomaskeller.com, almost certainly have nothing to do with this, and may have no idea that their domain is being spoofed (a practice known as being ‘joe jobbed’).
It’s unknown at present whether the link will download malware (possibly making your computer part of a botnet), or ransomware (locking up your computer until you pay a ransom), but it’s clear that you should avoid clicking on that link!