A new malware scam is hitting email inboxes. The email sample that we have comes from an email address at thomaskeller.com (ours is specifically from email@example.com), and claims to have received an invoice from your company. They even include your company name in the email, making it seem more legit. But it isn’t.
Here’s a sample (the screenshot is not reproduced here; we explain the email further below).
Here’s the actual text of the email as it would appear to you in your email reader:
From: “firstname.lastname@example.org” email@example.com
Subject: FW: Re: invoice #25304533
Date: February 1, 2017 at 8:17:58 AM MST
my company just got this from theinternetpatrol.com.
can you confirm this invoice was really issued by you?
Again, it seems fairly innocuous. That’s the thing about social engineering – it draws you in, causing you to ignore those small details that otherwise should tip you off that something is amiss.
So who is behind this? It’s nearly impossible to tell. Information about the Thailand-based domain to which that link actually goes shows:
Registrar: T.H.NIC Co., Ltd.
Name Server: NS1.NETDESIGNHOST.COM
Name Server: NS2.NETDESIGNHOST.COM
Updated date: 8 Jul 2016
Created date: 8 Jun 2014
Renew date: 8 Jun 2016
Exp date: 7 Jun 2017
Domain Holder: Time Consulting Co., Ltd. (บริษัท ไทม์ คอนซัลติ้ง จำกัด)
18th Fl. Alma Link Building No. 25 , Chidlom Ploenchit Lumpini Pathumwan Bangkok
Tech Contact: 119647
91/3-4 ถ.สุวินทวงศ์ แขวง มีนบุรี เขต มีนบุรี กรุงเทพฯ
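As an added example (not part of the original article), here is a small Python parser for the registry record quoted above. It turns the “Key: value” lines into a dictionary, parses the dates, and computes what a responder usually checks first: how old the domain was when the email arrived and how close it was to expiring. The 30-day “newly registered” threshold is an assumed heuristic, not something the registry data states.

```python
import re
from datetime import date, datetime

# Constructed copy of the registry record quoted in the article (values as printed there).
WHOIS_RECORD = """\
Registrar: T.H.NIC Co., Ltd.
Name Server: NS1.NETDESIGNHOST.COM
Name Server: NS2.NETDESIGNHOST.COM
Updated date: 8 Jul 2016
Created date: 8 Jun 2014
Renew date: 8 Jun 2016
Exp date: 7 Jun 2017
Domain Holder: Time Consulting Co., Ltd. (บริษัท ไทม์ คอนซัลติ้ง จำกัด)
18th Fl. Alma Link Building No. 25 , Chidlom Ploenchit Lumpini Pathumwan Bangkok
Tech Contact: 119647
"""

DATE_FIELDS = ("Updated date", "Created date", "Renew date", "Exp date")


def parse_whois(text):
    """Parse 'Key: value' lines into a dict. Repeated keys (the name servers)
    become lists, date fields become datetime.date, and address lines without
    a 'Key:' prefix are skipped."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key in DATE_FIELDS:
            value = datetime.strptime(value, "%d %b %Y").date()
        if key in record:  # second occurrence -> promote to a list
            prev = record[key]
            record[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            record[key] = value
    return record


def triage(record, seen_on):
    """Summarise the record for the date the email was received (ISO string):
    domain age, a newly-registered flag (assumed 30-day threshold), days left
    before expiry, and the registrar/name servers an abuse report would go to."""
    seen = date.fromisoformat(seen_on)
    age_days = (seen - record["Created date"]).days
    return {
        "age_days": age_days,
        "newly_registered": age_days < 30,
        "days_to_expiry": (record["Exp date"] - seen).days,
        "registrar": record["Registrar"],
        "name_servers": record.get("Name Server", []),
    }


if __name__ == "__main__":
    print(triage(parse_whois(WHOIS_RECORD), "2017-02-01"))  # date of the sample email
```

For this record the domain was about two and a half years old when the email arrived, so a domain-age heuristic alone would not have flagged it.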
That’s not super-helpful for the average person (although anti-spammers and other security folks may use it to reach out to the registrar to alert them to the issue).
It’s worth noting that the actual Thomas Keller and his domain thomaskeller.com almost certainly have nothing to do with this, and may have no idea that their domain is being spoofed (a practice known as being ‘joe jobbed’).
It’s unknown at present whether the link will download malware (possibly making your computer part of a botnet), or ransomware (locking up your computer until you pay a ransom), but it’s clear that you should avoid clicking on that link!