Do NOT Open Email Links from gcromwell@thomaskeller.com


A new malware scam is hitting email inboxes. The sample we received comes from an address at thomaskeller.com (ours is specifically from gcromwell@thomaskeller.com) and claims that the sender's company has received an invoice from your company. The email even includes your company name (in our sample, simply the domain of the address being spammed), which makes it look more legitimate. It isn't: the "invoice" is nothing but a link to an unrelated site.

Here’s a sample:

(Note that we further explain this below.)

[Screenshot: the George Cromwell / Thomas Keller scam email]

Here’s the actual text of the email as it would appear to you in your email reader:

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link

From: "gcromwell@thomaskeller.com" <gcromwell@thomaskeller.com>
Subject: FW: Re: invoice #25304533
Date: February 1, 2017 at 8:17:58 AM MST
To: ****@theinternetpatrol.com

my company just got this from theinternetpatrol.com.
can you confirm this invoice was really issued by you?

Invoice #25304533

Thanks

George Cromwell
Senior Accountant
Tel: 443-261-2115
Fax: 443-261-5662

Again, it seems fairly innocuous. That's the thing about social engineering: it draws you in and gets you to overlook the small details that should tip you off that something is amiss. Here those details include a "forwarded" invoice from someone who has never corresponded with you, a message whose only substance is an invoice number, and the fact that the "Invoice #25304533" line is a hyperlink that goes nowhere near the sender's domain.

So who is behind this? It's nearly impossible to tell. The link does not go to thomaskeller.com at all; it goes to a Thailand-based domain, TIMECONSULTING.CO.TH, whose registration (WHOIS) record shows:

Domain: TIMECONSULTING.CO.TH
Registrar: T.H.NIC Co., Ltd.
Name Server: NS1.NETDESIGNHOST.COM
Name Server: NS2.NETDESIGNHOST.COM
Status: ACTIVE
Updated date: 8 Jul 2016
Created date: 8 Jun 2014
Renew date: 8 Jun 2016
Exp date: 7 Jun 2017
Domain Holder: Time Consulting Co., Ltd. (บริษัท ไทม์ คอนซัลติ้ง จำกัด)
18th Fl. Alma Link Building No. 25 , Chidlom Ploenchit Lumpini Pathumwan Bangkok
10330
TH

Tech Contact: 119647
Host Yim
91/3-4 Suwinthawong Road, Min Buri Subdistrict, Min Buri District, Bangkok
10510
TH

That's not especially helpful for the average person, although anti-spam and security folks can use it to alert the registrar (T.H.NIC Co., Ltd.) and the hosting provider (the name servers belong to NETDESIGNHOST.COM) that the domain is serving a malicious link.

It's worth noting that the actual Thomas Keller and his domain, thomaskeller.com, almost certainly have nothing to do with this, and may have no idea that their domain is being spoofed (a practice known as being "joe jobbed"). The From: line of an email is just text that the sender fills in; nothing stops a spammer from putting thomaskeller.com there. Only if the domain owner publishes SPF, DKIM and DMARC records, and the receiving mail server enforces them, will such a forgery be rejected or flagged before it reaches your inbox.

It's unknown at present whether the link will download malware (possibly making your computer part of a botnet) or ransomware (locking up your computer until you pay a ransom), but it's clear that you should not click on it. If you want to know where a link in an email really goes, hover over it or view the message source rather than clicking.
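Two of the tells described above, a From: domain that nobody has vouched for and a link whose real destination is an unrelated domain, can be checked automatically when triaging a suspicious message. The following Python script is an added example written for this article; it is not code from The Internet Patrol. It parses a constructed .eml modelled on the message above: the Authentication-Results header, the HTML markup and the URL path are assumptions for illustration, while the sender, subject, body text and the link's domain (timeconsulting.co.th) are taken from the article.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the headers and body shown in the article.
# The Authentication-Results line, the HTML markup and the URL path are
# assumptions; only the sender, subject, body text and the link's domain
# (timeconsulting.co.th) come from the article.
SAMPLE_EML = b"""\
From: "gcromwell@thomaskeller.com" <gcromwell@thomaskeller.com>
To: someone@theinternetpatrol.com
Subject: FW: Re: invoice #25304533
Date: Wed, 1 Feb 2017 08:17:58 -0700
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=thomaskeller.com; dkim=none; dmarc=fail header.from=thomaskeller.com
Content-Type: text/html; charset="utf-8"

<html><body>
<p>my company just got this from theinternetpatrol.com.<br>
can you confirm this invoice was really issued by you?</p>
<p><a href="http://timeconsulting.co.th/invoice">Invoice #25304533</a></p>
<p>Thanks<br>George Cromwell<br>Senior Accountant</p>
</body></html>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def from_domain(msg):
    """Domain of the (easily forged) From: header, lower-cased."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """spf/dkim/dmarc verdicts recorded by the receiving server, if any."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(hdr)):
            results.setdefault(mech, verdict.lower())
    return results


def triage(raw_eml):
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    sender = from_domain(msg)
    auth = auth_results(msg)
    findings = []

    # 1. A joe job: the From: domain is claimed, not proven. Anything short
    #    of spf/dkim/dmarc=pass means the claimed domain did not vouch for it.
    for mech in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mech, "missing")
        if verdict != "pass":
            findings.append(f"{mech}={verdict} for claimed sender domain {sender}")

    # 2. The lure: links whose real host is not under the sender's domain.
    body = msg.get_body(preferencelist=("html",))
    links = []
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        links = collector.links
    for href, text in links:
        host = (urlparse(href).hostname or "").lower()
        if host and host != sender and not host.endswith("." + sender):
            findings.append(f"link {text!r} really goes to {host}, not {sender}")

    return {"sender_domain": sender, "auth": auth, "links": links, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print(line)
```

To run it against a real message, save the email as a .eml file and call `triage(open("msg.eml", "rb").read())`. Two caveats: a spammer's own domain can pass SPF, DKIM and DMARC perfectly well, so a pass proves only that the claimed domain authorised the mail, and it is the link-host check that catches this particular invoice lure; and the Authentication-Results header is only trustworthy when it was added by your own receiving server, since anything upstream can be forged along with the rest of the headers.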


7 thoughts on “Do NOT Open Email Links from gcromwell@thomaskeller.com”

  1. Thanks for this information. I got several, and many more so because some people at work just don't care if they are spam or genuine mail and so click on anything that comes into their in-box. This actually opens the gates to the server and every one of us is a victim of spammers.

  2. Thanks, just got the one re Thomas Keller. It’s too bad this happens because I’m not opening links in messages even from friends and relatives.

  3. Okay, so I didn't realise till after I clicked the link, and I immediately closed the page. Nothing happened or opened up. What should I look for or expect virus-wise? Any news or confirmation on what happens after you click the link?

  4. I just got a similar one, but now from gcromwell@le-bernardin.com. Know enough to never click on it to see the attachment, but went online to le-bernardin and sent them an email alerting them that they were being used in a scam. Phone # for George Cromwell/Senior Accountant is the same as the one above. Le-Bernardin is not that phone #. Have a blessed day.

  5. I received similar spam from gcromwell@le-bernardin.com, which is a restaurant in New York. So they are using more than just thomaskeller.com. Beware!

  6. Thanks for posting. I received the email as well and fortunately did not open it without doing some research first.
