I have received two emails this week from different senders that I have never met. Both were cleverly worded to deceive me into clicking on a malicious link that would launch code and infect my computer. Luckily, I didn’t click on the link as both emails were suspicious on the surface. I wanted to share an example of both emails with you so that you can be aware of what to look for and to educate your team so that we can prevent any compromise to security. Actual sender name and email account removed for privacy.
Subject: RE:RE: Invoice #721052 from derek anderson
Body (curse words removed):
derek anderson **** you , we wont pay ****.
On Thu, Nov 17, 2016 at 4:27 PM, firstname.lastname@example.org wrote:
Here’s the bill… I’m waiting for the payment
Bill # 721052 (malicious link removed)
As you can see, this email was designed to look like the sender is responding to a bill payment request sent by me. The email was all text and not in the format of a typical reply email.
How did I know this was spam?
1. I did not recognize the sender
2. The invoice sequence does not match the sequence we use
3. If I did send an invoice, it would say it came from Biztek Solutions not derek anderson
Subject: RE:RE: phone for derek anderson
derek anderson I tried to call the number on the business card you sent me.
Are you sure your number is correct, because the call didn’t go through.
On Mon, Nov 21, 2016 at 2:14 PM, email@example.com wrote:
Here’s my business card , give me a call about the contract.
derek anderson Business Card (malicious link removed)
Again, this email was designed to look like a response to an email I sent. It followed the same format as the invoice email. I knew this was spam because, again, I did not recognize the sender and I had previously received the other email.
Both emails were designed to entice me to click on the link at the bottom, one for an invoice and one for a business card. The links in both emails went to different infected websites, but both would have produced the same result, infecting my machine with a Cryptowall like virus that would encrypt and lockout my files and hold them at ransom until I pay up.
Here is one of the actual links for example but DO NOT CLICK ON IT! Hover your mouse over the link WITHOUT clicking on it to see the website it wants to take you to, and you will see it is not a recognizable site: derek anderson Business Card. Use this tip of hovering your mouse over the link to verify the destination of links you click. This will work in emails and web pages.
How Did This Happen and Why Did I Receive These Emails?
The sender’s email accounts were compromised in some way, likely by viruses on their computers. Both sender’s email domains were not configured with proper anti-spam security called an SPF record. The SPF record only allows email to be sent from specific servers which prevents hackers from simply using your email address and sending from any email server. Had these senders had an SPF record on their domain, the hackers would not have been able to send email using their account. I received the emails because my name and email address were likely stolen from another company website or database, likely from a website that I entered my name and email address and then a hacker gained access to that site’s database. Unfortunately, these things happen all the time. While there is not much I can do to prevent receiving these emails if a website I entered my information in was compromised, we do protect our domain and client’s domains with SPF records to prevent emails like this being sent out to unsuspecting recipients.
I urge you to always be aware and suspicious of emails that you receive to prevent infection of your system. Remember, malicious emails can come from someone you know, so if there is something suspicious about the email, call the sender to verify they actually sent the email or forward the email to firstname.lastname@example.org for us to inspect it.