A very Russian scam

If you got an unsolicited email asking for your employees’ personal details, would you respond? Hopefully, you’d have enough sense not to. But what if the email promised some sort of benefit for your employees? This is what one of the most recent Russian mass mailings has been doing.

The messages supposedly come from a government department, and promise medals ‘for outstanding work’ to those nominated by their organizations. They lay particular stress on these medals being awarded to veterans of the Second World War and other military conflicts. Additionally, the messages promise that a note will be made of the award in the recipient’s ‘work book’. (This is a passport-sized book which the employee has to provide to an employer. It acts as an official record of employment, and the lack of a work book or a negative record can affect employment prospects.)

In addition to the message itself, there’s a form to fill in, which asks for the nominee’s personal details: name, date and place of birth, address, place of work, etc.

A quick bit of research shows that the message is a fake – the addresses, phone numbers and email addresses aren’t connected to any government department, and the legal jargon references points of law which don’t actually exist. But if you’re a busy employer, and think that by filling in the form your older employees might benefit, you’re probably not going to bother to do any research. Exactly what the scammers are counting on.

Spam designed to help the bad guys get their hands on personal data is nothing new. What’s interesting about this mass mailing is that it’s very clearly targeting pensioners’ details. My best guess is these details will then be used by the scammers to trick vulnerable older people out of their homes. Sadly, this is all too common in Russia – for instance, several workers in the social care sector in Vladivostok were recently convicted of getting pensioners to sign over their property under false pretences.
