Tech support scammers are again stooping low with their email campaigns. This particular one hints that one of your contacts may have met an untimely end.
It all starts with an email titled “Sad announcement” followed by a full name of someone you know. The email may appear to come from the person themselves.
A co-worker who received such an email pointed it out to our team. Looking around, I found the first report about such an email in a tweet dating back to February 5, 2024.
With some more information about what I was looking for, I managed to find several more.
There is a great deal of variation between the emails, but we do have enough samples to show you a pattern which looks like this:
Subject: Sad announcement:
Sometimes the colon is replaced by the word “from”.
Then a short sentence to pique the reader’s curiosity, which often references photos. Here are some examples:
“When you open them you will see why I actually wanted to share them with you today”
“Never thought I would want to share these images with you, anyways here they are”
“I’m presuming you should remember these two ladies, in that photo”
“When I was looking through some old folders I found these 3 pics”
“it wasn’t initially my plan, but I had to change my mind about it”
“Two pictures that I wanted to share with you. They’re likely to bring a flood of memories to you, as they did to me…”
“Probably should have contacted you a little bit earlier. Anyways just wanted to keep you updated”
This is then immediately followed by a link. These also follow a certain pattern:
gjsqr.hytsiysx.com
tmdlod.vdicedohf.com
gtfhq.rmldxkff.com
pdbh.ramahteen.com
owwiu.dexfyerd.com
roix.unrgagceso.com
yrlbi.vohdsniuz.com
uqjk.mbafwnds.com
vjdbd.hhesdeh.com
mbjzo.enexoo.com
These domains are all registered with NameCheap and are only active for a few days.
To close the emails off, the scammers end with a quote in the format:
“You do not find the happy life. You make it.” – Camilla Eyring Kimball
The sender addresses are spoofed to look like they were coming from family or friends of the target. The actual sender addresses are compromised accounts from all over the world.
The campaign looks to have targeted mainly the US, but I also found some located in Ireland and the UK and some odd ones in India and Italy.
So, the question is, what are they after? The short-lived domains really made it hard for me to figure that out. It took me quite a bit to find a domain that was still active, but then I knew soon enough what the end-goal of the spammers was.
A short chain of redirects sent me to https://niceandsafetystore0990.blob.core.windows[.]net/niceandsafetystore0990/index.html which is now blocked by Malwarebytes Browser Guard.
The blob.core.windows.net subdomains are unique identifiers for Azure Blob Storage accounts. They follow this format:
Where windows.net part of the domain makes them look trustworthy.
The website itself probably looks familiar to a lot of readers: A fake online Windows Defender scan.
The fake Windows Defender site shows that your system is infected with loads of threats.
Funny enough the site claims to be Windows Defender, but uses Malwarebytes’ detection names. For example: Microsoft does not detect the Potentially Unwanted Program which Malwarebytes detects as PUP.Optional.RelevantKnowledge.
Anyway, the website quickly takes up the entire screen, so you have to click or hold (depending on your browser) the ESC button to get back the controls that allow you to close the website.
Now that you have seen the patterns in the email, we hope that you will refrain from clicking the links. The redirect chain can be changed and may be different for your location and type of system. So, there may be more serious consequences than an annoying website.
How to avoid the “sad announcement” scam
- Always compare the actual sender address with the email address this person would normally use to send you an email.
- Never click on link in an unsolicited email before checking with the sender.
- Don’t call the phone numbers displayed on the website, because they will try to defraud you.
- If in doubt, contact your friend via another, trusted method
If your browser or mobile device “locks up”, meaning you’re no longer able to navigate away from a virus warning, you’re likely looking at a tech support scam. If something claims to show the files and folders from inside of your browser, this is another signal that you’re on a fake page. Close the browser if possible or restart your device if this doesn’t work.
Despite the occasional arrests and FTC fines for tech support scammers and their henchmen, there are still plenty of cybercriminals active in this field. Scams range from unsolicited calls offering help with your “infected” computer to fully-fledged websites where you can purchase heavily over-priced versions of legitimate security software.
Unfortunately for some people these warnings may have come too late. So what should you do if you have fallen victim to a tech support scam? Here are a few pointers:
- Have you already paid? Contact your credit card company or bank and let them know what’s happened. You may also need to file a complaint with the FTC or contact your local law enforcement agency, depending on your region.
- If you’ve shared your password with a scammer, change it on every account that uses this password. Consider using a password manager and enable 2FA for important accounts.
- Scan your device. If scammers have had access to your system, they may have planted a backdoor so they can revisit whenever they feel like it. Malwarebytes can remove backdoors and other software left behind by scammers.
- Keep an eye out for unexpected payments. Be on the lookout for suspicious charges/payments on your credit cards and bank accounts so you can revert and stop them.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.