419 Scams

Email is still an integral component of communication in today’s connected world and many fraudsters still exploit it extensively. So-called 419 scams are fraudulent emails requesting money that appear to be from reputable sources – as indicated below. Previously these fraudsters could reasonably easily be identified by their poor syntax and spelling errors in such emails but they have upped their game in recent years and improved their use of the languages employed.

In the above attempt, the subject and content of the email would cause most people to be concerned and respond. Everyone knows not to mess with the government and associated departments. On closer inspection though, the sender is using a Gmail account and the given contact information is for someone using a Yahoo account. These are both identifying signs of the scam. By now, most should know that reputable companies utilise their company name in the email address. For example, someone working for SARS will use an @sars.gov.za email account for business emails, never Yahoo or Gmail. The same applies to almost every other recognisable business. In some cases an alias is used for the mail address of the sender so it may look like it comes from, say, joebloggs@genuinecompany.com but clicking on reply to the mail in your mail programme (without actually sending a reply) usually reveals the genuine e-mail address which will then be very different. This scam uses emotion to scare the recipient into paying a fraudster for nothing. Once a payment is made in error, one can forget about ever getting a refund or finding the culprit as it then becomes extremely difficult to track. The culprits typically impersonate different institutions and vary the wording in these fraudulent emails, but the motive remains the same.

Credential Phishing

These types of attacks generally also involve the use of emails but are not limited to this method. Typically, a cleverly worded scheme is used that requests that the user navigate to a link and enter their credentials. In the two examples below, the scammer makes the user believe that the credentials are required to proceed.

Example 1:

 

The Phisher in the above case is asking outright for the victim’s credentials in order to steal their identity. One should never respond to these emails and simply delete them.

Example 2:

In this particular case, the email came from a Gmail account and is advising a business/private email user that their mailbox is filling up. This is immediately suspicious. The email also did not contain any related information, such as the company name, email address, service provider etc and one should never click on the links given. Analysing the link reveals that it connects to multiple locations with malicious files waiting to be activated and or downloaded. In most cases, this type of attack will use the stolen credentials to access the associated contact list and then spam them for their credentials as well. In a worst-case scenario, all the associated accounts are compromised.

Example 3:

Credential phishing schemes are not limited to business accounts. In this example, Facebook Messenger is the platform used for distribution. Here, a Facebook user was sent a link to what looks like a YouTube video with the title ‘it’s you? :o’, as shown below.

 

The link visible at the bottom of the message makes no reference to YouTube which should already raise alarm-bells and the main link in the message navigates to another page on the user’s account with yet another suspicious link. Unfortunately, the user in this case unknowingly clicked on this link and had their account hacked followed by all their contacts spammed.

 

 

Malicious Document Attachments

In these cases an attachment is received from an unknown source. Such attachments tend to circulate frequently and may look perfectly safe to open, but are not.

For example:

In the above screenshot, the PDF document is seen launching Internet Explorer, which is especially susceptable to exploitation, and it then accesses malicious resources over the internet, as indicated in the analysis of the exploit that was sandboxed (i.e. isolated in a safe environment for testing purposes) to determine what actions it took.

Files like these take full advantage of legitimate programs to run exploits on unprotected systems. Without up-to-date anti-malware and software patches, the affected system would be completely compromised without the user’s knowledge. Once compromised, the hacker can then remain in the system, monitoring any transactions that may take place.