Pandemic Compensation Used as Lure to Steal Numerous Types of Data


Scammers are using pandemic compensation as a lure to steal close to a dozen different types of data from their victims.

At the beginning of July, AppRiver spotted an attack email that claimed to originate from the World Health Organization (WHO).

The email arrived with the subject line “pandemic grant compensation.” It used this premise to inform the recipient that they had supposedly won a lottery connected to Microsoft as a means of providing financial assistance to individuals affected by coronavirus 2019 (COVID-19). Specifically, the email told them that they had won 900,050 pounds sterling (worth about 1.13 million USD at the time of writing).

At that point, the email explained that a recipient could claim their prize by submitting some pieces of personal information to Microsoft as a means of verifying themselves.

So Much Wrong… So Little Time…

Let’s look at the most glaring errors that these email fraudsters made in their campaign.

To start, the email is inconsistent about which organization is sending it. The message claimed to originate from the World Health Organization with the email address “whoconvid19grantsclaims@gmail[dot]com.” (It’s important here to note that employees of the specialized United Nations agency don’t use Gmail accounts to conduct official WHO business. Their email addresses almost certainly use the “@who.int” format, as gleaned from visiting the health organization’s […].)

Despite this WHO mask, the email listed “msfoundation4convid19@webmail[dot]co[dot]za” as its reply-to email, and it asked that all recipients send their information there. That’s a bizarre request considering the fact that the email lists Microsoft’s physical address in Washington at the beginning of its text. The attack email made no mention of South Africa, the owner of the country code top-level domain “.za.”

Speaking of that physical address, the email printed a fax number “086 667 2070” in connection with Microsoft’s Redmond location. The number is unlikely to be associated with the Redmond-based tech giant, as it is associated with the Country Calling Code for China.

So, whom were the attackers impersonating in their alleged Microsoft email?

They claimed that the email had originated from Paul Allen, an official at the “Microsoft /MSN Corporation.” A quick search on Google confirmed that Paul Gardner Allen was an American businessman who had indeed been involved with Microsoft. He had co-founded Microsoft with his childhood friend Bill Gates in 1975. But Allen then left the company in 1983. Even more than that, Allen passed away in 2018, so there’s no way that he would be the one sending out these emails.

The Microsoft /MSN Lottery Nomination

The attack email was unclear in exactly how the recipient came to allegedly win the pandemic grant compensation.

After addressing the recipient as “Microsoft Nominee” (it’s clear that those responsible for this campaign were using spray-and-pray tactics and knew nothing about their recipients), the attackers began their email with the following sentence: “We acknowledged receipt of your mail and the contents noted.” This sentence would imply that the recipient knew that they were applying for something and had submitted materials to that effect.

But just a few paragraphs later, the email explained that “you might be confused about how you were nominated or if actually this is true.” The email then clarified that a “computer balloting system from over 100,000 unions, associations, and corporate bodies that are listed online from Canada, Australia, United States, Asia, Europe, Middle East, Africa and Oceania” had selected the recipient’s email address randomly.

According to the email, this computer balloting system apparently operated under the ownership of the “Microsoft Corporation Lottery Nominee.” The fake Paul Allen described this entity as “an independent Internet Lottery organization that has been financially assisting people with its intention to change people’s life since 1998 and especially this Coronavirus (Convid19) Pandemic, so many people have benefited from it over the years.[sic]”

This is not the first time that some form of Microsoft lottery or promotion has appeared in a spam campaign. Back in January 2018, for instance, a user took to Microsoft’s Community to share an email that they had received about a fake Microsoft International Awareness Program. The message claimed that yet another computer balloting system had been responsible for selecting the recipient as the winner of 200,000.00 British pounds and a Microsoft Surface laptop. After indicating that the recipient’s documents had been approved, the email informed them that a delivery officer would be arriving at a nearby airport and would accompany them to a bank to complete the delivery and transfer of their winnings. Before that could happen, though, the individual would need to pay 10,300 INR (worth about $150 USD) in “government taxes.”

Since then, other users have shared similar scams, including notifications of having won the […] and the […].

The issue with all of these emails is that Microsoft doesn’t operate a lottery organization. There’s therefore no computer balloting system selecting people for cash prizes. There are only malicious actors seeking to capitalize on unsuspecting people.

The Spoils of a COVID-19 Relief Scam

Malicious actors leverage Microsoft lottery scams to profit in various ways. In the scam shared in Microsoft’s Community, for instance, nefarious individuals attempted to trick a user into paying what they thought was government tax on an even larger cash prize.

But sometimes, they just want cold, hard data.

That was the case in the ruse that AppRiver recently discovered. This particular campaign asked the recipient to submit 10 different pieces of information. Much of that requested data included the usual personally identifiable information (PII) such as the recipient’s name, address and phone number. It also included the recipient’s email address, a detail which the “Microsoft Corporation Lottery Nominee” should already know if its computer balloting system had indeed selected them as a winner in the first place.

That being said, the email also requested that the user send over more sensitive details about themselves. Those requested data included the user’s nationality and occupation, date of birth and ID/passport/driver’s license number.

If they complied with this request, the user would have given the attackers all they needed to commit identity theft. They could have then used those details to open bank accounts, apply for mortgages and engage in other fraudulent activities under their victim’s name.

Defending Your Employees’ Data Against a Microsoft Lottery Scam

The scam campaign described above highlights the need for organizations to defend their employees’ passport details and other data against a Microsoft lottery scam. One of the ways they can do this is by strengthening their email security. Specifically, they should consider investing in a solution that’s capable of scanning incoming messages for IP addresses, malware signatures, campaign patterns and other indicators of known malware operations. That tool should analyze emails in real time, thus allowing legitimate pieces to reach their intended destination without disrupting the business.
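The header inconsistencies and the bulk PII request described above can be checked mechanically. The following Python sketch is an added example, not part of the original article or any AppRiver product: it flags a display name that claims an organization the sending domain does not belong to, a free-mail sender, a Reply-To domain that differs from the From domain, and a body that asks for many identity fields. The free-mail list, the organization-to-domain map (apart from who.int), the PII threshold and the sample body are assumptions made for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions: a tiny freemail list and an org-to-domain map; who.int comes from
# the article, microsoft.com and the PII threshold are illustrative choices.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
ORG_DOMAINS = {"world health organization": "who.int", "microsoft": "microsoft.com"}
PII_TERMS = ("full name", "phone", "nationality", "occupation",
             "date of birth", "passport")

# Constructed sample: headers use the defanged addresses quoted in the article;
# the body is invented for the demo apart from the sentence the article quotes.
SAMPLE = """\
From: World Health Organization <whoconvid19grantsclaims@gmail[dot]com>
Reply-To: msfoundation4convid19@webmail[dot]co[dot]za
Subject: pandemic grant compensation

Dear Microsoft Nominee,
We acknowledged receipt of your mail and the contents noted.
To claim, send your full name, phone, nationality, occupation,
date of birth and passport number.
"""

def parsed(header_value):
    """Refang '[dot]', then return (display name, domain), both lower-cased."""
    name, addr = parseaddr(header_value.replace("[dot]", "."))
    return name.lower(), addr.rpartition("@")[2].lower()

def lure_indicators(raw):
    msg = message_from_string(raw)
    display, from_dom = parsed(msg.get("From", ""))
    _, reply_dom = parsed(msg.get("Reply-To", ""))
    found = []
    for org, dom in ORG_DOMAINS.items():
        # Display name claims an organization the sending domain does not belong to.
        if org in display and from_dom != dom and not from_dom.endswith("." + dom):
            found.append("display-name-domain-mismatch")
    if from_dom in FREEMAIL:
        found.append("freemail-sender")
    if reply_dom and reply_dom != from_dom:
        found.append("reply-to-domain-differs")
    body = msg.get_payload().lower()
    if sum(term in body for term in PII_TERMS) >= 4:
        found.append("bulk-pii-request")
    return found

if __name__ == "__main__":
    print(lure_indicators(SAMPLE))
```

No single indicator is conclusive on its own; a message that trips several of them together, as the constructed sample does, is the pattern worth quarantining or escalating.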

Learn how AppRiver’s email threat protection can help your organization against Microsoft lottery scams.