Compromised Email accounts used for Scamming contacts – A Case Study

I recently had the opportunity to observe a case of compromised-email scam tactics; a friend called me in to help track the issue down. I thought it would be interesting to relate: many of you will have seen this MO 100 times, but I work on back-end issues and normally don't get to assist in incident response.

The attacker used the compromised account to scam contacts into purchasing Amazon gift cards. It is sometimes hard to believe that this tactic still works, but I can assure you that scamming for gift cards is alive and well, and it worked in this instance. Those most vulnerable to these scams include older people: when they see a request for help, even from a casual friend, the instinct is to help rather than be suspicious.

The compromised email account was used to send out a request with the subject line "A Quick Favor"; the body asked whether anyone had an Amazon account. The scammer likely obtained the password from a breach of some other site and, using the same name, tracked down victim zero's email provider and account. The password had been re-used.

How the scam worked

The scammer did two things. 1) They set up a forward on the compromised account so that all incoming email was copied to an account created just for this individual scam. That account reused the victim's email name with an underscore appended and was created at Outlook.com. The domain of the scammer's account therefore differed from that of the compromised account, but the address looked very similar at a glance.

2) The scammer set up a filtering rule that moved any responses with the subject "A Quick Favor" to Trash. Replies (including alerts) sent back to victim zero's address therefore went unnoticed by the account owner, while the forward still delivered them to the scammer.

The original scam email came from the compromised account, but all responses were forwarded to the scam look-alike account. The look-alike account was then used to carry on the subsequent conversation with the collateral victims, the theory apparently being that anyone who took the bait would not notice the subtle change of address in the later messages. In this instance, that worked.

Lessons Learned

Lesson #1: don't re-use passwords. That is easier said than done: the only realistic way to avoid re-using passwords is to use something like LastPass to generate and store them. Maybe that should be our birthday gift to parents and grandparents: a one-year subscription to a password manager.

Lesson #2: if anyone, anywhere, at any time asks you to buy gift cards, whether as a favor, to pay off a debt, or for any other reason, it's a scam. Relaying that simple advice to our users, obvious as it seems, remains useful.

Lesson #3: if this happens to anyone you know, advise them to change their password immediately and then go into their email settings and check for forwards and filters. The scenario can be confusing, with the original victim sometimes believing that the scam emails were simply forged rather than actually sent from their account. Remember that the attacker's rule deletes responses automatically, so an empty inbox proves nothing. Victim zero must change the password first and then look for evidence: filters, forwards, sent mail, and deleted mail. It is also worth checking the account's recovery email address and phone number, since an attacker with the password may have changed those as well, and signing out of all other sessions where the provider offers that option.
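As an added illustration (not part of the original case study), the following Python audits a list of mailbox rules for the two tricks the scammer used in the section above: a forward to an external look-alike address, and a filter that routes matching replies to Trash. It generalizes slightly by flagging any forward to a foreign domain and any rule that auto-deletes mail, not just the subject used here. The rule structure, the address jane.doe@example.com and the sample rules are all constructed assumptions, not any provider's export format; in practice you would pull the rules from the provider's settings page or admin API and map them into this shape.

```python
# Added example (not from the original post): audit a mailbox's rules for the
# two tricks described above, a forward to a look-alike address and a filter
# that auto-deletes replies. The rule format is a generic assumption, not any
# provider's export format; map your provider's rules into it before auditing.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Folder names that various providers use for deleted mail.
TRASH_FOLDERS = {"trash", "deleted", "deleted items", "bin"}


@dataclass
class MailRule:
    """A simplified mailbox rule: what it matches and what it does."""
    name: str
    # e.g. {"subject_contains": "A Quick Favor"}
    conditions: Dict[str, str] = field(default_factory=dict)
    # e.g. {"forward_to": "someone@example.org", "move_to": "Trash"}
    actions: Dict[str, str] = field(default_factory=dict)


def split_address(addr: str) -> Tuple[str, str]:
    """Return (local_part, domain), both lower-cased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def is_lookalike(owner: str, candidate: str) -> bool:
    """True if candidate reuses the owner's local part, allowing appended
    punctuation such as the trailing underscore in the post, at a different domain."""
    o_local, o_domain = split_address(owner)
    c_local, c_domain = split_address(candidate)
    if not c_domain or c_domain == o_domain:
        return False
    return c_local.rstrip("_.-") == o_local.rstrip("_.-")


def audit_rules(owner: str, rules: List[MailRule]) -> List[Tuple[str, str, str]]:
    """Return (rule name, issue, detail) for each rule matching an attacker pattern.

    Issues: external_forward (forward to another domain), lookalike_forward
    (forward to an address mimicking the owner), auto_delete (mail sent to trash
    or deleted outright, hiding it from the owner).
    """
    _, owner_domain = split_address(owner)
    findings: List[Tuple[str, str, str]] = []
    for rule in rules:
        forward_to = rule.actions.get("forward_to")
        if forward_to:
            if split_address(forward_to)[1] != owner_domain:
                findings.append((rule.name, "external_forward", forward_to))
            if is_lookalike(owner, forward_to):
                findings.append((rule.name, "lookalike_forward", forward_to))
        destination = rule.actions.get("move_to", "").lower()
        if rule.actions.get("delete") == "yes" or destination in TRASH_FOLDERS:
            matched = ", ".join(f"{k}={v!r}" for k, v in rule.conditions.items()) or "all mail"
            findings.append((rule.name, "auto_delete", matched))
    return findings


# Constructed sample: a hypothetical victim-zero address and three rules, two
# of which mirror the post (the forward to the underscore look-alike and the
# filter that trashes replies to the scam subject). The third is benign.
OWNER = "jane.doe@example.com"
SAMPLE_RULES = [
    MailRule("Forward everything", {}, {"forward_to": "jane.doe_@outlook.com"}),
    MailRule("Hide replies", {"subject_contains": "A Quick Favor"}, {"move_to": "Trash"}),
    MailRule("Newsletters", {"from_contains": "news@"}, {"move_to": "Newsletters"}),
]

if __name__ == "__main__":
    for name, issue, detail in audit_rules(OWNER, SAMPLE_RULES):
        print(f"[{issue}] rule '{name}': {detail}")
```

Run against the sample, the first rule is reported twice (once as an external forward, once as a look-alike forward) and the second once as an auto-delete rule; the newsletter rule produces no finding. The trailing-punctuation comparison in is_lookalike is deliberately narrow: it catches the underscore trick from this case without flagging every unrelated address at another domain.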

Lesson #4: if you receive such a scam request, alert the contact by a means other than email. Text or call them immediately to tell them there is a serious problem with their account that must be dealt with as described in Lesson #3.