Attackers are ganging up on you in your email

Email from a spy giving you a malicious link to a fake post

Phishing email in which the attackers cc other attackers to make the attack seem more real. Image: Proofpoint

BY KERRY TOMLINSON, AMPERE NEWS

November 1, 2022

What's better than an attacker sending you a poisoned email? A group of attackers sending you a poisoned email --- at least that's the strategy of one set of cyber crooks on a spying mission.

They're trying out group emails where other people listed in the message are undercover spies as well, as we show you in our latest episode of Cyber Tricks Revealed, where we uncover cyber crooks’ sneaky tactics.

Here’s how it works.


Digital Shills

As a researcher, you might feel quite honored to get this email from Harald Ott, a prominent surgeon, asking you to collaborate on his work on regenerating organs.

"I think it would be best if I could have a talk to chat with you," the email says.

The sender includes a list of other people with important-sounding jobs on the email, like Claire Muñoz Parry with the Global Health Programme at the think tank Chatham House, and Andrew Marshall, formerly chief editor of the journal Nature Biotechnology.

But the email is fake. It's from a cyber spy pretending to be Ott, said security company Proofpoint in its report on this attack.

The trick here is that fake Harald isn't the only spy. The people behind Muñoz Parry's and Marshall's accounts on this email are spies, too, using their names to trick you.

 It’s kind of like plants in an audience at a magic show. If they participate in the scheme, it can feel more authentic to the rest of the crowd.

Ganging Up

If you reply, fake Harald will send you a poisonous link that can end up secretly stealing your data, Proofpoint said.

Let's say instead of replying, you hesitate. Fake Andrew will jump in to coax you into responding, saying, "Thanks for your time. Eagerly looking forward to hearing from you."

With another voice asking for your input, it can seem more real.

Strategic Moves

The targets in this attack have special information and research that the attackers want. After all, not everyone is a researcher on organ regeneration.

But if these kinds of attacks are successful, cyber crooks will use the same tactics for other targets, too.

Mix of fact & fiction

Sometimes the attackers include a real person in their group message, not just impersonators.

In an email supposedly from Carroll Doherty, director of political research at the Pew Research Center, he asks you to read an article he wrote.

Fake Carroll cc's what appear to be professors and authors, like Daniel Krcmaric at Northwestern University, Sharan Grewal at the College of William and Mary, and Aaron Stein, formerly of the Foreign Policy Research Institute and now with the platform War on the Rocks.

Once again, these are secret agents taking on the personas of Doherty, Krcmaric, Grewal and Stein.

But also on the group email is a real person, another target. If you know their name, if you work with them, if you contact them to verify, you might be more convinced that it’s authentic.

Echo Attack

The link to the article is malicious, researchers said. Click and you'll lose sensitive data to the cyber spies.

If you don't answer, you get group pushback, first from fake Carroll himself, urging you to read the article and re-sending the link and password.

Then fake Aaron joins in, sending the link and password again and thanking you for your time. This kind of mob attack may pull you in and wear you down.

What to Do

Ampere News contacted the people whose names the attackers used in their scheme.

"I am very glad you are running the story and raising awareness about this!" Grewal said.

The real Aaron Stein, now with War on the Rocks, said, "My first instinct was that somehow my email had been hacked and that somebody was sending emails from my account. I quickly realized in about 30 to 60 seconds that wasn't the case."

Instead, attackers made their own email address with his name. Proofpoint says these attackers are claiming to be from well-known institutions but use generic addresses like Gmail and Outlook.

It's a good reminder to check not just the name of the sender, but their actual email address as well.

"It's quite clear it wasn't from my email address if you hovered over it," Stein told Ampere News. "You need to be diligent and use your brain when you get emails that don't sound like they come from that person."

The Pew Research Center responded on behalf of Carroll Doherty. "The spoofed email messages impersonating our staff are not associated with Pew Research Center. Anyone who receives email messages purportedly from Pew Research Center staff that feel suspicious can email info@pewresearch.org to inquire about their veracity."

One More Clue

In some cases, these attackers first send a blank email to get around email safety protections. Then, they reply to the blank email, which may get them into your inbox instead of the spam file. 

If you receive a response to a blank email, that can be another sign of attack.
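For mail administrators, the two clues above (named people writing from generic webmail addresses, and a reply to a blank email) can be turned into a simple header check. This is an added example, not code from Proofpoint or Ampere News; the domain list, the function names and the sample thread are assumptions made for illustration, and the results are review signals rather than proof of an attack.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: a short illustrative set of free webmail domains, not exhaustive.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

def freemail_participants(msg):
    """Return (display name, address) for each From/Cc entry on a free webmail domain."""
    pairs = getaddresses(msg.get_all("From", []) + msg.get_all("Cc", []))
    return [(n, a) for n, a in pairs if a.rpartition("@")[2].lower() in FREEMAIL]

def body_is_blank(msg):
    """True when a single-part message has no text in its body."""
    payload = msg.get_payload()
    return isinstance(payload, str) and not payload.strip()

def review(msg, earlier):
    """Warnings for one message; `earlier` maps Message-ID to already-seen messages."""
    warnings = []
    hits = freemail_participants(msg)
    if hits:
        warnings.append("free webmail sender/cc: " + ", ".join(a for _, a in hits))
    if len(hits) >= 2:
        warnings.append("several named participants all use free webmail")
    parent = earlier.get(msg.get("In-Reply-To", "").strip())
    if parent is not None and body_is_blank(parent):
        warnings.append("reply to a blank email")
    return warnings

# Constructed sample thread: placeholder names and addresses, not from the report.
blank = message_from_string("""\
From: "Persona One" <persona1.placeholder@gmail.com>
To: target@university.example
Message-ID: <m1@mail.example>
Subject: Collaboration

""")
followup = message_from_string("""\
From: "Persona One" <persona1.placeholder@gmail.com>
To: target@university.example
Cc: "Persona Two" <persona2.placeholder@outlook.com>, "Known Colleague" <colleague@university.example>
Message-ID: <m2@mail.example>
In-Reply-To: <m1@mail.example>
Subject: Re: Collaboration

I think it would be best if we could talk.
""")

if __name__ == "__main__":
    for w in review(followup, {blank["Message-ID"]: blank}):
        print("WARNING:", w)
```

The colleague on the institutional domain is not flagged, which mirrors the article's point that a real person may sit on the same thread as the impersonators.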
