Internet weather: targeted email attacks

I originally wrote this a couple of months ago, and I’ve since had other examples sent to me. It seems to have become something of an epidemic.

I deal with a number of clients in the legal profession, and this morning one of them forwarded me an email which he thought was suspicious. It appeared to be sent from a Rob Moore at a company called Progressive Property, and the body of the mail was this:

Good Afternoon,

I hope you are having a good weekend

I am instructed to deal with your firm for the purchase of a property, we are real estate company acting on behalf my clients .

The Executors appointed were her husband (predeceased) and another firm of solicitors who have renounced. The beneficiaries are the children, Tania Beaumont and Catherine Ried. They are applying for the Grant of Probate as residuary beneficiaries and therefore acting as Executors.

Please can you contact them to give a quote. They are happy to keep this probate sale with us.

Let me know when informations you need, they are looking to market the property around £3.25m.

Please can you copy in Tania’s husband into correspondence, his name is Peter Beaumont and he is very helpful.

There were a couple of GMail addresses and a plausible looking footer, except there was no From: address (not necessary of course, but generally expected). The footer included the logo of Progressive Property and the email rob@progresssiveproperty.com, and a legal disclaimer of the type that every legal firm has, except again, on a quick search the company it purported to be from didn’t match anything else and the address didn’t match the company at all.

Yes, three s’s. On additional readings the body of the mail looks increasingly like a 419 scam every time you read it, and the domain name returns Cloudflare records and a Microsoft Exchange login page.

It occurred to me to look up Progressive Property and of course there’s a successful UK company of that name, and Rob Moore is one of the founders. Obviously they’re in no way related to this scam, but it was increasingly understandable how much trust this could create, and it was clearly aimed at a particular business sector.

Since I wrote this, other payloads have appeared with similar email formats: they originate from very plausible looking origins, frequently well-known businesses, with HTML signatures that have the usual contact details and badges and associations, although not necessarily matching the name in the From field, or indeed the email address. A common pattern also seems to be a payload of a Word document or PDF that includes a disguised link or a QR code that if clicked on will attempt to download malware.
It’s all very well crafted, and while it doesn’t hold up to detailed examination, it will press the right buttons when it drops into an inbox, and a small percentage of people following the trail and clicking on a link would presumably be enough to infect a device.
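
As an added illustration (not part of the original post, and not taken from any mail filter), here is a small Python triage check for the tells described above: a missing From address, footer addresses that don't match the sender, and a domain that is a near-miss of a name you recognise. The BRANDS list and the sample message are constructed for the example, and comparing only the first label of the domain is a simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRANDS = {"progressiveproperty"}  # assumption: names your firm expects to hear from
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def edit_distance(a, b):  # plain Levenshtein, one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def squeeze(s):  # collapse repeated characters: 'sss' and 'ss' both become 's'
    return re.sub(r"(.)\1+", r"\1", s)

def lookalike_of(domain):
    """Return the brand a domain imitates, or None (first label only)."""
    label = domain.lower().split(".")[0]
    for brand in BRANDS:
        if label != brand and (squeeze(label) == squeeze(brand)
                               or edit_distance(label, brand) <= 2):
            return brand
    return None

def check_message(raw):
    msg = message_from_string(raw)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not from_domain:
        findings.append("no From address")
    body = msg.get_payload()  # single-part text message assumed
    for domain in sorted({d.lower() for d in ADDR_RE.findall(body)}):
        if from_domain and domain != from_domain:
            findings.append(f"body address at {domain} does not match From ({from_domain})")
        if (brand := lookalike_of(domain)):
            findings.append(f"{domain} looks like {brand}")
    return findings

# Constructed sample: no From header, a Gmail contact, and the footer address from the post.
SAMPLE = """Subject: Probate sale

Please copy in contact.placeholder@gmail.com
Rob Moore | rob@progresssiveproperty.com
"""
if __name__ == "__main__": print(check_message(SAMPLE))
```

None of these findings proves anything on its own; they are the cue to stop and verify the sender through a channel you already trust.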

If you want help with spam or mail delivery problems, please get in touch via the form.

