With some more information about what I was looking for, I managed to find several more.<\/p>\n
There is a great deal of variation between the emails, but we do have enough samples to show you a pattern which looks like this:<\/p>\n Subject: Sad announcement: <First name><Last name><\/p>\n Sometimes the colon is replaced by the word \u201cfrom\u201d.<\/p>\n Then a short sentence to pique the reader\u2019s curiosity, which often references photos. Here are some examples:<\/p>\n \u201cWhen you open them you will see why I actually wanted to share them with you today\u201d<\/p>\n “Never thought I would want to share these images with you, anyways here they are”<\/p>\n “I’m presuming you should remember these two ladies, in that photo”<\/p>\n “When I was looking through some old folders I found these 3 pics”<\/p>\n \u201cit wasn’t initially my plan, but I had to change my mind about it\u201d<\/p>\n “Two pictures that I wanted to share with you. They’re likely to bring a flood of memories to you, as they did to me…”<\/p>\n “Probably should have contacted you a little bit earlier. Anyways just wanted to keep you updated”<\/p>\n<\/blockquote>\n This is then immediately followed by a link. These also follow a certain pattern:<\/p>\n These domains are all registered with NameCheap and are only active for a few days.<\/p>\n To close the emails off, the scammers end with a quote in the format:<\/p>\n “You do not find the happy life. You make it.” – Camilla Eyring Kimball<\/p>\n<\/blockquote>\n The sender addresses are spoofed to look like they were coming from family or friends of the target. The actual sender addresses are compromised accounts from all over the world.<\/p>\n The campaign looks to have targeted mainly the US, but I also found some located in Ireland and the UK and some odd ones in India and Italy.<\/p>\n So, the question is, what are they after? The short-lived domains really made it hard for me to figure that out. It took me quite a bit to find a domain that was still active, but then I knew soon enough what the end-goal of the spammers was.<\/p>\n A short chain of redirects sent me to The Where The website itself probably looks familiar to a lot of readers: A fake online Windows Defender scan.<\/p>\n The fake Windows Defender site shows that your system is infected with loads of threats.<\/p>\n Funny enough the site claims to be Windows Defender, but uses Malwarebytes\u2019 detection names. For example: Microsoft does not detect the Potentially Unwanted Program which Malwarebytes detects as PUP.Optional.RelevantKnowledge.<\/p>\n Anyway, the website quickly takes up the entire screen, so you have to click or hold (depending on your browser) the ESC button to get back the controls that allow you to close the website.<\/p>\n Now that you have seen the patterns in the email, we hope that you will refrain from clicking the links. The redirect chain can be changed and may be different for your location and type of system. So, there may be more serious consequences than an annoying website.<\/p>\n If your browser or mobile device \u201clocks up\u201d, meaning you\u2019re no longer able to navigate away from a virus warning, you\u2019re likely looking at a tech support scam. If something claims to show the files and folders from inside of your browser, this is another signal that you\u2019re on a fake page. Close the browser if possible or restart your device if this doesn\u2019t work.<\/p>\n Despite the occasional arrests and FTC fines for tech support scammers and their henchmen, there are still plenty of cybercriminals active in this field. Scams range from unsolicited calls offering help with your \u201cinfected\u201d computer to fully-fledged websites where you can purchase heavily over-priced versions of legitimate security software.<\/p>\n Unfortunately for some people these warnings may have come too late. So what should you do if you have fallen victim to a tech support scam? Here are a few pointers:<\/p>\n We don\u2019t just report on threats\u2014we remove them<\/strong><\/p>\n Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today<\/a>.<\/p>\n![\"example](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/11\/pattern.jpg\")
<\/figure>\n\n
gjsqr.hytsiysx.com<\/code><\/p>\ntmdlod.vdicedohf.com<\/code><\/p>\ngtfhq.rmldxkff.com<\/code><\/p>\npdbh.ramahteen.com<\/code><\/p>\nowwiu.dexfyerd.com<\/code><\/p>\nroix.unrgagceso.com<\/code><\/p>\nyrlbi.vohdsniuz.com<\/code><\/p>\nuqjk.mbafwnds.com<\/code><\/p>\nvjdbd.hhesdeh.com<\/code><\/p>\nmbjzo.enexoo.com<\/code><\/p>\n<\/p><\/div>\n\n
https:\/\/niceandsafetystore0990.blob.core.windows[.]net\/niceandsafetystore0990\/index.html<\/code><\/a> which is now blocked by Malwarebytes Browser Guard.<\/p>\n![\"Malwarebytes](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/11\/Browser_Guard_block.jpg\")
<\/figure>\nblob.core.windows.net<\/code> subdomains are unique identifiers for Azure Blob Storage accounts. They follow this format:<\/p>\n<storageaccountname>.blob.core.windows.net<\/code><\/p>\n<storageaccountname><\/code> is the name of the specific Azure Storage account. Spammers like using them because the windows.net<\/code> part of the domain makes them look trustworthy.<\/p>\n![\"A](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/11\/TSS_1.jpg\")
<\/figure>\n![\"Fake](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/11\/TSS_2.jpg\")
<\/figure>\nHow to avoid the “sad announcement” scam<\/h2>\n
\n
\n
\n