Spammers Target NI Charities

14 Nov 2018 Ian Kelly    Last updated: 21 Nov 2018

NI charities and public bodies are being impersonated in order to spread malware, and an email blackmail scam is doing the rounds alongside it, in a recent twist to email spam.

2018 has seen no let-up in the volume of spam email, despite the tech sector doing its utmost to combat each new vector. Spammers are getting more cunning and more ruthless, and will try any and all means to get you to engage with them or to hand over personal information or money.

During the past month we have noticed two distinct types of spam coming to the fore, both with a distinctly more personal feel to them.

Phishing and spoofed emails

We have been receiving a larger than normal quantity of spam emails appearing to originate from local NI charities and public bodies, including some appearing to come from our own NICVA staff members. These emails have all related to payment of invoices in some way and carry an attachment containing malware disguised as a Word document or similar file.

I can only suspect that others within the sector will have received such emails as well. They will all appear with slightly different content, and with a sender address that you will likely recognise or trust. Needless to say, this address is “spoofed”: the message does not originate from that person’s account, it only appears to. In most cases the person's actual account will not have been ‘hacked’. Email does not verify the From address, so anyone can send a message pretending to be from another address.

Our own systems have been successful in detecting these, removing the malicious content and alerting us to the threats (all features of the Office 365 Nonprofit programme, available as free or minimal-cost services). We have raised the issue with the PSNI Cyber Crime Unit, who are also aware of an increase in this activity. Please follow the usual advice listed below and make your staff and colleagues aware that this is happening.

Blackmail threats

The second threat is of a darker nature, and one with the potential to affect anyone: blackmail spam. Again, there are variants in how it is presented, but the email will catch your attention by quoting a recognisable, but old, password of yours in the subject line or body of the message. It goes on to explain that they have “hacked” your account and gained access to your personal details, webcam and so on, and threatens to release footage of you, along with false claims that you have been accessing pornographic sites, unless a fee is paid in Bitcoin to an address they give.

This is the one that has instilled fear in many, because of the personal information the sender could seemingly have gained, given that they know your password. In reality your email address and password will have been part of an old data breach from any number of sources, and are being reused in a ‘shotgun’ approach to extortion. Nothing about it is targeted at you personally, and knowing an old password gives them no access to your webcam or browsing history.

If you would like to see which known breaches your email accounts have been part of, visit www.haveibeenpwned.com and see for yourself. The best advice here is to make sure you are not still using this password on any of your work or personal accounts, and if you haven’t changed your password with a service in a while, make a point of changing it as soon as possible, or consider using a password manager (eg. www.lastpass.com).

Our advice:

  1. Check the sender’s email address. Does it match the organisation it claims to be from? Look at the actual address, not just the display name.
  2. Hover over any links (without clicking) and check that they point to that organisation. Do not click unless you are 100% certain it is not spam.
  3. Do not open any attachments you are not expecting to receive.
  4. Do not reply to the sender; contact the organisation using the contact details listed on its own website.
  5. If you do click (even though you shouldn’t!), NEVER give any personal information.
  6. If you can, use a spam filtering service.
  7. If you have ignored all of the above and are now worried that you have done something wrong, contact someone in your IT department as soon as possible for advice.
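As an added illustration of items 1 and 2 above (this script is not part of the original article or of any NICVA tooling), the Python below automates the checks a careful reader does by eye, run against a constructed sample message that mimics the spoofed invoice emails described earlier. It compares the visible From address with the envelope sender (Return-Path) and with the SPF/DKIM/DMARC verdicts in the gateway's Authentication-Results header, flags links whose visible text names one domain while the href points to another, and lists attachments by name and declared type. All domains, addresses and the message itself are made up for the example; the RISKY_EXTENSIONS set and the two-label approximation of an organisational domain are simplifying assumptions, noted in the comments.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that commonly carry macros or executable content (an assumption for this example).
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".zip", ".js", ".vbs", ".exe", ".lnk"}

# Constructed sample, not a real message. "From" claims a charity's finance team, but the
# envelope sender (Return-Path) and the receiving gateway's SPF/DMARC verdicts disagree, the
# link text hides a different destination, and a .doc is attached. The base64 body is only
# the 8-byte OLE2 magic number, not a real document.
SPOOFED_MESSAGE = b"""Return-Path: <bounce-8831@mail-relay.example.net>
Authentication-Results: mx.charity.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=ni-charity.example
From: "Finance Team" <finance@ni-charity.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please settle the attached invoice or view it at
<a href="http://invoice-portal.example.net/login">https://www.ni-charity.example/invoices</a>.</p></body></html>
--b1
Content-Type: application/msword; name="Invoice_2231.doc"
Content-Disposition: attachment; filename="Invoice_2231.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--b1--
"""

def org_domain(host):
    # Last two labels approximate the organisational domain (DMARC "relaxed" alignment);
    # production code should consult the Public Suffix List so that co.uk etc. are handled.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    # method=result pairs (spf=fail, dkim=none, dmarc=fail) from an Authentication-Results
    # header. Only trust this header if your own gateway wrote it; a sender can forge it too.
    results = {}
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id
        method, sep, rest = clause.strip().partition("=")
        if sep:
            results[method.strip().lower()] = (rest.split() or [""])[0].lower()
    return results

class LinkCollector(HTMLParser):
    # Collect (href, visible text) for every <a> so the two can be compared.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def misleading_links(html):
    # Links whose visible text names one organisation while the href goes to another:
    # exactly what hovering over the link would reveal.
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        try:
            href_host = urlparse(href).hostname or ""
            text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        except ValueError:
            continue
        if "." in text_host and " " not in text_host and org_domain(text_host) != org_domain(href_host):
            findings.append((text, href))
    return findings

def attachments(msg):
    # Name, declared type, and whether the extension is one treated as risky.
    return [{"name": p.get_filename() or "", "type": p.get_content_type(),
             "risky": ("." + (p.get_filename() or "").rsplit(".", 1)[-1].lower()) in RISKY_EXTENSIONS}
            for p in msg.iter_attachments()]

def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    body = msg.get_body(preferencelist=("html", "plain"))
    links = misleading_links(body.get_content() if body is not None else "")
    atts = attachments(msg)
    # Aligned: the visible From domain belongs to the same organisation as the envelope sender.
    aligned = bool(return_path) and org_domain(from_addr.rpartition("@")[2]) == org_domain(return_path.rpartition("@")[2])
    return {
        "display_name": display_name, "from_address": from_addr, "return_path": return_path,
        "aligned": aligned, "auth": auth, "misleading_links": links, "attachments": atts,
        "suspicious": (not aligned or auth.get("spf") == "fail" or auth.get("dmarc") == "fail"
                       or bool(links) or any(a["risky"] for a in atts)),
    }

if __name__ == "__main__":
    for key, value in triage(SPOOFED_MESSAGE).items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the report for the constructed message: the From address is not aligned with the Return-Path, SPF and DMARC failed, the link text advertises the charity's site while the href goes elsewhere, and a `.doc` is attached, so `suspicious` is true. The Authentication-Results check is only meaningful when your own mail gateway adds that header; a message arriving with one already present should be treated as unverified, and a real deployment would replace the two-label domain shortcut with the Public Suffix List.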


For more information, visit ActionFraud for advice on what additional measures to take, or BitcoinAbuse to check whether a Bitcoin address has been reported for fraudulent activity.

by Ian Kelly

Systems Administrator

ian.kelly@nicva.org