
Beware of the new Email scam!

Recently I noticed that one of my Email accounts got some unwanted attention.
Both in the standard folder as well as in the provided spam folder I started to collect Emails.
And I don't always mean from senders I knew or websites I am registered with.
My usual approach is to just delete what comes from unknown senders or has a suspicious feeling to it.
So no "winner got it all" crap, no offers, no invitations...
A few however seemed to originate from some well known "things on the web" - and some of them I am registered with and get ads, offers and such.
Sadly that resulted in some Emails being looked at and then discarded anyways.

I kept deleting those unwanted mails without opening them for a few days.
Then they magically changed ;)
Websites I used and especially those that require login details appeared as senders.
Nothing with any vital info in the preview but also no real activity from my end on those websites.
Then I made some impulsive buys on Ebay :(
On top of the usual Emails I also got some "reminders" and "seller offers" added.
Never happened before and certainly not activated in my Ebay account as a feature.
And unlike real Emails from Ebay my account name was missing.
Instead a conveniently placed and highlighted shortcut button to "You account login" was provided.
Ok, fake, forwarded to Ebay's spam team and quickly confirmed as spam.
Moved and only hours later I got more Emails with similar tempting offers as buttons to confirm something that requires me to login.
And now from websites or services I actually logged in to this day.

The wise donkey said: You have something on your computer that shouldn't be there!
Reboot from a CD to have the hard drives checked for malware - negative captain :(
Ok then it must be something within Windows, time to use a system restore point from a few weeks ago.
Again nope...
So I used a different browser and quite a few websites and services that require my login details.
No new Emails... with those websites.
Kept using this browser for a few days and only stuff I already had came again a few times but overall far less spam mails.
Used the standard browser for a few hours with some login requirements and within a day I had corresponding Emails for a few of them.
Found several bad tracking cookies in my browser.
Bad in terms of redirecting all visited IP addresses to some addresses I can't even find.
Deleted all cookies as well as the browser history.

A closer look at those suspicious Emails revealed that some include a thing similar to the old single pixel tracker.
If you open them and are not otherwise prevented it will result in some webservice knowing you actually opened the Email.
Together of course with your Email address.
The headers were good fakes too so the real sender is properly disguised.
Those buttons and links mostly went to websites my browser protection already knows and prevents.
Some however did not.
In a sandboxed browser I was able to get onto some more or less convincing copies of the original websites' login pages.
The address bar always started with the original's name but then had a lot of cryptic stuff added to it.
The sandbox blocked all that would otherwise have come through but the browser was rendered useless in the sandbox after I "logged in".
Did another check and confirmed that all links, buttons and such on that "infected" website also cause the same browser crash.
Only difference was that only WITH something typed into the login field the browser tried to establish a new outgoing connection before getting dusted.

The malicious Email provides the IP address used.
Most if not all links within such an Email end on malicious websites.
Some, especially at the beginning, don't!!
Instead the links go to websites that use cookies and other stuff normal protection mechanisms overlook.
Somewhere between opening the link and closing it or the browser a change is made.
Either you get a popup window looking like some advertisement or when you start your browser the next time you see some website added that was not there before.
The spammer now knows you actually bothered enough to follow at least one of the faked links provided in the Emails.
The added bonus tracker provides ongoing supplies of websites you visit.
A lot still use things in the address bar that identify them as a login page, even if it is just starting with HTTPS.
Popular websites and services get faked copies on servers in the dark web or at least outside normal DNS services.
Now the spammer adds more and more Emails faking things you login to when using a browser for it.
Until now nothing too bad or irreversible happened.
But get fooled and actually click on a link in one of the new spam mails and it might be over.
In the "best outcome" you would be locked out of your browser and have to delete it in safe mode or attempt a manual removal of the hijacker.
A bit worse is if your protection started to fail and instead of the hijacker you end up with something manipulating your system.
Really bad would be if you end up on a faked login website, and safety fails until you are locked out from your own system.
Don't know what Email you might get after that and what demands to fix your system...
However it gets worse: Like the one before but when you enter your credentials and hit the login button the website jumps to some random Youtube clip or Google search page.
In case you wonder: You just gave the spammer your personal login details for said website or service....
Most "deadly" would be if you end up on more than just one like that.
Every single one gives the spammer a new login that you might pay for or that includes even more sensitive data.
Having to format and re-install all of a sudden is a thing of far too late then.
I do not know if there was an Email I clicked on first, an infected advertisement or even some leaked Email addresses including my own on the internet for sale.
All I know for sure is that those tracking options in the malicious Emails correspond to tracking stuff in the browser.
No virus, no real malware until you click on the wrong stuff.

Anything to prevent this from happening?
Whatever you do: Do not use anything that requires the internet! - Just kidding!! Relax...
1. Never click on anything inside mails from sources you don't fully trust!
If in doubt copy and paste the link into an editor and check if it is identical to the real address!
Usually you would find some random stuff after the dot of the address name where you would otherwise see .COM or .COM.AU.
2. In case you ended up on some spam or fake looking website anyways you should delete the cookies and browser history.
The history might not be required though.
3. Best would of course be to only allow known and trusted cookies or to not use any that survive a restart of the browser.
4. Very important!
If you start to get those Emails very shortly after using it to create an account for something on the web then please provide the website you registered at with that Email address !!!

5. If you get faked Emails for things you are actually registered with then please consider informing the admins or support of this website about it.
You might not have clicked on it but some user there might if nobody places a warning ;)

What if all went to a total failure?
I assume that is why you made that backup of all vital data and kept it updated?
Also how to install your operating system, in my case Windows, again.
A hijack is easy, a fully infected or even encrypted system not.
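The link check from advice item 1 and the single-pixel tracker mentioned above, as an added example that is not part of the original post: it parses a constructed HTML mail, flags links whose registrable domain is not the brand's real domain (the brand name sitting in front of cryptic, unrelated stuff), and flags 1x1 images that report the mail was opened. The trusted-domain set and the sample addresses are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML mail (not from the original post).
SAMPLE_EMAIL = """
<p>Dear customer, confirm your seller offer:</p>
<a href="https://ebay.com.login-verify.example/session?x=ab12cd">Your account login</a>
<a href="https://www.ebay.com/help">Help</a>
<img src="https://track.example/open?id=9f3c" width="1" height="1">
<img src="https://www.ebay.com/logo.png" width="120" height="40">
"""

def registrable_domain(host):
    # Naive: the last two labels. Production code would use the public suffix list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

class _Extractor(HTMLParser):
    """Collect link targets and image sources from the mail body."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))

def analyse_email(html, trusted_domains):
    """Return (kind, url) findings: links off the trusted domains and tracking images."""
    ex = _Extractor()
    ex.feed(html)
    findings = []
    for href in ex.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) not in trusted_domains:
            findings.append(("suspicious_link", href))
    for src, width, height in ex.images:
        host = urlparse(src).hostname or ""
        if (width, height) == ("1", "1"):
            findings.append(("tracking_pixel", src))
        elif registrable_domain(host) not in trusted_domains:
            findings.append(("remote_image", src))
    return findings

if __name__ == "__main__":
    for kind, url in analyse_email(SAMPLE_EMAIL, {"ebay.com"}):
        print(f"{kind:16} {url}")
```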



1 year ago

Good post. Another thing to check is that your email account hasn't been harvested or been part of a leak; https://haveibeenpwned.com/ is a good resource to check this out, it's run by the Mozilla foundation.