“Sad announcement” email implies your friend has died
Tech support scammers are again stooping low with their email campaigns. This particular one hints that one of your contacts may have met an untimely end.
It all starts with an email titled “Sad announcement” followed by a full name of someone you know. The email may appear to come from the person themselves.
A co-worker who received such an email pointed it out to our team. Looking around, I found the first report about such an email in a tweet dating back to February 5, 2024.
With some more information about what I was looking for, I managed to find several more.
There is a great deal of variation between the emails, but we do have enough samples to show you a pattern which looks like this:
Subject: Sad announcement: <First name><Last name>
Sometimes the colon is replaced by the word “from”.
Then a short sentence to pique the reader’s curiosity, which often references photos. Here are some examples:
“When you open them you will see why I actually wanted to share them with you today”
“Never thought I would want to share these images with you, anyways here they are”
“I’m presuming you should remember these two ladies, in that photo”
“When I was looking through some old folders I found these 3 pics”
“it wasn’t initially my plan, but I had to change my mind about it”
“Two pictures that I wanted to share with you. They’re likely to bring a flood of memories to you, as they did to me…”
“Probably should have contacted you a little bit earlier. Anyways just wanted to keep you updated”
This is then immediately followed by a link. These also follow a certain pattern:
These domains are all registered with NameCheap and are only active for a few days.
To close the emails off, the scammers end with a quote in the format:
“You do not find the happy life. You make it.” – Camilla Eyring Kimball
The sender addresses are spoofed to look like they were coming from family or friends of the target. The actual sender addresses are compromised accounts from all over the world.
The campaign looks to have targeted mainly the US, but I also found some located in Ireland and the UK and some odd ones in India and Italy.
So, the question is, what are they after? The short-lived domains really made it hard for me to figure that out. It took me quite a bit to find a domain that was still active, but then I knew soon enough what the end-goal of the spammers was.
A short chain of redirects sent me to https://niceandsafetystore0990.blob.core.windows[.]net/niceandsafetystore0990/index.html
which is now blocked by Malwarebytes Browser Guard.
The blob.core.windows.net
subdomains are unique identifiers for Azure Blob Storage accounts. They follow this format:
<storageaccountname>.blob.core.windows.net
Where <storageaccountname>
is the name of the specific Azure Storage account. Spammers like using them because the windows.net
part of the domain makes them look trustworthy.
The website itself probably looks familiar to a lot of readers: A fake online Windows Defender scan.
The fake Windows Defender site shows that your system is infected with loads of threats.
Funny enough the site claims to be Windows Defender, but uses Malwarebytes’ detection names. For example: Microsoft does not detect the Potentially Unwanted Program which Malwarebytes detects as PUP.Optional.RelevantKnowledge.
Anyway, the website quickly takes up the entire screen, so you have to click or hold (depending on your browser) the ESC button to get back the controls that allow you to close the website.
Now that you have seen the patterns in the email, we hope that you will refrain from clicking the links. The redirect chain can be changed and may be different for your location and type of system. So, there may be more serious consequences than an annoying website.
If your browser or mobile device “locks up”, meaning you’re no longer able to navigate away from a virus warning, you’re likely looking at a tech support scam. If something claims to show the files and folders from inside of your browser, this is another signal that you’re on a fake page. Close the browser if possible or restart your device if this doesn’t work.
Despite the occasional arrests and FTC fines for tech support scammers and their henchmen, there are still plenty of cybercriminals active in this field. Scams range from unsolicited calls offering help with your “infected” computer to fully-fledged websites where you can purchase heavily over-priced versions of legitimate security software.
Unfortunately for some people these warnings may have come too late. So what should you do if you have fallen victim to a tech support scam? Here are a few pointers:
Contact Epoch Tech Solutions to learn we will protect you from cyber dangers.