Anatomy of a dumb spear-phish: Hitting librarians up for Zelle, CashApp cash

Here’s a clue for would-be Internet financial scammers: do not target librarians. They will catch on fast, and you will have wasted your time.

Yesterday, the outgoing chair of the Young Adult Library Services Association’s Alex Awards Committee (and my wife) Paula Gallagher got a very odd email that purported to be from a colleague within her library system who is a member of YALSA’s board. The email asked, “Are you available to complete an assignment on behalf of the Board, And get reimbursed? Kindly advise.”

There were a few things off about the email. First of all, while the first half of the email address that the message came from matched the email address of her colleague, the domain name was very phishy: Reagan.com, a site that offers “secure private email” to users who want to “keep President Ronald Reagan’s legacy alive.” The purported sender of the message was, to put it mildly, not a big fan of President Reagan’s legacy. (Ars attempted to reach the operators of the Reagan.com site for comment, but they are very privacy-minded.)

Want a trusted domain name to send your spear-phish emails from for just $33 a year? Look no further.

There were other tells. The email came to the personal mailbox my wife had specifically set up for her committee work (which had been published on YALSA’s website) and not her internal library email address. And the grammar and capitalization—along with the tone of the email—did not match that of her colleague. Plus, she’s married to me, so she can smell a phish from a mile away.
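The two mechanical tells above, a sender whose local part matches a known colleague but whose domain is not the organization's, and a message landing in a publicly published committee mailbox rather than an internal one, are easy to check automatically before a human has to rely on tone. The following is an added example, not code from the article or from YALSA; the contact list, mail domains, published mailboxes and sample messages are all constructed placeholders, and the keyword lists are illustrative rather than a complete scam vocabulary.

```python
"""Lookalike-sender triage for inbound committee mail (added example).

Flags messages where the From local part matches a known colleague but the
domain is foreign to the organization, where the mail targets a mailbox that
was published on a public website, and where the body asks for a payment or
pushes urgency. All directory data below is constructed for illustration.
"""
from dataclasses import dataclass
from email.utils import parseaddr
import re

# Constructed directory: local parts of known colleagues and the org's own
# mail domains (placeholders, not the library system from the article).
KNOWN_CONTACTS = {"jane.doe": "Jane Doe", "r.smith": "R. Smith"}
ORG_DOMAINS = {"library.example.org"}
# Committee mailboxes that appear on a public website (constructed).
PUBLISHED_MAILBOXES = {"alexawards.chair@example.net"}

# Short, reviewable phrase lists; tune to the organization's own traffic.
PAYMENT_TERMS = re.compile(
    r"\b(zelle|cash ?app|reimburs\w*|wire transfer|gift cards?)\b", re.I)
URGENCY_TERMS = re.compile(
    r"\b(urgent|imperative|kindly advise|swift|before friday)\b", re.I)


@dataclass
class Message:
    from_header: str  # raw From: header value, display name optional
    to_addr: str      # the mailbox the message was delivered to
    body: str


def split_address(header: str) -> tuple[str, str]:
    """Return (local_part, domain) of a From: header, both lowercased."""
    _, addr = parseaddr(header)
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def check_message(msg: Message) -> list[str]:
    """Return the tells found in one message; an empty list means nothing odd."""
    flags = []
    local, domain = split_address(msg.from_header)
    if local in KNOWN_CONTACTS and domain not in ORG_DOMAINS:
        # Same person name as a colleague, but sent from an outside domain.
        flags.append("lookalike_sender")
    elif domain not in ORG_DOMAINS:
        flags.append("unknown_external_sender")
    if msg.to_addr.lower() in PUBLISHED_MAILBOXES:
        flags.append("sent_to_published_mailbox")
    if PAYMENT_TERMS.search(msg.body):
        flags.append("payment_request")
    if URGENCY_TERMS.search(msg.body):
        flags.append("urgency")
    return flags


def is_suspicious(flags: list[str]) -> bool:
    """A lookalike sender is always escalated; otherwise a payment request
    combined with any other tell is enough to hold the mail for review."""
    return "lookalike_sender" in flags or (
        "payment_request" in flags and len(flags) >= 2)


# Constructed samples shaped like the two messages described in the article.
PHISH = Message(
    from_header='"Jane Doe" <jane.doe@notreagan.example.com>',
    to_addr="alexawards.chair@example.net",
    body="Are you available to complete an assignment on behalf of the Board, "
         "And get reimbursed? Kindly advise.")
FOLLOWUP = Message(
    from_header="someone.new@freemail.example",  # placeholder freemail sender
    to_addr="alexawards.chair@example.net",
    body="Would you help in paying a Merchant and get reimbursed? It's "
         "imperative. Send the remaining $2,980 via Zelle & CashApp.")
LEGIT = Message(
    from_header="R. Smith <r.smith@library.example.org>",
    to_addr="jane.doe@library.example.org",
    body="Agenda for Thursday's meeting attached.")

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("FOLLOWUP", FOLLOWUP), ("LEGIT", LEGIT)):
        flags = check_message(msg)
        print(f"{name}: suspicious={is_suspicious(flags)} flags={flags}")
```

The local-part comparison is deliberately strict: a display name can be anything, so the check keys on the part of the address a scammer copies from a public roster. In practice the contact directory would come from the organization's address book and the published-mailbox set from whatever the website actually lists.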

She ignored the message until another member of the committee reached out to her after responding to an identical message. The “assignment” turned out to be a textbook payment scam, and it came from a new email address—“presidentnewboxmailme [at]gmail.com”:

Would you help in paying a Merchant and get reimbursed by [name of the board’s financial chair]? [He] not available today due to health reasons, But promised a swift reimbursement before Friday. It’s imperative and it’s $6,980. I was able to sent out $4000 from my daily savings limit. Get back to me if you can send the remaining $2,980 via Zelle & CashApp. It concerns our YALSA’s 2020 Young Adult Services Symposium.

Knowing that Paula worked with the purported sender of the message, the recipient forwarded the message to her and asked, “Seems sketchy… has he been hacked?” Soon, others chimed in on a group chat that they had received similar suspicious messages.

No one fell for the phish.

Take the money and run

Zelle, CashApp, and other peer-to-peer payment applications have become a new favorite platform for financial scams. Unlike credit card payments, there’s little in the way of fraud prevention on these payment platforms—they’re like cash. Once a payment has been completed, there’s no real way to unwind it.

This attack—targeting members of a non-profit association—is just the latest wrinkle in that trend, borrowing the tactics, if not the precision, of big-dollar targeted attacks against corporations. “Whaling” attacks and similar “spear-phishing” operations target high-level executives or managers, using urgent messages to fool people with access to company funds into making wire transfers to a “vendor” because of some urgent matter or to expose information (such as employee W-2s) that can be used for other financial fraud.

Corporations have increasingly caught on to the scams—through a combination of training, better mail filtering, and controls over financial systems. But associations and other non-profit organizations—which may have both somewhat less money and somewhat less in the way of centralized IT—are now apparently being targeted because of their nature. They have very public websites as part of their mission outreach, filled with the names and email addresses of people willing to do many things for the organization’s mission—including reaching for their own wallets.

Given how much data is available about people’s contacts thanks to organizational websites, LinkedIn, Facebook, and other public Internet sources, these sorts of scams are likely to gain more popularity as others (such as the romance scams that cost victims over $200 million in 2019, according to the Federal Trade Commission) lose their effectiveness. Until Zelle, CashApp, and other peer-to-peer payment providers offer a way to help spot fraudulent accounts, they’ll continue to be a popular target.

If you need more tips on spotting these kinds of scams… just ask a librarian.
