A large-scale phishing campaign is using an unusual lure to earn at least $900,000 by tricking email recipients into believing they're about to receive a baby grand piano for free.
The campaign, discovered by email security firm Proofpoint, was launched in January 2024 and has distributed over 125,000 emails, mainly targeting North American university students and faculty.
There have been some cases of emails also targeting healthcare and food and beverage service providers.
The phishing emails sent to targets claim to be from a university professor sharing the news that, due to downsizing, a person named Dereck Adams is offering a 2014 Yamaha baby grand piano for free to those interested.
The message provides an email address to arrange inspection and delivery, and if contacted, the threat actors respond with a message purporting to come from the moving firm 'American Van Lines Movers Services.'
That second email contains touches of legitimacy, such as a reference number for the item, dimensions, and weight, and three delivery options.
The email also adds an element of urgency, stating that multiple people have shown interest in receiving the piano and advising that the first person to pay for delivery will receive it.
There are also clear signs of fraud, as the only payment options provided to the recipient are Zelle, PayPal, Apple Pay, Chime, and Cash App, making tracing and reversing the payment much more complicated than with traditional payment methods.
The cost of delivery ranges between $595 and $915, depending on the option, and while it's substantial, it's much less than the value of the particular piano, estimated to be between $9,000 and $13,000.
Although the tactic employed in these phishing attacks isn't innovative by any means, its earnings indicate it's very effective.
Additional investigation revealed that one of the fraudsters used a Nigerian IP address, making the researchers believe with high confidence that at least part of the operation is based in Nigeria.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 29 May 2024 18:15:04 +0000