A malicious email campaign is targeting students, faculty, and other professionals with piano scams. Since January 2024, over 125,000 emails have been sent offering free pianos under fabricated pretexts.
Responding to the emails leads to fake shipping companies that request upfront payment for delivery, while the promised piano does not exist. This is a classic example of an Advance Fee Fraud (AFF) scam, in which cybercriminals impersonate legitimate entities to trick victims into sending money.
The social engineering scam targets college communities, using free piano offers to trick victims into paying delivery fees for a nonexistent piano. The scammers collect money through methods such as Zelle, Cash App, and cryptocurrency while simultaneously gathering personal information.
The high volume of transactions and use of a single Bitcoin wallet with over $900,000 suggest multiple actors are running similar scams. The emails originate from freemail accounts with generic names and numbers, and the content varies slightly across campaigns.
Researchers engaged with fraud actors, persuading them to interact with a researcher-controlled redirection service, which captured at least one perpetrator’s IP address and device details.
After examining this data, they concluded with a high degree of certainty that a few of the fraudulent activities originated in Nigeria.
Advance Fee Fraud (AFF) utilizes social engineering tactics to trick victims into sending upfront payments. Perpetrators, often referred to as threat actors, fabricate scenarios like inheritances or business deals, promising a significant reward in exchange for a small initial fee.
The elaborate stories legitimize the request for the upfront payment, which is the sole purpose of the scam. Once the victim sends the money, the perpetrator ceases communication, leaving the victim with a financial loss.
An investigation by Proofpoint identified several indicators of compromise (IOCs) potentially linked to a malicious campaign, including sender email addresses used in March 2024, such as KentronPhillipsemail.24hrs@email[.]com, aldo[.]moran97@anahuac[.]mx, and others.
Additionally, a suspicious Bitcoin wallet address (17kE4HzqAiPxwoC7rqHwJHoPwAk2bV2hKU) and a reference number (ABCITY113) were flagged. Together these suggest potential phishing attempts or malware distribution campaigns that may have begun in March 2024.
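A mail-triage heuristic for the traits described above (freemail senders with numbers in the name, a free piano offer, a third-party delivery fee, Zelle/Cash App/crypto payment, and the flagged wallet and reference number), added here as an example and not Proofpoint's or this article's own code. The freemail domain list, keyword lists, weights and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators quoted in the article above, kept verbatim.
PAGE_IOCS = ("17kE4HzqAiPxwoC7rqHwJHoPwAk2bV2hKU", "ABCITY113")
# Assumptions for this sketch: freemail domains and lure vocabulary.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "email.com"}
FEE_TERMS = ("shipping", "delivery", "moving company", "movers")
PAY_TERMS = ("zelle", "cash app", "bitcoin", "cryptocurrency")
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # legacy base58 form

def body_text(msg):
    """Join all text/plain parts, handling single-part and multipart mail."""
    parts = (p for p in msg.walk() if p.get_content_type() == "text/plain")
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in parts)

def score_message(raw):
    """Return (score, reasons) for one raw RFC 5322 message string."""
    msg = message_from_string(raw)
    local, _, domain = parseaddr(msg.get("From", ""))[1].lower().partition("@")
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    lower = text.lower()
    checks = [
        (1, "freemail sender with digits", domain in FREEMAIL and re.search(r"\d", local)),
        (2, "free piano offer", "piano" in lower and re.search(r"\bfree\b|give ?away", lower)),
        (1, "third-party delivery fee", any(t in lower for t in FEE_TERMS)),
        (1, "peer-to-peer or crypto payment", any(t in lower for t in PAY_TERMS)),
        (1, "bitcoin address in body", BTC_RE.search(text)),
        (3, "indicator from the article", any(i in text for i in PAGE_IOCS)),
    ]
    hits = [(w, why) for w, why, hit in checks if hit]
    return sum(w for w, _ in hits), [why for _, why in hits]

# Constructed sample messages (not real campaign mail).
LURE = """From: Jane Doe <jdoe4471@gmail.com>
Subject: Free Yamaha baby grand piano

I am giving away my late husband's piano for free to a loving home.
Contact the movers to arrange delivery; they accept Zelle or Bitcoin. Ref ABCITY113.
"""
BENIGN = """From: Music Dept <music@university.example>
Subject: Piano recital Friday

Free admission for students. Doors open at 7pm.
"""
if __name__ == "__main__":
    print(score_message(LURE), score_message(BENIGN))
```

The benign recital notice still scores 2 on the "free piano" keywords alone, so an alerting threshold should require several independent traits rather than any single one.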