SBN

Spam Roulette: Stimulus-Themed Email Links to Multiple Spam Sites

Each Blox Tale will take a look at a targeted email scam and outline why it made its way into an inbox. In this blog, we’ll focus on an email attack that pretends to share information about an economic stimulus. Clicking the link in the email leads to a landing page that asks Yes/No questions, with each ‘Yes’ answer leading to a different spam site.

**Org mailboxes:** \~25,000

**Email security bypassed:** Exchange Online Protection (EOP), Microsoft Defender for Office 365

**Techniques used:** Social engineering, link redirects

## **The Email**

A few days ago, the Armorblox threat research team observed a stimulus-themed email attack attempt to hit one of our customer environments. This email was titled ‘RE: Stimulus Approval Notice’ and informed victims that they’ve been approved to receive $6,345 in financial assistance. The email directs victims to click a link to claim their stimulus as soon as possible.

A snapshot of the email is given below:

![Img](https://a.storyblok.com/f/52352/769×621/ef982f55c2/stimulus-scam-email-final.png)

**Fig: Email linking to spam sites under the guise of offering stimulus approval**

With millions still in the throes of the economic and social fallout from the coronavirus pandemic, people are eager to grasp at any straws of relief that can marginally improve their lives. By titling the email ‘RE: Stimulus Approval Notice’ and highlighting that readers would receive a non-trivial amount of money, cybercriminals exploit people’s anxiety and increase the likelihood that they will follow through on the call to action. The ‘RE’ in the title is included to make people buy into the email’s  faux legitimacy because a reader might think this is an ongoing email conversation (all our inboxes are full and we tend to make snap judgments like this out of necessity).

The email also induces urgency in readers by stating that they ‘must act quickly to claim aid’ before sharing the link to apparently do so.

## **Spin the Spam Wheel**

Clicking the email link is where the stimulus connection ends for this attack. Rather than following through on the subterfuge to steal money or data from victims, this scam steals employee time by leading to a landing page that branches out into multiple spam sites. The landing page starts off by highlighting the $6,345 economic assistance mentioned in the email. Clicking ‘Yes’ here leads to a spam site that’s not related to the economic stimulus that the email mentioned, but a site about grant programs for people wishing to go back to school.

![Img](https://a.storyblok.com/f/52352/1561×536/013fb6ea23/stimulus-spam-1-final.png)

**Fig: Landing page asking a Yes/No question (clicking ‘Yes’ leads to a spam site)**

However, clicking ‘No’ on the initial landing page keeps loading other questions and claims with the same Yes/No option being presented. These claims range from reducing auto loan premiums to earning thousands sitting at home – a veritable cavalcade of spammy boilerplates, each of them leading to a different site that wastes your time. The GIF below cycles through the different versions of the landing page.

![Img](https://a.storyblok.com/f/52352/1920×868/efa088b3fd/stimulus-scam-roulette.gif)
**Fig: There are many variants of the landing page, with each ‘Yes’ click leading to a different spam site**

Many of these sites ask for your name, email, and ZIP code, but phishing or cybercrime are not the objectives here. More likely, once you enter your details, you’ll get enrolled to receive a flood of new spam emails. Another possible endgame is just to get you to visit these sites – there are agencies tasked with increasing site visits for their clients and end up doing so by crook or by crooker.

![Img](https://a.storyblok.com/f/52352/1922×1078/5a0745921c/spam-roulette-pic.png)
**Fig: The initial landing page leads to a wide range of spam sites**

## **Guidance and Recommendations**

### **1. Augment native email security with additional controls**

This stimulus-themed email got past EOP on multiple user mailboxes, with an assigned Spam Confidence Level (SCL) of 1 or -1, which means either the email skipped past spam filters or EOP determined that it wasn’t spam. For better protection coverage against email attacks (whether they’re phishing, [business email compromise](https://www.armorblox.com/solutions/business-email-compromise/), or ‘smart spam’ emails like this one), organizations should invest in technologies that take a materially different approach to threat detection. Gartner’s [Market Guide for Email Security](https://www.armorblox.com/blog/gartner-releases-2020-market-guide-for-email-security) covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.

### **2. Watch out for social engineering cues**

Whenever possible, engage with emails related to money and data in a rational and methodical manner. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. *why is an email about economic stimulus being sent to my work account?*).

### **3. Follow 2FA and password management best practices**

The scam highlighted in this blog wasn’t a phishing attack, but the same techniques could have been used in a shopping-themed phishing attack. Since all workplace accounts are so closely interlinked, sharing credentials to one of your accounts can prove to be very dangerous as cybercriminals send emails in your name to your customers, partners, and loved ones.

If you haven’t already, implement these hygiene best practices:

* Deploy two-factor authentication (2FA) on all possible business and personal accounts.
* Don’t use the same password on multiple sites/accounts.
* Use a password management software to store your account passwords.
* Avoid using passwords that tie into your publicly available information (date of birth, anniversary date etc.).
* Don’t repeat passwords across accounts or use generic passwords such as your birth date, ‘password123’, ‘YourName123’ etc.

For more email security threat research, news, and industry guidance, sign up for email updates from Armorblox below.