• by Ray Schultz , Columnist, February 7, 2020

Let’s say you got an email from Spamhaus Project, the subject line saying, “Urgently Take Action.” You’d be a fool not to open it, given that Spamhaus runs spam block lists that can tie up your email, right?

Don’t do it. This email is part of a brazen new scam that uses the name of Spamhaus to distribute malware.

The scam was discovered by Proofpoint researcher Matthew Mesa, according to a report by Bleeping Computer.

The emails say, “Our software have discovered redirecting of a variety of spam letters of your own email address. Consequently, we have been forced to blacklist your email.”

Of course, any alert person can see through the email. For one thing, it’s ungrammatical, like most messages of its type. For another, it seems to concede that it may not even have your correct email address. 

“In case you pay no attention to this information, we could suppose that this email address doesn’t belong to you and it’s used for trash mailings,” the email says. “This just means, that we will be forced to include your e-mail address to our stop list. Which means that recipients will be unable to receive emails out of this address:  ; your email will be suspended forever.”

Far from being flagged as a spammer, you have yourself been spammed.

Here’s the payoff, however: if you follow the instructions on how to get off the block list, you will end up with Urnif malware, a data-stealing Trojan.   

People who fall for it might well share the lack of awareness documented by Proofpoint. In its study, 2020 State of the Phish, Proofpoint reveals that only 49% of U.S. workers can define phishing, versus a global average o 61%. Worse, nearly 30% think malware is a type of hardware that boosts WiFi signals.

It depends on age — Gen Xers and boomers are more likely to know what phishing is than younger people — but not smishing and vishing.

In another troublesome finding for network administrators most young people blur the line between work and home use on their work devices.

Moreover, 65% of U.S. companies suffered a successful phishing attack last year, and 60% a credential phishing attack — both higher than the global average. This is despite the fact that 95% of firms worldwide train employees on how to spot phishing attacks.

Overall, 86% were hit with Business Email Compromise attacks in 2019. 

Sounds like it has been a busy year for Spamhaus and Proofpoint both.