• by Ray Schultz , July 13, 2022

A new data extortion scam has been polluting inboxes with phony subscription emails for Zoho, MasterClass and Duolingo services. 

A report by Sygnia says that the Luna Moth scammers have been active since March, and has conducted a large-scale campaign over the last three months. Their goal is to deliver remote access tools that enable corporate data theft, according to Bleeping Computer. 

Some intended victims would receive an email that says, “Please be aware that your payment is due.

“Your newest monthly subscription for MasterClass will be considered active in the next we hours. This cooking master class subscription will be processed through automatic system with the bank account details you have stated. 

“If you have any problems with your subscription – please call us from 10 a.m. to 6 p.m. ET. 

Our customer service phone number can be found in the invoice attached. 

Best Regards,

Benito Aguilar

Zoho Master Class Inc Account Assistant

The email address used isL benito.aguilar.zohomasterclass@gmail.com 

“Luna Moth uses email addresses with names that impersonate the brands used in the phishing campaign,” Bleeping Computer writes. “Looking closer, the scam is obvious since the messages come from Gmail accounts.”

The invoices are obviously fake. Recipients who call the phone number reach the scammer, who directs them to install a remote access tool on their system.

“As seen from the modus operandi, Luna Moth is far from a sophisticated threat actor and the tool they use support this theory,” Bleeping Computer writes.

According to Sygnia, “the gang uses commercially available remote desktop solutions such as Atera, AnyDesk, Synchro, and Splashtop.”