“Batesian mimicry” is a brilliant form of evolution in the animal kingdom in which a harmless species evolves to closely resemble a poisonous one. Predators can’t tell them apart and avoid both the harmful and the harmless species. A perfect example is the very venomous coral snake and its harmless mimic, the king snake. Another is the monarch butterfly, poisonous to predators if eaten because of the milkweed plant it feeds on. The viceroy butterfly, which has evolved similar markings to the monarch, is harmless...and is also avoided by predators.
The reason for this biology lesson is that we have seen many different kinds of malicious emails in the last couple of weeks that share a similar characteristic. They can best be described as the OPPOSITE of Batesian mimics. These emails, noticeable by their simplicity and few words, look absolutely harmless. And yet, each is 100% malicious because of its intent or its malicious link. Let’s start with a bit of simple social engineering from “Dominic” using the subject line “for you” and a “laughing til you cry” emoji. The body reads “Is this the one that you meant,” followed by an oddball link to fxntsxe[.]pro. Once again, 2-letter country codes are important to notice: this email came from a server in Latvia. The link, of course, is malicious and leads to a malware infection.
This next malicious mimic has a brief story behind it. It appeared to be sent by a relative named Lindsay to her uncle. Except that her uncle, a long-time reader of our newsletter, recognized that the email address after her name was not her real email address! And that email came from a server in Brazil. “When you get a few minutes check it out. Hopefully you will appreciate it!” says someone pretending to be Lindsay.
The link, once again, is malicious.
This next malicious mimic was actually part of a recent spear-phishing campaign targeting the head of a small independent school in New England. This email, presumably from “Paul,” was sent to a former employee and said “I need a favour from you.” But the scammer who sent it thought the recipient was a current employee. (Also, notice the European spelling of “favour.” The sender was likely not born or raised in the U.S.) The former employee ignored the email after recognizing that it didn’t come from his former boss’s school email address. It came from the generic Gmail address “exdirector1005.”
A little more than two weeks later, that same former school employee received another email pretending to be from the same school Head. However, this time the email came from the Gmail address “schoolhead512.” (How original. **said with sarcasm**) We reached out to the Head of the school about these emails. Of course, he didn’t send them and has notified his community to be aware of the attempted fraud. In this fraud, the criminal will ask the victim to make a purchase or wire money in the name of the school.
We’ll leave you with one more malicious mimic that was sent to Doug from a name he recognized, “Howard.” Only it wasn’t Howard’s email address, making the link very suspicious. The link pointed to a domain, rsllope[.]info, that had been registered on the very day this innocent-looking email (“Something you should see!”) was sent. Zulu URL Risk Analyzer had no problem identifying the threat waiting at the end of that link.
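The tells in the stories above (a familiar name over an unfamiliar address, a free-mail account standing in for an organization, a sending server under an unexpected country-code TLD, and a link domain registered the same day the email went out) can be scripted as a first-pass screen. The script below is an added example, not code from The Daily Scam; every address, hostname, registration date and message in it is constructed, and the DOMAIN_REGISTERED_ON table stands in for a real WHOIS/RDAP lookup.

```python
"""Heuristic screening of 'looks harmless' emails for the sender and link tells above."""
from datetime import date
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed address book: display name -> the address that person really uses.
KNOWN_CONTACTS = {
    "Lindsay Example": "lindsay@family-example.invalid",
    "Paul Example": "head@school-example.invalid",
}

# Constructed stand-in for a WHOIS/RDAP lookup: domain -> registration date.
DOMAIN_REGISTERED_ON = {
    "family-example.invalid": date(2012, 3, 4),
    "school-example.invalid": date(2009, 8, 1),
    "fresh-link-example.invalid": date(2019, 5, 20),
}

FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
NEW_DOMAIN_DAYS = 30  # a link domain younger than this is treated as suspicious


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def sending_host(msg) -> str:
    """Hostname named in the first (most recent) Received header."""
    m = re.search(r"from\s+([A-Za-z0-9.-]+)", msg.get("Received", ""))
    return m.group(1).lower() if m else ""


def assess(raw_email: str, today: date, expected_ccs=("us",)) -> list:
    """Return a list of warning strings for one raw RFC 822 message."""
    msg = message_from_string(raw_email)
    flags = []
    name, address = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(address)

    # 1. Familiar display name, unfamiliar address (Lindsay / Paul / Howard pattern).
    known = KNOWN_CONTACTS.get(name)
    if known and known.lower() != address.lower():
        flags.append(f"display name '{name}' but address {address} is not {known}")
        if sender_domain in FREEMAIL_DOMAINS:
            flags.append(f"known contact impersonated from free-mail domain {sender_domain}")

    # 2. Last-hop server under a country-code TLD we do not expect mail from.
    host = sending_host(msg)
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if len(tld) == 2 and tld not in expected_ccs:
        flags.append(f"last-hop server {host} is under country code .{tld}")

    # 3. Links whose domain was registered very recently (or has no record at all).
    body = msg.get_payload()
    for link_domain in sorted(set(d.lower() for d in URL_RE.findall(body))):
        registered = DOMAIN_REGISTERED_ON.get(link_domain)
        if registered is None:
            flags.append(f"link domain {link_domain}: no registration record")
        elif (today - registered).days <= NEW_DOMAIN_DAYS:
            age = (today - registered).days
            flags.append(f"link domain {link_domain} registered {age} day(s) ago")
    return flags


# Constructed sample: familiar name, Gmail address, relay under .lv, same-day link domain.
SAMPLE_DATE = date(2019, 5, 20)
SAMPLE_EMAIL = """\
Received: from mail.constructed-relay.lv (mail.constructed-relay.lv [192.0.2.10]) by mx.family-example.invalid
From: "Lindsay Example" <lindsay.example.mail@gmail.com>
To: uncle@family-example.invalid
Subject: for you

When you get a few minutes check it out: http://fresh-link-example.invalid/view
"""

# Constructed sample that should pass: real address, own mail server, long-lived link domain.
CLEAN_EMAIL = """\
Received: from mail.school-example.invalid (mail.school-example.invalid [192.0.2.20]) by mx.school-example.invalid
From: "Paul Example" <head@school-example.invalid>
To: staff@school-example.invalid
Subject: newsletter

This week's news is at http://school-example.invalid/news
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, assess(raw, SAMPLE_DATE) or ["no warnings"])
```

Each warning is a tell the newsletter's readers spotted by eye; none of them alone proves an email is malicious, so the output is meant to prompt a closer look (or a URL scanner such as the one mentioned above) rather than to block mail on its own.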
Beware of these malicious mimic opposites!