Malicious email in a legitimate reply chain
Thread poster: Philippe Etienne
Philippe Etienne  Identity Verified
Spain
Member
English to French
Mar 19, 2021

Hello there,

I received an email from a contact name I knew from an agency I knew:
"Good day! Right here you could find all the essential paperwork on the agreement from 15/03: [Link to a ZIP file]
Could you please review and approve all material."

Incidentally, I had worked with that agency for the first time not long ago. I didn't really understand what they were on about, but I didn't really pay attention because BELOW WAS A SERIES OF EXCHANGES WE HAD A MONTH EARLIER about the project envisioned.

I therefore clicked the link to see what it was about, but Chrome displayed a page with a lot of red. Only then had I a closer look at the email to find out it was spoofed: the contact name was related to a weird email address, the wording was spam-like, and Indonesian and Iranian servers were in the email header, while the sender should have been from another country.

In fact the originating email account was hacked and email content got in the wild.

Up to now I didn't know that an email reply chain could be suspicious, but now I do.

https://www.webroot.com/blog/2019/04/03/hijacked-email-reply-chains/

Stay safe,
Philippe
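
Added example, not part of the original post: the checks Philippe describes (a familiar contact name on an unfamiliar address, unexpected servers in the header, a ZIP link sitting above a genuine quoted exchange) written as a small Python triage function. The sample message, the contact "Anna PM", every host and address, and the flag names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every name, host and address is made up.
SAMPLE = """\
Received: from mx.recipient.example by inbox.recipient.example; Fri, 19 Mar 2021 09:00:03 +0100
Received: from host7.unrelated.test by mx.recipient.example; Fri, 19 Mar 2021 09:00:01 +0100
From: "Anna PM" <qz81x@unrelated.test>
To: translator@recipient.example
Subject: RE: Project quote

Good day! Right here you could find all the essential paperwork:
http://files.unrelated.test/agreement.zip

> On 17 Feb 2021, Anna PM <anna@agency.example> wrote:
> Thanks for your quote, we will come back to you.
"""

def in_domain(host, domains):
    # Exact or dot-separated suffix match, so "xagency.example" does not pass.
    return any(host == d or host.endswith("." + d) for d in domains)

def reply_chain_flags(raw, contacts, own_relays):
    """contacts maps display name -> known address; own_relays lists your provider's domains."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    known = contacts.get(name, "").lower()
    flags = []
    # 1. Familiar display name on an address you have never dealt with.
    spoofed = bool(known) and addr.lower() != known
    if spoofed:
        flags.append("display-name-mismatch")
    # 2. Relay hosts in the Received trail outside the contact's and your own domains.
    hops = [m.group(1).lower() for h in msg.get_all("Received", [])
            if (m := re.match(r"\s*from\s+(\S+)", h))]
    allowed = list(own_relays) + ([known.split("@")[1]] if known else [])
    if any(not in_domain(hop, allowed) for hop in hops):
        flags.append("unexpected-relay")
    lines = msg.get_payload().splitlines()
    quoted = "\n".join(l for l in lines if l.startswith(">")).lower()
    fresh = "\n".join(l for l in lines if not l.startswith(">"))
    # 3. The genuine earlier exchange is quoted below, but it does not vouch for the sender.
    if spoofed and known in quoted:
        flags.append("quoted-thread-from-real-contact")
    # 4. The new text points at an archive download.
    if re.search(r"https?://\S+\.zip\b", fresh, re.I):
        flags.append("archive-link")
    return flags
```

Received lines below your own provider's hop are written by the sending side and can be forged, so "unexpected-relay" is a hint to look closer rather than proof either way.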

Mervyn Henderson (X)  Identity Verified
Spain
Spanish to English
Scary stuff Mar 19, 2021

Scary, Philippe, thanks. I'm so paranoid these days. Sometimes I get phone calls, and nobody says anything, just hangs up. Not a word. I mean, I'd almost prefer the heavy-breathing routine. I used to think it was Tom winding me up, but I'm pretty sure it isn't now. I did a few tests, you see: once I said "Haven't you got nothing better to do all day?", but there was no response to a vile, blatant, in-your-face double negative. On another occasion I said, "Hang on just a minute, will you, I'll be with you momentarily," and nary a correction.


Robert Forstag  Identity Verified
United States
Spanish to English
Variation of a common tactic Mar 19, 2021

Philippe Etienne wrote:

Hello there,

I received an email from a contact name I knew from an agency I knew:
"Good day! Right here you could find all the essential paperwork on the agreement from 15/03: [Link to a ZIP file]
Could you please review and approve all material."

Incidentally, I had worked with that agency for the first time not long ago. I didn't really understand what they were on about, but I didn't really pay attention because BELOW WAS A SERIES OF EXCHANGES WE HAD A MONTH EARLIER about the project envisioned.

I therefore clicked the link to see what it was about, but Chrome displayed a page with a lot of red. Only then had I a closer look at the email to find out it was spoofed: the contact name was related to a weird email address, the wording was spam-like, and Indonesian and Iranian servers were in the email header, while the sender should have been from another country.

In fact the originating email account was hacked and email content got in the wild.

Up to now I didn't know that an email reply chain could be suspicious, but now I do.

https://www.webroot.com/blog/2019/04/03/hijacked-email-reply-chains/

Stay safe,
Philippe


This is basically a variation on phishing via coopting a company name and logo.

One such instance of this (which I've received numerous times):

E-mail seemingly from PayPal containing official PayPal logo informing me that my account has been blocked, and instructing me to click on a link within the e-mail in order to update my account information. Superficially, it looks like a legitimate e-mail from PayPal. But when I look at the e-mail address, it is not from the "paypal.com" domain, but rather some long gobbledygook, like [email protected].

The lesson: Be wary of any e-mail informing you of bad news and requiring you to take immediate action.


Mervyn Henderson (X)  Identity Verified
Spain
Spanish to English
Just us? Mar 19, 2021

There seem to be so many scams reported here that I'm beginning to wonder if we're a soft touch. Did all these scammers get together at scammer board meetings and decide to target translators as a strategic objective because we're infinitely more gullible than, say, graphic designers?

Barbara Carrara  Identity Verified
Italy
Member (2008)
English to Italian
Mervyn Mar 19, 2021

Mervyn Henderson wrote:
I'm so paranoid these days. Sometimes I get phone calls, and nobody says anything, just hangs up. Not a word.


DO NOT ANSWER! NEVER, NEVER ANSWER!
(Think I'm showing an early-onset TiLitis. At this stage, I don't know yet whether it's curable or chronic.)

On a more serious note, I've been receiving calls from unknown numbers on a daily basis for quite a while. I simply ignore them, and suggest you do the same. That'll save you some headache, should they try to trick you out of your money and into their scamming schemes.

Did all these scammers get together at scammer board meetings and decide to target translators as a strategic objective because we're infinitely more gullible than, say, graphic designers?


Grrr...grrraphic designers, you said? Considering that one of them has just moved extremely fast up the ladder from getting 100USD a piece to selling his 'crypto-art' (huh!?) for nearly 70 million USD, I think we're in the wrong trade.

What's hilarious – to a point – about all this crypto-s**te is the vocab that is rapidly growing around it, like the name of the company that bought the 'thing' (I refuse to call that artwork), which is called Metapurse. One of the crypto-business partners' pseudonym is Metakovan, and it is their intention to now build a virtual museum, to make 'that thing' and other similar 'things' available in the Metaverse.
I find this whole thing not only scary, but extremely unsettling.
Brain. Is. Shutting. Down.
Brain. Refuses. To. Process.


Matthias Brombach  Identity Verified
Germany
Member (2007)
Dutch to German
"Suffering of... Mar 19, 2021

...TiLitis" (quote). Yes, but that doesn't involve receiving unknown phone calls. These are mostly the result of the so-called grandparent scam one may be affected by when reaching a certain age and when you have a quite old-fashioned surname*, assuming that you may already have reached an age where you are prone to give all your savings to relatives who are suffering an emergency (i.e. when they suddenly need a new Porsche and do not have enough cash at the car seller's counter). That's why I don't think it's always Tom who calls you, *Mervyn.


gayd (X)
Be careful Mar 19, 2021

Philippe Etienne wrote:

Hello there,

I received an email from a contact name I knew from an agency I knew:
"Good day! Right here you could find all the essential paperwork on the agreement from 15/03: [Link to a ZIP file]
Could you please review and approve all material."

Incidentally, I had worked with that agency for the first time not long ago. I didn't really understand what they were on about, but I didn't really pay attention because BELOW WAS A SERIES OF EXCHANGES WE HAD A MONTH EARLIER about the project envisioned.

I therefore clicked the link to see what it was about, but Chrome displayed a page with a lot of red. Only then had I a closer look at the email to find out it was spoofed: the contact name was related to a weird email address, the wording was spam-like, and Indonesian and Iranian servers were in the email header, while the sender should have been from another country.

In fact the originating email account was hacked and email content got in the wild.

Up to now I didn't know that an email reply chain could be suspicious, but now I do.

https://www.webroot.com/blog/2019/04/03/hijacked-email-reply-chains/

Stay safe,
Philippe


The attached file may contain a virus or a trojan horse. You shouldn't have opened it.


Adieu  Identity Verified
Ukrainian to English
Yes Mar 27, 2021

They might try to hijack any banking info or logins with saved payment information.... or just steal your social media logins to use bots to run up likes for youtube videos, post conspiracy crap, or troll the opposition of some less-than-democratic country.

 
Philippe Etienne  Identity Verified
Spain
Member
English to French
TOPIC STARTER
Paranoid enough Apr 20, 2021

Thanks all for your replies.

Three weeks ago, I had the opposite experience and nearly ignored a legitimate request: somebody contacted me through WhatsApp during the weekend, and I replied that I'd be back Monday. Come Monday, I searched and found the profile here (15+ years old), then sent them a message through proz.com. Although the phone number differs, it was actually them! I'd never been approached for work by WhatsApp, and I would have bet both my hands the request was fake.

Earlier that week, Nancy (IP from Senegal), with a profile created the same day here, asked me to contact her through a gmail address to discuss something. I reported it to proz.com support and found out that the profile was squashed. My profile was then visited by someone from Senegal.

Robert Forstag wrote:
...This is basically a variation on phishing via coopting a company name and logo...

I've also received phishing e-mails mimicking banking layout, but always totally unrelated to a previous exchange. The noticeable difference that caught me off-guard was reading my own blurb below the message, as if the discussion continued. I'd likely have exercised more caution if my eyes hadn't been busy browsing the discussion to refresh my mind.

David GAY wrote:
the attached file may contain a virus or a trojan horse. You shouldn't have opened it

Opening a file may have put me in real trouble, but I didn't get as far as the payload just clicking the link. According to literature, the zip contained Office docs with macros. Anyway, Google Chrome warned me before anything went off that that Iranian site was awfully unsafe and that proceeding was not recommended. From there I looked at the e-mail more closely.

Philippe