New “Sad Announcement” Email Scam Pretends to Be Tech Support to Compromise Systems

• Security researchers have identified a novel tech support scam campaign that uses emails as a distribution vector.
• The emails have spoofed sender addresses that impersonate contacts known to the target and use curiosity-provoking titles.
• Clicking through leads to short-lived websites that pretend the visitors’ machines are infected and allegedly need cleanup.

A new phishing campaign designed to exploit emotional vulnerabilities. Dubbed the "Sad Announcement" email scam, this campaign lures victims by suggesting their personal contacts have faced tragic circumstances, according to the newest security report from Malwarebytes.

It begins with an email titled "Sad announcement," followed by the full name of someone the victim knows. Often, the sender's address is spoofed, making it appear as though the email was sent by a family member, friend, or co-worker. The body contains a short, curiosity-provoking sentence referring to photos and includes a link that each victim is encouraged to click.

The email subject line may read “Sad announcement: [First name][Last name],” sometimes using "from" instead of a colon. The email links redirect victims through several domains, typically hosted on short-lived domains registered with NameCheap, making them difficult to investigate.

Much of the campaign appears to target the U.S., with activity also reported in Ireland, the UK, India, and Italy.

After clicking the link, victims are led through a series of redirects that terminate at malicious domains hosted on Azure Blob Storage. These domains emulate fake Windows Defender virus warnings, leveraging Malwarebytes’ detection names to suggest the victim’s system is inundated with security threats.

At this point, victims are subjected to a classic tech support scam. The scheme locks browsers or mobile devices to coerce victims into interacting further. 

Signs of such fake pages include fake virus alerts claiming severe infections, simulated file or folder views that appear to access system contents via the browser, and a lack of exit options, forcing user reliance on system restarts to regain control.

Users are advised to avoid clicking suspicious links in emails, even if they appear to come from trusted contacts, and verify sender authenticity by directly contacting the individual using a different communication method. 

If your browser freezes or displays fake virus alerts, exit the browser using task manager tools and do not engage with any prompts on the scam page. Restart the device if exiting the browser fails.

In other news, Google advertisements impersonating accounting software QuickBooks are still displayed. The Google Ads posts trick people into calling a fake phone number and back a backdoor with the genuine QuickBooks software.