Security Brief: Piano Scam Unveiled

Proofpoint uncovered a cluster of advance-fee fraud campaigns that lure recipients with piano-themed offers. The campaigns have been active since January 2024 and target colleges and universities in North America as well as other sectors. The schemes use fake shipping companies, upfront shipping payments, and multiple payment methods, including cryptocurrency, with a Bitcoin wallet handling substantial sums.

Key points

  • Proofpoint traces a cluster of advance-fee fraud (AFF) campaigns using piano-themed messages, active since January 2024 with at least 125,000 messages observed this year.
  • Primary targets include students and faculty at colleges/universities in North America; other sectors such as healthcare and food & beverages are also affected.
  • Lure revolves around a “free piano”; victims are instructed to contact a fake shipping company to arrange delivery.
  • The shipping company demands upfront money for shipping, with payments requested via Zelle, Cash App, PayPal, Apple Pay, or cryptocurrency.
  • The campaigns seek to collect personal data (PII) such as names, addresses, and phone numbers; at least one Bitcoin wallet address has accumulated over $900,000 in transactions.
  • Attribution: at least one perpetrator’s IP address and device information were identified, indicating Nigerian-based activity with high confidence.
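
The traits listed above (freemail sender, “free piano” lure, hand-off to a separate shipping contact, upfront fee via payment apps) can be combined into a mail-triage heuristic that separates the two stages of the scheme. The Python below is an added example, not Proofpoint's detection logic; the freemail list, the regular expressions, the function names and the three sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed freemail list for this example; extend it for your environment.
FREEMAIL = {"gmail.com", "outlook.com", "mail.com", "email.com"}
LURE = re.compile(r"\bfree\b.{0,80}\bpiano\b|\bpiano\b.{0,80}\bfree\b", re.I | re.S)
SHIPPING = re.compile(r"\b(shipping|delivery|movers?)\b", re.I)
PAYMENT = re.compile(r"\b(zelle|cash\s?app|paypal|apple\s?pay|bitcoin|btc|crypto\w*)\b", re.I)
ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def signals(raw):
    """Extract the campaign's traits from one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    # Addresses in the body other than the sender: the hand-off to the "shipper".
    others = {a.lower() for a in ADDR.findall(body)} - {sender}
    return {
        "freemail_sender": sender.rpartition("@")[2] in FREEMAIL,
        "piano_lure": bool(LURE.search(text)),
        "third_party_contact": bool(others),
        "shipping_terms": bool(SHIPPING.search(text)),
        "payment_app": bool(PAYMENT.search(text)),
    }

def classify(raw):
    """Return 'lure', 'fee_request' or 'clean'; no single signal is enough."""
    s = signals(raw)
    if s["freemail_sender"] and s["piano_lure"] and s["third_party_contact"]:
        return "lure"
    if s["freemail_sender"] and s["shipping_terms"] and s["payment_app"]:
        return "fee_request"
    return "clean"

# Constructed sample messages (not taken from the campaign).
LURE_MSG = ("From: A Sender <a.sender@gmail.com>\nSubject: Free piano\n\n"
            "I am giving away a piano. Contact the shipping company at "
            "dispatch@movers.example to arrange delivery.\n")
FEE_MSG = ("From: Dispatch <dispatch.desk@outlook.com>\nSubject: Delivery quote\n\n"
           "Shipping must be paid upfront. Send payment via Zelle or Cash App.\n")
CLEAN_MSG = ("From: Music Dept <music@university.example>\nSubject: Recital\n\n"
             "The spring piano recital is on Friday. Admission is free.\n")

if __name__ == "__main__":
    for name, raw in [("lure", LURE_MSG), ("fee", FEE_MSG), ("clean", CLEAN_MSG)]:
        print(name, classify(raw), signals(raw))
```

The third sample matches the “free piano” pattern on its own but is not flagged, because the sender is not a freemail account and no shipping hand-off is present.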

MITRE Techniques

  • [T1566] Phishing – The actor uses lure emails offering a “free piano” to entice responses. “Lure email purporting to be giving away a ‘free’ piano.”
  • [T1566.003] Spearphishing via Service – Freemail accounts and multiple email content variations are used to deliver the phishing. “Most of the campaigns include multiple variations on the email content and contact addresses.”

Indicators of Compromise

  • [Email Address] Sender Email – hamj6842@gmail[.]com, kentronphillipsemail.24hrs@email[.]com, brireedmoversse@outlook[.]com, dereckadamsprivatemail21@mail[.]com, kentronphillipsemail[.]24hrs@email[.]com, aldo[.]moran97@anahuac[.]mx, verocaress@gmail[.]com – Sender emails observed in March 2024
  • [BTC Wallet] Bitcoin wallet – 17kE4HzqAiPxwoC7rqHwJHoPwAk2bV2hKU, ABCITY113 – Active March 2024 with over $900,000 in transactions

Read more: https://www.proofpoint.com/us/blog/threat-insight/security-brief-sing-us-song-youre-piano-scam