Free Instruments Phishing Campaign
Scams
June 6, 2024
The NJCCIC recently received reports of a phishing campaign that was also identified by Proofpoint. The campaign involves malicious emails using piano or musical instrument-themed messages to lure people into advance fee fraud (AFF) scams. At least 125,000 messages associated with piano scam campaigns have been identified since January, primarily targeting students and faculty at North American educational facilities. Proofpoint noted that some healthcare and food and beverage organizations were also targeted.
The phishing emails claim that a staff member is giving away a piano and other musical instruments for free due to downsizing or moving. When a target replies, the threat actor instructs them to arrange delivery by contacting a shipping company via a fraudulent email address managed by the threat actors. The “shipping company” then claims they will send the piano if the recipient sends the money for shipping first.
Proofpoint reported that a single Bitcoin wallet address linked to this campaign currently holds over $900,000, although it is unknown whether all of those funds were accumulated from the “free piano” lure. Based on the volume of transactions, the variation in transaction amounts, and the overall amount of money associated with the account, analysts assess that multiple threat actors are likely conducting different types of scams simultaneously using the same wallet address. Proofpoint analysis also revealed that one of the cybercriminals used a Nigerian IP address, suggesting that at least part of the operation is based in Nigeria.
Recommendations
- Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails.
- Use strong, unique passwords and enable multi-factor authentication (MFA), choosing authentication apps or hardware tokens over SMS text-based codes.
- Reduce your digital footprint to reduce the likelihood of becoming a target for malicious actors.
- The Proofpoint blog post and the Better Business Bureau Scam Alert contain red flag indicators, additional recommendations, and technical analysis.
- Further recommendations to avoid victimization can be found in the NJCCIC products Don’t Take the Bait! Phishing and Other Social Engineering Attacks and Spotting a Spoofing.
For any further questions, contact us here at Cyber Command.