Proofpoint exposes AFF scammers’ piano gambit

A phishing campaign targeting, of all things, people who might be interested in buying a second-hand piano, may have netted the scam operation behind it over $900,000, according to researchers at email security specialist Proofpoint.

The email campaign seems to have started in January 2024, and is ongoing. It forms the precursor to an advance fee fraud (AFF) scam, a type of fraud usually targeting private individuals, rather than organisations, in which victims are offered money, products or services, offered the opportunity to take advantage of an incredible deal that never materialises, or asked for help retrieving funds from another country.

Generally, victims will be baited with elaborate stories into making a small payment – or advance fee – to receive the promised goods or services. Needless to say, once the victim has paid up, nothing ever materialises.

They are generally run by financially motivated cyber criminals, and due to the fact so many of them seem to originate from Nigeria, are often known as 419 scams, after the relevant section of Nigerian law that deals with such matters.

They often exploit current concerns and events, which at first glance makes the use of such a specific lure somewhat unusual. However, wrote the Proofpoint team, comprising Tim Kromphardt and Selena Larson, there may be some specific targeting at play.

“Most of the messages target students and faculty at colleges and universities in North America, however other targeting of industries including healthcare and food and beverage services was also observed,” they wrote. “Proofpoint observed at least 125,000 messages so far this year associated with the piano scam campaigns cluster.

“In the campaigns, the threat actor purports to offer up a free piano, often due to alleged circumstances like a death in the family,” they continued. “When a target replies, the actor instructs them to contact a shipping company to arrange delivery. That contact address will also be a fake email managed by the same threat actor. The ‘shipping company’ then claims they will send the piano if the recipient sends them the money for shipping first.”

The criminals request payment via multiple options, including the likes of Apple Pay, Cash App, PayPal or Zelle, or in cryptocurrency, and also try to collect the victim’s personal data, such as their mailing address or mobile phone number.

Kromphardt and Larson said they had identified at least one Bitcoin wallet used in the campaign by the scammers, which contained close to a million dollars, although they pointed out that the wallet is likely being used in the pursuit of more than one scam.

The original emails tend to comprise similar text with small variations each time, and originate from free webmail accounts, such as Google Mail.

The researchers were able to trick one of the criminals into interacting with a redirect service they controlled, and during the course of the conversation were able to identify both their IP address and device information, as well as firm up links with cyber criminals operating in Nigeria.

“Proofpoint has previously published research on AFF campaigns using a variety of different themes to entice recipients to engage with them, including employment opportunities targeting university students and cryptocurrency fraud,” wrote Kromphardt and Larson.

“In all cases, AFF relies on elaborate social engineering and the use of multiple different payment platforms. People should be aware of the common techniques used by threat actors and remember that if an unsolicited email sounds too good to be true, it probably is.”