WARNING: Phishing attempt targeted at substack users
Read and learn this attack vector. You could be next
Please read and share the following information about phishing hack attempts directed at substack users and writers.
ACTIONS
Please comment/reply if you have received or know of others who have received the same or similar hack attempt. The hackers are likely to be working for one of a few possible individuals or groups.
Please tell substack if you have been attacked like this.
Mark the email as spam and report it as spam/phishing to your email provider and any security suite or service you use for them to analyse.
Don't open the attachment. Please comment either way: whether your email scanner identified the type of payload, or whether it did not.
Phishing Email
Hackers are targeting substack users with a specific, deliberate email-delivered hack that is based on substack and Twitter.
This method is likely to have been employed against other substack users or writers. Most likely, the attack is directed at substack writers who have ended up on the radar of whomever the hackers work for, as a result of their writing/interaction via Twitter or other social media.
Email Format
The sender's display name is “accountspayable@substack.com”. Because email clients show the display name in the message list, that address appears where a real name such as “Edward Slavsquat” would normally be shown.
The sender's actual email address in this attack was “accountpayables@prog-survey.jp”. That address belongs to the prog-survey.jp domain (https://prog-survey.jp/), which currently hosts a home page in Japanese with strange info about artificially inseminated people.
The email subject was “Proof of Payment Due Remittance Overseas payment-ZA9823165OT99960 Ref#32108 - July 26, 2023”.
The email’s body only reads:
NOTICE: The information contained in this message is proprietary and/or confidential and may be privileged. If you are not the intended recipient of this communication, you are hereby notified to: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. -------------------------------------------------------------------------
The email has an attachment whose filename is the entire Subject line, so long that an email client cannot display the whole name. The file was a .bin file.
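As an added example, not code from the original post, here is a small Python script that checks a raw message for the two tells described above: a display name shaped like an address at a different domain than the real sender, and a risky attachment whose over-long filename copies the Subject line. The sample message is constructed from the post's description (the attachment bytes are a harmless placeholder, not the real payload), and the benign message, the extension list and the 60-character length threshold are assumptions for the example.

```python
import os
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the post's description. The attachment
# bytes are a harmless placeholder, not the real payload.
SAMPLE_EMAIL = """\
From: "accountspayable@substack.com" <accountpayables@prog-survey.jp>
To: writer@example.com
Subject: Proof of Payment Due Remittance Overseas payment-ZA9823165OT99960 Ref#32108 - July 26, 2023
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

NOTICE: The information contained in this message is proprietary and/or confidential.

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Proof of Payment Due Remittance Overseas payment-ZA9823165OT99960 Ref#32108 - July 26, 2023.bin"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed benign message for comparison (assumed, not from the post).
BENIGN_EMAIL = """\
From: "Jane Doe" <jane@example.com>
To: writer@example.com
Subject: Hello
Content-Type: text/plain; charset="utf-8"

Just checking in.
"""

# Assumed list: types a payments department would never send unannounced.
RISKY_EXTENSIONS = {".bin", ".exe", ".scr", ".js", ".vbs", ".lnk", ".iso", ".img"}
MAX_FILENAME_LEN = 60  # assumed threshold; most clients truncate beyond this


def analyse_message(raw):
    """Return the real sender domain and a list of phishing indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # parseaddr splits "Display Name" <addr@domain> into its two halves.
    display_name, address = parseaddr(str(msg["From"] or ""))
    addr_domain = address.rpartition("@")[2].lower()

    # Tell 1: a display name that looks like an address at some other domain.
    if "@" in display_name:
        name_domain = display_name.rpartition("@")[2].lower()
        if name_domain != addr_domain:
            findings.append(
                f"display-name spoof: name claims {name_domain}, "
                f"real sender domain is {addr_domain}"
            )

    subject = str(msg["Subject"] or "").strip()

    # Tell 2: a risky attachment type with a filename built to overflow the list view.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        stem, ext = os.path.splitext(filename)
        if ext.lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type {ext.lower()}: {filename[:40]}...")
        if len(filename) > MAX_FILENAME_LEN:
            findings.append(f"over-long attachment filename ({len(filename)} chars)")
        if subject and stem.strip() == subject:
            findings.append("attachment filename copies the Subject line")

    return {"sender_domain": addr_domain, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        result = analyse_message(raw)
        print(label, result["sender_domain"], *result["findings"], sep="\n  ")
```

The domain comparison is the part worth keeping: a client's list view shows only the display name, so the script reads the real address from the From header and reports the mismatch rather than trusting what the list view presents.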
Possible sources of attack
Originating via Twitter activity/interactions.
Pro-Ukrainian groups including Ukrainian government agents and/or a NAFO group who broadcast on Twitter.
Agents connected to EcoHealth Alliance.