Spam serves up health service legal disclaimers…and job offer

Here’s a peculiar set of emails with an origin point tracing back at least 9 years. These missives claim to be from well-known health organisations / services / global pharmaceutical companies, while trying to sign random recipients up to…something entirely unrelated to health or pharmaceuticals, as it turns out.

Let’s take a look at a recently received mail, which claims to be from someone working for the UK’s NHS (National Health Service):

There’s no email body content – just a boilerplate legal disclaimer notice, the kind of thing you’d normally expect to find at the end of an organisation’s email. The actual content, so to speak, is directly placed into the subject line:

Com. Agent needed reply via wlm(dot)parker40ATgmail(dot)com for details

A touch enigmatic, but we do have one other example from 2015. As with the above, the health angle is at play – the mail claims to be from Hospira and is another boilerplate disclaimer in the body with this in the subject line:

FW: Serialization of proposal send email to : wlm(dot)parker22ATgmail(dot)com with your fullnames,phone no.,postal address for info call:+44[snip]

Quite the random mystery, then. Although the Gmail address itself doesn’t yield any useful information, we obtained a response from the wlm address for your perusal:

You want *what*?

Thank you for your interest to learn more about the position of Credit Collection Representative for our company. We are into sales of chandeliers, lighting and lamps, our products are sold to more than 50 countries and regions. Our products enjoy high reputation in the world for its high quality and competitive price. The Credit Collection job is a job from home and a part-time job where you will responsible for collection of past due accounts from customers any where in Europe. As a Credit Collection representative to our company, you will be on a straight monthly salary of €2,000.00 and a 10% commission for each payment received on behalf of our company in Europe. If you are interested with the Job, forward to us your details below so we can send it to our legal department to prepare the Contract / Memorandum of Understanding between you and the company.

Full Names: Full Address: Date of Birth: Nationality: Company Name: Present Occupation: Position: Mobile Phone: Tel:

Thank you.

William Parker Marketing director Teikoku Trading Ltd

…lamps? That’s not exactly the health service related experience I was expecting. Snippets of the second email text lead us to a thread going way back to 2007. For whatever reason, it seems scammers are really fond of misusing the name of this Teikoku company – here are 7 examples of free webmail services being used alongside their company name. At some point, the focus shifted from oil to lighting / fixture sales, with 4 examples from 2014 in the comments section of that blog post, and another Teikoku Tradings mail from 2015. Additionally, one of them claims to be based in Hong Kong.

We’re not quite sure of the logic behind starting off with health service legal disclaimers and moving onto furniture sales, but either way this is definitely something recipients should avoid getting tangled up in. It sounds very similar to a classic money mule scam, where the victim is used as the so-called “middleman” to send money from and to various groups of scammers. They vanish into the night and the victim is liable to get into all sorts of legal trouble – not good!

It appears that at least some of these emails are being flagged as spam by various mail providers, so with any luck there’s a low chance of you seeing one of these in your day to day activities. Even so, one may slip through the net and that’s where a little bit of advance knowledge – and a large “Delete Now” button – will come in extremely handy.
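The subject-line pattern quoted earlier, a contact address hidden behind "(dot)" and "AT" while the sender claims to be a health organisation, is something a mail filter can check for. The Python below is an added example, not code from the original post: the function names, the webmail list, and the sample sender and body text are assumptions constructed for illustration; only the subject line comes from the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed, non-exhaustive set of free webmail domains.
WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

DOT = re.compile(r"\s*[(\[]\s*dot\s*[)\]]\s*", re.I)        # (dot) or [dot]
AT_BRACKET = re.compile(r"\s*[(\[]\s*at\s*[)\]]\s*", re.I)  # (at) or [at]
# Bare upper-case "AT" is matched case-sensitively so words like "data" are ignored.
ADDR = re.compile(r"([A-Za-z0-9._+-]+?)(?:@|AT)([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
PLAIN = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def hidden_addresses(subject):
    """Addresses that appear in the subject only after de-obfuscation."""
    plain = {a.lower() for a in PLAIN.findall(subject)}
    text = AT_BRACKET.sub("@", DOT.sub(".", subject))
    found = {f"{local}@{domain}".lower() for local, domain in ADDR.findall(text)}
    return sorted(found - plain)


def flag_lure(raw_message):
    """Hidden webmail contacts in the subject that do not match the From domain."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return [a for a in hidden_addresses(msg.get("Subject", ""))
            if a.rpartition("@")[2] in WEBMAIL
            and a.rpartition("@")[2] != sender_domain]


# Constructed sample: the subject is the one quoted in the post; the sender
# and the body text are made up.
LURE = (
    "From: Health Service Staff <staff@health.example>\n"
    "Subject: Com. Agent needed reply via wlm(dot)parker40ATgmail(dot)com for details\n"
    "\n"
    "This message may contain confidential information...\n"
)
# Constructed control: a plainly written address on the sender's own domain.
BENIGN = (
    "From: Billing <billing@example.org>\n"
    "Subject: Quarterly UPDATE, questions to billing@example.org\n"
    "\n"
    "Invoice attached.\n"
)

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, flag_lure(raw))
```

A hit here is a signal to combine with others, such as a body that contains nothing but a legal disclaimer, rather than a verdict on its own.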

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.