Emails with the subject line “Private Message” invite recipients to click a link to read a private message supposedly sent from the email address of one of their contacts.
The emails are scams designed to steal webmail login details and to trick users into participating in online survey scams and visiting websites that contain malware. The stolen information is used to hijack email accounts. The hijacked accounts are then used to send further “Private Message” scam emails to people on the account holder’s address list.
Subject: Private message
[Email address removed] sent you a private message.
Private message [Link removed]
This deceptively simple scam campaign tries to draw in potential victims by claiming that they have received a private message. The scam emails consist of nothing more than a brief message claiming that a specified email address has sent a private message. The emails include a link that recipients can click to access and read their private message.
However, the link does not open a private message. Instead, it opens a fake webmail login page that asks users to sign in with their User ID and Password. The information submitted on the fake sign-in form will be sent to scammers and may later be used to hijack the victim’s real email account.
Submissions indicate that, once people have fallen for the ruse and submitted their login details, their email accounts are then used to send the same “Private Message” scam emails to all of the people on their contact lists.
After users have signed in via the fake page, they are then taken to another website that tries to entice them into participating in various surveys or offers in exchange for “free” prizes such as iPads or laptop computers. Many of the bogus “survey” pages claim that users must provide personal information, including name, address and contact details, before they are eligible to receive any prizes.
Others will claim that users must submit their mobile phone number before they can claim any gifts or enter any prize draws. However, many users may not realize that by providing their mobile phone number they are actually subscribing to a very expensive SMS “service” charged at several dollars per message received.
No matter how many offers or surveys they complete, or what services they subscribe to, victims will never receive their promised free gift or even a genuine competition entry. The scammers who create these bogus promotions will earn commissions via suspect affiliate marketing schemes each and every time a victim completes an offer or participates in a survey. Victims may also be faced with large phone bills for unwanted mobile phone services and, because they have provided name and contact details, they may be inundated with unwanted promotional emails, phone calls and junk mail.
In some cases, the victims may also be directed to compromised websites that harbour various types of malware.
The scam campaign, although seemingly simple in execution, may actually be quite effective. Many online services do send automatic “Private Message” notifications via email. People who have received legitimate private message emails in the past may, therefore, be more inclined to click the bogus link in the scam message without due caution. Moreover, because the scammers use previously hijacked accounts to send their messages, recipients may genuinely believe that the “Private Message” email was sent by someone they know and trust.
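As an added illustration (not part of the original post), the Python heuristic below checks a plain-text message for the template described above: the “Private message” subject, the “X sent you a private message” line quoting the hijacked sender’s own address, a body that contains nothing beyond the template, and a link whose domain is not the sender’s. The sample messages, addresses and hosts are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages; the addresses and hosts are made-up placeholders.
SAMPLE_SCAM = """From: Alice Example <alice@example-webmail.test>
Subject: Private message

alice@example-webmail.test sent you a private message.
Private message http://webmail-signin.example.invalid/login
"""

SAMPLE_LEGIT = """From: Notifications <noreply@forum.example.test>
Subject: Weekly digest

Hi Bob, here is your weekly digest of forum activity.
Read it here: https://forum.example.test/digest/latest
"""

CLAIM_RE = re.compile(r"([\w.+-]+@[\w.-]+)\s+sent you a private message", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def registrable_domain(host: str) -> str:
    # Crude two-label approximation; a production filter would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def score_private_message_lure(raw: str) -> dict:
    """Match a plain-text message against the 'sent you a private message' template."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    subject = (msg.get("Subject") or "").strip().lower()
    from_addr = parseaddr(msg.get("From") or "")[1].lower()
    claim = CLAIM_RE.search(body)
    claimed = claim.group(1).lower() if claim else ""
    links = URL_RE.findall(body)
    sender_domain = registrable_domain(from_addr.split("@")[-1]) if "@" in from_addr else ""
    # The lure's link points at a credential-harvesting page, not the sender's webmail provider.
    offsite = [u for u in links
               if registrable_domain(urlparse(u).hostname or "") != sender_domain]
    # Template-only bodies: strip the claim line and URLs and count what is left.
    leftover = URL_RE.sub("", CLAIM_RE.sub("", body))
    leftover_words = len(re.findall(r"[A-Za-z]{3,}", leftover))
    indicators = {
        "subject_is_private_message": subject == "private message",
        "claim_line_present": claim is not None,
        "claim_matches_sender": bool(claimed) and claimed == from_addr,
        "link_offsite": bool(offsite),
        "template_only_body": leftover_words <= 3,
    }
    hits = sum(indicators.values())
    return {"indicators": indicators, "hits": hits, "suspicious": hits >= 4}
```

The threshold of four indicators is an assumption chosen so that a legitimate notification that happens to share one or two traits is not flagged.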
This campaign is very similar to another phishing attack that I reported on in April 2012. The earlier campaign consisted of emails containing only a link asking people to click to view attached photographs, videos or messages. Again, those who clicked the links were taken to a fake webmail login page and then redirected to survey scam and malware websites.
If you receive one of these emails, do not click on any links that it may contain.