Email indicating that someone you know has died; tech support scam possible

It’s time to go through the newsletter of Malwarebytes, and this is the first story I have read.

In this story, instead of telling you to click on links to view a supposed funeral, they’re sending pictures and very interesting web pages which, when I read the names, sounded very suspicious.

Apparently, this has been going around since at least February, as a Tweet which was linked tipped off the author to how long it was going on.

The pattern of the Sad announcement email

The image is a screenshot of an email. It shows an exchange with date and time details, sender’s and recipient’s names obscured. The subject is “Re: Sad announcement from [L…].” The body mentions a hyperlink and a quote by Anatole France: “To imagine is everything, to know is nothing at all.”
The subject may be: Sad announcement:

The colon could be replaced with the word from in some cases.

Remember when I referenced the fact they may send photos? They actually don’t attach them, they will send you to a web page to supposedly share the photos with you. They may also get you with the fake tech support scam here too, and that’s just known in this industry as scareware.

An email may look like what’s quoted below.

“When you open them you will see why I actually wanted to share them with you today”

“Never thought I would want to share these images with you, anyways here they are”

“I’m presuming you should remember these two ladies, in that photo”

“When I was looking through some old folders I found these 3 pics”

“it wasn’t initially my plan, but I had to change my mind about it”

“Two pictures that I wanted to share with you. They’re likely to bring a flood of memories to you, as they did to me…”

“Probably should have contacted you a little bit earlier. Anyways just wanted to keep you updated”

The links are following some sort of pattern, but it does include a link attached to the message.

They may look like the following:


The bad part about this is that the domains may only be active for days at a time. And if my suspicion is correct even before I read it, it would do some redirecting.

First of all, I would never click on a link that told me that you were sharing photographs of someone who apparently died with me. I know that the sighted community is more visual, and this is their target, but I would be very suspicious of the link. These domains sound to me using access technology as gibberish, and I’m not interested personally to go and find out what the hell you’re trying to get me to click on.

Per typical fashion, the scammer’s name could be of someone you know, but the address does not belong to them, but is spoofed. So if Nick as the example were to send me such a note, it’d have his name, and a different address than the one I have on file. example Nicholas Jackson with the address as the example.

As written by the author:

Malwarebytes Browser Guard blocks the Tech Support scammers site

If you use Malwarebytes, this domain has been blocked. Here’s what that looks like by the browser.

For those who read by text, the basic thing you need to understand is that the browser will tell you it’s blocked the page and that you could enter data on it. There’s a continue, go back and an option not to see the alert anymore. Only! proceed if you are curious with the understanding that you’re looking around. You can always back out by closing the browser without getting yourself in trouble.

The article continues:

The blob.core.windows.net subdomains are unique identifiers for Azure Blob Storage accounts. They follow this format:

[account-name].blob.core.windows.net

Where [account-name] is the name of the specific Azure Storage account. Spammers like using them because the windows.net part of the domain makes them look trustworthy.

If you go to windows.net, it redirects you to this web page which talks about building with the .net framework for various operating systems like Windows, Mac and others. This is why the domain may be taken seriously by users and of course, with the domains redirected wherever the scammer wants, this makes it very enticing to just click.

Fake Threat Scan results using Malwarebytes detection names

This could make it much more credible.

A website showing a fake Quick Scan of your system showing Threats found

Remember these? These particulars could in fact lock you out of using the machine, although Ctrl+Shift+Esc should bring up the task manager where you can in fact kill the browser.

Funny enough the site claims to be Windows Defender, but uses Malwarebytes’ detection names. For example: Microsoft does not detect the Potentially Unwanted Program which Malwarebytes detects as PUP.Optional.RelevantKnowledge.

Anyway, the website quickly takes up the entire screen, so you have to click or hold (depending on your browser) the ESC button to get back the controls that allow you to close the website.

What should you end up doing about it?

There’s plenty. First, if you know a telephone number or a way to reach out to the person being targeted with the message saying they’re gone, reach out to them. Also, I would compare the address being used and the address that you have on file.

Always run the link through a service like Expand URL and VirusTotal. These services will tell you about redirections, where they go, and VirusTotal will tell you how many scanners find it problematic.
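The two checks above (compare the sender’s address with the one you have on file, and look at where the redirects end up) can be scripted. This is an added example, not code from Malwarebytes or from this post; the `CONTACTS` address book, the sample message and the storage account name are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: your own address book, display name -> address you have on file.
CONTACTS = {"nick example": "nick@example.org"}

# "Sad announcement:" or "Sad announcement from ...", with optional "Re:" prefixes.
SUBJECT_RE = re.compile(r"^(re:\s*)*sad announcement(:| from\b)", re.I)
# Azure storage account names are 3-24 lowercase letters and digits.
BLOB_RE = re.compile(r"^([a-z0-9]{3,24})\.blob\.core\.windows\.net$")

def triage(raw_message):
    """Return the reasons a message matches the pattern described in the post."""
    msg = message_from_string(raw_message)
    reasons = []
    if SUBJECT_RE.search(msg.get("Subject", "").strip()):
        reasons.append("subject")
    # A display name you know, paired with an address that is not the one on file.
    name, addr = parseaddr(msg.get("From", ""))
    on_file = CONTACTS.get(name.strip().lower())
    if on_file and addr.lower() != on_file:
        reasons.append("sender-mismatch")
    return reasons

def blob_account(url):
    """Return the storage account name if the URL's host is an Azure Blob host."""
    host = (urlparse(url).hostname or "").lower()
    m = BLOB_RE.match(host)
    # The account name is chosen by whoever created the account; only the
    # windows.net suffix is Microsoft's, so the host says nothing about trust.
    return m.group(1) if m else None

# Constructed sample message (not a real capture).
SAMPLE = """\
From: Nick Example <contact@mailer.example.net>
To: you@example.org
Subject: Re: Sad announcement from Nick Example

Two pictures that I wanted to share with you.
"""

# Constructed redirect chain, as a URL expander might report it.
CHAIN = ["https://short.example.net/a1",
         "https://constructedacct01.blob.core.windows.net/web/index.html"]

if __name__ == "__main__":
    print(triage(SAMPLE), [blob_account(u) for u in CHAIN])
```
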

If you run an Antivirus program and it’s as up to date as possible, then it could alert you if something is not right, but as we recently heard, don’t! use Windows Defender unless that’s all you have. I understand if you don’t.

While the article bulleted these, I’m writing this out as something I’d do. The third and fourth items are going to be combined and talk about not calling the phone number in email or web communication. I talked about that, and I want to raise this point home. Always contact the person through channels you have. That’s the fourth item within this section.

There’s more to this article that you should read including what to do if you’ve paid the scammers, and things I’ve talked about including getting out of the web page.

The article is titled “Sad announcement” email implies your friend has died and it is one of multiple articles we’re going to cover from this Malwarebytes newsletter we’ve recently gotten for Monday, November 25, 2024.

Please stay safe!
