“Love You” Phishing Emails Arrive in Time for Valentine’s Day

Curiosity kills the spam email recipient. Promises of wealth or romance written into a subject line can be difficult to ignore, simply out of curiosity. “Maybe Citibank did find some money that they owed me.” “Maybe those Russian women really do want to meet me.” Sure. The current spam email that is building its curiosity attack arrives with a variety of subject lines, which, according to researchers, include the following.

love subject

The email itself has no text. It only contains an attachment which has the following pattern.

Love_You_ (string of 6 to 8 numbers)-2019-txt.zip

The scammers seem to want the receiver to think this is a zipped text file. In fact, it is a zipped JavaScript file. The attachment will be around 43kb, and here’s what will happen if your curiosity takes you to the next step.

Opening the infected file releases malware which sends out requests for more malware from a variety of http websites. Among the malware downloaded will be one that enslaves your device to mine Monero cryptocurrency. This will, in effect, slow your computer to a crawl, but it doesn’t end there.

The worse malware infection will come from the dangerous GandCrab Ransomware, which I have previously written about. In short, this malware can encrypt all of your files and then demand a ransom payment in Bitcoins. You will be guided as to how to install the Tor Browser in order to visit the following information page.

tor info

Interestingly, the malware in the Love You scam, according to the example given in a report from the Internet Storm Center, was programmed to seek out a USB drive to install itself on. This would enable it to spread to any other devices the USB may subsequently be connected to.

In addition to the above, the Love You malware installs the Phorpiex Botnet. This botnet often works as a GandCrab distributor, so any infected device will be used to distribute the malware to whatever is connected to its network. Recently, GandCrab has been given the added ability to seek out corporate networks through endpoints, yet another reason for strong endpoint security. It also appears that the operators of the botnet are targeting large enterprises in wealthy nations to maximize their profits.

In my opinion, this malspam attack, which was first discovered in late November, 2018 is still in the development phase. It is just too primitive in its current form, relying, as it does, only on a provocative subject line and an appropriately named attachment. Here are possible improvements to look for in the future.

As it now stands, the email sender’s name is not known to the recipient. This alone gives it a phishy aura. Imagine, however, if this came from someone the victim knows, such as a friend on Facebook. Wouldn’t any normal person be curious about a purported love letter from someone that they knew? It would certainly increase the possibility of the attachment being opened.

Another problem with the email is that it has no message and only has an attachment. This is probably due to the inability of the scammers to write decent English; a problem that undermines most, but not all, phishing emails. Last year about this time, criminals using the Necurs botnet sent love-themed phishing emails containing pictures of attractive Russian women who claimed to be living in the U.S. In such a case, the victims would overlook any bad English, after all, they were not native speakers and they looked good besides. Keep in mind that the believability of the sender increases in proportion to their physical attractiveness. That said, the English in these emails was quite acceptable. In addition, in this attack, the criminals set up fake Facebook pages with a little more information on these lonely Russian women, such as the one below.


The sheer volume of emails sent by botnets makes it possible for them to fool enough curious individuals to make money. The Necurs botnet sent out over 200 million spam emails before Valentine’s Day last year. Here is a graph of these spam emails as uncovered by IBM X-Force.

necurs spam

An additional weak point in the current campaign is the attachment. As a JavaScript file, it will have a .js extension which might make people wary of opening it. The unique character of the .js file, however, is that the victim does not need to open it to release its payload. Simply downloading it might be enough.

Last year’s attack probably tried to use an extortion technique to get money. The criminals likely asked for compromising photos from the victims and then told them these photos would be made public unless they were paid.

My guess would be that the current Love You campaign may take some guidance from last year’s playbook, especially if the current ploy is not netting them enough victims. For the moment, the Love You campaign is not attacking Gmail addresses, but that could change. If you have an email account from the following services, however, be careful. The number indicates the number of compromised accounts.

attack domains

I’m not sure if these emails are making into inboxes. They may just be directed into your spam folder. But, that doesn’t really matter. The point is to get you interested in the subject line, abandon normal caution, and open the inviting attachment. Sadly, you will find no love there.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s