Archive for Scam

An Extortion Phishing Email Of A Different Sort

Posted in Commentary with tags on April 17, 2026 by itnerd

For years, I’ve been covering extortion phishing emails, which follow a rather predictable pattern.

  • Some “hacker” claims to have bypassed your security
  • They have caught you watching “adult content”
  • They have proof that they will send to your friends and family unless you pay them in Bitcoin

Today I am going to detail something a bit different. My honeypot captured this email early this morning:

Now this kind of fits the pattern of other extortion emails that I have reported on. But what makes this different is the use of Grafana in the email. This is a company that does visualization and analysis of metrics, logs, traces, profiles, and beyond. Which means that if you are using their products, you can spot problems more easily because those problems surface more easily.

This is the first time that I have seen something like this, which means other threat actors might try the same thing. What I am thinking is that the threat actors are using Grafana’s name to try and give themselves some legitimacy. I guess I kind of stuffed that by going public with this. And I am going to stuff it some more by alerting the company to the fact that their name is being used like this.

Other than that, this is your typical extortion email. There’s nothing new or different here. If it were not for the fact that the threat actors used the name of Grafana, it would almost not be worth reporting on. But it illustrates how far threat actors will go to steal your money.

My advice when it comes to these emails goes something like this:

  • You’ll note that you’re never named by your actual name in emails like this. That should be a big hint that this is a scam.
  • Never reply to the email as it will either result in telling the threat actor that your email is live, or the email might bounce.
  • If you see this or any email like it hit your inbox, delete it and go on with your life.
  • If you are the least bit paranoid about a threat actor getting into your computer, have a computer professional check your computer over. They likely won’t find anything, but at least you will be able to sleep better at night.

Happy Friday!

This Attempt By A Scammer To Steal Your Identity Is Simply Laughable

Posted in Commentary with tags on March 2, 2026 by itnerd

A reader of this blog sent me an email over the weekend that made me burst out laughing because of how laughably bad it was. Let me show you the email so that you can see for yourself:

First of all, the email that is sent from is clearly not from the FBI:

That alone should make you delete it the second that it hits your inbox. But the rest of the email should make you delete it instantly as there is no way that Kash Patel, who runs the FBI, is going to email you directly asking you to send him your details. If this were from the FBI, they would already have your details. Which likely explains why the recipient of this email isn’t named explicitly.

What this email is attempting to do is to get people to hand over their details for use in some sort of identity theft scam. I am also guessing that it is attempting to target someone who has fallen for a scam in the past, as those people tend to be re-victimized about 40% of the time from what I’ve read. Regardless, this is pretty lame and laughable. Not as lame and laughable as this scam involving former Canadian Prime Minister Stephen Harper from many years ago. But still lame and laughable.

Anyway, this is a bit of a laugh to start your Monday morning.

My Wife Discovered A 407 ETR Email Scam Last Night

Posted in Commentary with tags on February 9, 2026 by itnerd

Now many readers would assume that because my wife hears about yours truly having to deal with clients who almost get scammed or do get scammed, that my wife would be well equipped to avoid scams. And to be fair, she’s likely better equipped than most. The fact is that she was led to the discovery of a new 407 ETR scam that is clearly active.

Last night my wife asked me if I had taken the 407 ETR recently. Now, for those who don’t live in Ontario, the 407 ETR is a toll road that runs across the greater Toronto area from Burlington in the west to Clarington in the east. I sometimes take it if I want to avoid traffic on Highway 401 and if it is convenient to do so. But it isn’t an everyday occurrence. Now when I do take it, I try to dump some money into our 407 account to make sure that she doesn’t have to pay for anything. But I will admit that I am not consistent about doing that. Which is likely why she asked about this.

Now when she told me the dollar amount that was owing, that was a red flag for me. It was $9.95. There are only two or three clients that I would contemplate using the 407 ETR to get to or from their location. And any of those locations would be $20 or more in tolls and associated fees. That’s when I asked her to show me the email and I saw this:

Now this is a very, very convincing email that would make you think that this was legitimate. But it isn’t. Here’s why:

  1. There is no mention of my wife’s name or account number. That’s a #fail because companies who send you bills will always refer to you by name or account number.
  2. Looking closely at the sent address and recipient address, I see this:

The “to” address was my wife’s email account. But the “reply to” address didn’t come from the organization that runs the 407 ETR, as that would have ended in @407etr.com. Next, if you look at the “from” field, you see this:

This is clearly not from the organization that runs the 407 ETR. Plus, if you look at the link that is referenced in the email, you get this:

The real 407 ETR website is http://www.407etr.com, which highlights that this is a scam email.

Now my wife did not click on any links, but as a precaution we changed the password that’s associated with the account to keep the account safe. But I did go to the link and found a page which was clearly created to steal your credit card details. And on top of that, it looks like the same threat actors sent her two additional emails with different dollar amounts over the last two weeks. I find that interesting because this campaign seems hyper targeted. Perhaps it is related to this data breach from 2020? Who knows. But my wife took the right actions and avoided falling for this scam, and those actions are not to click anything and to question everything. And I am doing my part by putting this story out there so you don’t fall for this scam either, seeing as it is clearly an active campaign.

FBI Says Hackers Stole $262M by Impersonating Bank Staff

Posted in Commentary with tags on November 25, 2025 by itnerd

The FBI has warned that cyber criminals are impersonating staff at financial institutions to steal money or information in Account Takeover (ATO) fraud schemes. Since January 2025, the FBI Internet Crime Complaint Center (IC3) received more than 5,100 complaints reporting ATO fraud, with losses exceeding $262 million.

Details can be found here: https://www.ic3.gov/PSA/2025/PSA251125

Jim Routh, Chief Trust Officer at Saviynt, commented:

“The large majority of ATO accounts referenced in the FBI announcement occur through compromised credentials used by threat actors intimately familiar with the internal processes and workflows for money movement within financial institutions. The most effective controls to prevent these attacks are manual (phone calls for verification) and SMS messages for approval. The root cause continues to be the accepted use of credentials for cloud accounts despite having passwordless options available.”

If you want to protect yourself from a scam like this, this link will help: Learn about the phony bank investigator scam

PayPal Users Targeted in Account Profile Scam 

Posted in Commentary with tags on September 4, 2025 by itnerd

Researchers have uncovered a new PayPal phishing scam in which the scammers successfully spoof PayPal’s email address and use the email subject line of “Set up your account profile”.

Details can be found here:  https://www.malwarebytes.com/blog/news/2025/09/paypal-users-targeted-in-account-profile-scam

Here’s the TL;DR:

The sender address service@paypal.com (sometimes the emails come from service@paypal.co.uk) looks legitimate because it is, but the scammers have spoofed the address.

Basically, when someone sends an email, their computer tells the email system what address to show as the sender. Scammers take advantage of this by using special software or programs that let them type in any “From” address they want. This technique is called spoofing. The scammer sends their email through the internet, and since most email systems aren’t strict about checking this information, the fake sender address is displayed just like a real one would be.

So it’s hard for the everyday user to tell if the email has been spoofed or not.

Ensar Seker, CISO at cybersecurity threat intelligence company SOCRadar, commented:

“At first glance, it may appear like just another scam, but it highlights a growing sophistication in how attackers weaponize trust, familiarity, and urgency. What stands out in this case is the use of email spoofing combined with psychological pressure, a classic one-two punch. Spoofing the sender address to mimic PayPal adds a false sense of legitimacy, while the alarming message about a nearly $1,000 unauthorized charge triggers panic. This kind of emotional manipulation is exactly what makes phishing so effective: it hijacks the victim’s instinct to act before thinking. The attackers also cleverly obscure their tracks by using odd recipient addresses and distribution lists, likely to bypass simple recipient verification and to cast a wider net. That detail alone suggests this wasn’t a one-off email but a scaled campaign, which raises the stakes for detection and response.

From a technical standpoint, these types of threats bypass many traditional security controls, especially if there’s insufficient email authentication in place like lacking proper SPF, DKIM, and DMARC configurations. Organizations must ensure those protocols are correctly implemented to prevent spoofed emails from ever landing in inboxes.

On the user side, education remains vital. Even though the visual layout of the phishing email imitates PayPal’s design, a trained eye can spot the inconsistencies. But let’s be clear, users shouldn’t have to carry the burden of being the final line of defense. We need to build systems that assume attackers will get through and are resilient enough to stop damage downstream. We also need to treat email security as part of a broader threat intelligence operation. That’s why real-time visibility into spoofed domains, impersonation attempts, and phishing infrastructure is essential, not just for defense, but for proactive disruption.”

Organizations need to make sure that they are using DKIM, DMARC and SPF because it makes scams like these way less effective. The reason is that emails like these will end up either deleted or in the junk folder, which means that you won’t be a victim. Hopefully the message gets through that this is no longer optional or a nice to have.
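The checks a mail gateway or a suspicious recipient can run on both kinds of email in this archive, the 407 ETR one (sender and link domains that are not 407etr.com) and this spoofed PayPal one (a genuine-looking From that fails SPF, DKIM and DMARC at the receiving server), look like the Python below. It is an added example, not code from this blog, Malwarebytes or PayPal; the three messages are constructed samples, the `.example` domains are placeholders, and the `Authentication-Results` header is the one a receiving mail server adds after it has evaluated the sender.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

def addr_domain(header_value):
    """Domain part of a From/Reply-To header ('' when absent or malformed)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def belongs_to(host, brand_domains):
    """True if host is one of the brand's own domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in brand_domains)

def parse_auth_results(header_value):
    """spf/dkim/dmarc verdicts from the Authentication-Results header that the
    receiving mail server adds after evaluating the sender."""
    verdicts = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", str(header_value or "").lower()):
        verdicts.setdefault(m.group(1), m.group(2))
    return verdicts

def triage(raw_message, brand_domains):
    """Return the red flags found in one message; an empty list means none."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    # 1. Do the visible sender and any Reply-To really use the brand's domain?
    from_dom = addr_domain(msg.get("From"))
    if not belongs_to(from_dom, brand_domains):
        flags.append(f"From domain '{from_dom}' is not a {brand_domains[0]} domain")
    reply_dom = addr_domain(msg.get("Reply-To"))
    if reply_dom and not belongs_to(reply_dom, brand_domains):
        flags.append(f"Reply-To domain '{reply_dom}' is not a {brand_domains[0]} domain")
    # 2. Did the receiving server's SPF/DKIM/DMARC checks actually pass?
    verdicts = parse_auth_results(msg.get("Authentication-Results"))
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech, "none") != "pass":
            flags.append(f"{mech} verdict is '{verdicts.get(mech, 'none')}'")
    # 3. Do the links in the body stay on the brand's domain?
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for url in dict.fromkeys(re.findall(r"https?://[^\s\"'<>]+", text)):
        if not belongs_to(urlparse(url).hostname, brand_domains):
            flags.append(f"link leaves the brand domain: {url}")
    return flags

# Constructed sample: the From is the genuine service@paypal.com, but the header
# the receiving server added shows the spoof failing SPF, DKIM and DMARC.
SPOOFED_PAYPAL = """\
From: PayPal <service@paypal.com>
Subject: Set up your account profile
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=paypal.com;
 dkim=none; dmarc=fail (p=reject) header.from=paypal.com
Content-Type: text/plain; charset=utf-8

Please review the charge at https://paypal-review.example/login
"""

# Constructed sample in the style of the 407 ETR email: the attacker's own
# look-alike domain authenticates perfectly, so only the domain checks catch it.
ETR_LOOKALIKE = """\
From: 407 ETR <billing@407etr-notices.example>
Reply-To: support@407etr-notices.example
Subject: Outstanding toll balance of $9.95
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=407etr-notices.example;
 dkim=pass header.d=407etr-notices.example; dmarc=pass header.from=407etr-notices.example
Content-Type: text/html; charset=utf-8

<p>Pay now: <a href="https://407etr-notices.example/pay">Pay my balance</a></p>
"""

# Constructed sample of a message that passes every check.
LEGIT_PAYPAL = """\
From: PayPal <service@paypal.com>
Subject: Your receipt
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/plain; charset=utf-8

View this transaction at https://www.paypal.com/activity
"""

def run_examples():
    """Triage the constructed samples; returns {name: list of flags}."""
    paypal = ["paypal.com", "paypal.co.uk"]
    return {"spoofed_paypal": triage(SPOOFED_PAYPAL, paypal),
            "lookalike_407": triage(ETR_LOOKALIKE, ["407etr.com"]),
            "legit_paypal": triage(LEGIT_PAYPAL, paypal)}

if __name__ == "__main__":
    for name, flags in run_examples().items():
        print(name, "->", flags or ["no red flags"])
```

The look-alike sample is the caveat worth remembering: SPF, DKIM and DMARC only prove that a message came from the domain it claims, so a scammer's own registered domain passes all three and the sender and link domain checks are what catch it.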

UPDATE: Roger Grimes, Data-Driven Defense Evangelist at KnowBe4 had this comment:

“Any time a scammer can use a legitimate site or service to send an email that is coming from that legitimate domain, it’s a problem. The popular advice of hovering over a link to inspect it before responding and performing the requested action fails. That’s why KnowBe4 teaches users two easy signs to look out for to detect a potential scam, and neither involves inspecting links or trying to determine if the site or service involved is legitimate. Our two-step recommendation is this: If you receive an unexpected message (no matter how received) and it’s asking you to do something you’ve never done before, research the request using an alternate trusted method (don’t rely on any contact or URL information in the original message) before performing the requested action. Any message with these two traits (unexpected and asking you to do something new) is at higher risk for being a scam than a message that does not have those two traits. So, while a message with those two traits might be legitimate, users need to recognize that any message with those two traits are at a higher risk than other messages and needs to be researched more before performing.”

A New And Dangerous #Scam That Uses The Names Of Rogers & The CRTC To Further The Scam Is Making The Rounds

Posted in Commentary with tags on July 16, 2025 by itnerd

It appears that a new scam involving Rogers is making the rounds. And it uses the CRTC to get you to fall for the scam. Here’s the scam:

  • You get a phone call from a number that starts with 416-935-xxxx
  • When you pick up the phone, the scammer will claim to be someone from Rogers calling on behalf of the CRTC.
  • They will have some basic information about you or a relative, and claim that a suspicious SIM activation has been traced back to you or a relative.

Now the person who got this call hung up as they clued in that it was a scam. Thus I do not know what their endgame was. But here are some random thoughts based on what was told to me.

First of all, the CRTC has nothing to do with investigating “suspicious” SIM activations. In fact they don’t really investigate much at all. If you want to see what the mandate of the CRTC is, click this link. But what the scammers are counting on is that you don’t know what the CRTC actually does and fall for the scam.

Second, the scammers are spoofing a phone number that starts with 416-935-xxxx. Why is that important? Using a random number may result in someone either not answering the call, or hanging up very quickly. But using 416-935-xxxx makes the call appear to come from Rogers because that is the local phone number of Rogers HQ in downtown Toronto. And more importantly, it will appear in a Google search. Meaning that they are counting on the fact that, at worst, you will Google the number, see that it comes back to Rogers, and be more likely to fall for the scam. That’s assuming you don’t recognize the number immediately and just get sucked into the scam as a result.

Third, the fact that the scammers have some basic information about you implies that this is a targeted attack via customer data belonging to Rogers making its way into the hands of scammers. I’ve personally experienced something like this before. And what it tells me is that Rogers really needs to investigate the handling of their customer data as this is the second time that I have seen scammers utilize Rogers customer data to try and scam their customers.

This is really dangerous as I can see people easily falling for this scam. As I said earlier, I don’t know what the endgame of these scammers is, but it can’t be good for you. Thus if you get a call that fits this description, your best course of action is to hang up and move on with your life.

Hackers Impersonate CNN, BBC Sites to Promote Investment Scams

Posted in Commentary with tags on July 16, 2025 by itnerd

Researchers from Malwarebytes have uncovered a large campaign impersonating news websites, such as those from CNN, BBC, CNBC, News24, and ABC News, to promote investment scams:

Here’s how the scam works:

  1. The scammers buy ads on Google and Facebook, which follow a similar pattern along the lines of “Shocking: [Local Celebrity] backs new passive income stream for citizens!”
  2. If you click the link, you’ll be taken to a website that looks like one of the major news outlets, and which will tell you about a breakthrough investment strategy.
  3. The article will encourage you to sign up for a program that will earn you money without having to lift a finger. You sign up by providing your name, email address, and phone number.
  4. A friendly advisor (scammer) calls you about the opportunity, referencing the article and explaining how it all works.
  5. You’ll be told that to start off you’ll have to make a small deposit (around $240) and then you will see your investment grow (on the fake trading platform).
  6. Your friendly advisor urges you to invest more to increase your return. And it keeps on growing, until you want to cash in, when you’ll find there are extra fees to pay, problems with account verifications, and all sorts of delays.
  7. When it dawns on you that you’ve been had, your entire investment and all the fees you paid are gone. Also gone is your friendly advisor who has sold your details to another scammer, to squeeze the last dollars out of the ordeal.

Erich Kron, Security Awareness Advocate at KnowBe4, commented:

“Trust is a big factor when deciding where to invest your hard-earned money, so bad actors work hard to find ways to trick us into believing what they offer is legitimate. The use of well-known and trusted national or global brands to promote their schemes is certainly a part of this, but they are also able to mimic local celebrities and then, using the targeted power of advertising on places like social media or Google, can really change the game.

“The advancement of tools such as AI for doing automated research into trusted people in local communities, then creating deepfakes using their likeness has really made this a serious threat. They will commonly fake investment sites that show huge returns on investments that you have made through them but are in reality just designed to get you to keep pumping money into these fictitious investments. A person may test the waters with $100, see that they’ve made $1000 from that, and be convinced into putting thousands more into the investment, only realizing it’s gone south when they try to get their money.

“It’s important for people to do research on any investments they are considering, and to carefully check the URLs of any websites they may consider investing with, and doing some research related to the investments they are pushing. Education is critical for people to avoid falling victim to these very crafty attackers.”

I tell people who ask me about how to avoid scams to treat everything and everyone with suspicion. That’s because scams have become so dangerous, you need a certain amount of paranoia to stay safe. And as Andy Grove wrote, just because you’re paranoid doesn’t mean that they’re not chasing you.

Fraudsters Abuse Google Forms via Phishing to Steal Logins

Posted in Commentary with tags on April 23, 2025 by itnerd

According to researchers, fraudsters are abusing Google Forms via phishing campaigns that steal email logins. You can read more here: https://www.welivesecurity.com/en/scams/how-fraudsters-abuse-google-forms-spread-scams/

Here’s the TL;DR:

Malicious actors are always looking for ways to add legitimacy to scams and evade email security filters. Google Forms offers a great opportunity to do both. It is favored by cybercriminals because it is:

  • Free, meaning threat actors can launch campaigns at scale with a potentially lucrative return on their investment
  • Trusted by users, which increases the chances of victims believing that the Google Form they’re being sent or redirected to is legitimate
  • A legitimate service, meaning that malicious Google Forms and links to malicious forms are often waved through by traditional email security tools
  • Easy to use, which is good for users but also handy for cybercriminals – meaning they can launch convincing phishing campaigns with very little effort or prior knowledge of the tool

Cybercriminals also take advantage of the fact that Google Forms communications are encrypted with TLS, which may make it harder for security tools to peer in and check for any malicious activity. Similarly, the solution often uses dynamic URLs, which may make it challenging for some email security filters to spot malicious forms.

Roger Grimes, data-driven defense evangelist at KnowBe4, commented:

“All public services like Google Forms, need to be better at defeating phishing attempts that use their product. I think most people can easily come up with a dozen signs that they can easily see in a message that indicates a scam. These services need to be doing more to fight cybercriminals using their products to conduct scams. Because they don’t, it causes trust issues and lessens the value of those products. Each of these services will tell you that they are already spending a bazillion dollars and lots of resources to fight scammers, but they simply aren’t doing enough. They are letting the revenue they are making by being bad at spotting cybercriminals get in the way of them better detecting and spotting scammers. It’s a business decision. One that isn’t being made correctly by many service providers and it’s unfortunate.”

This isn’t the first time that I’ve seen Google Forms used for nefarious purposes. And to Google’s credit, when I’ve reported a dodgy form, they’ve been quick to take it down. But it often pops up again in hours or days. I am not sure how Google addresses this, but they do need to address it.

E-ZPass toll payment texts return in massive phishing wave 

Posted in Commentary with tags on April 7, 2025 by itnerd

An ongoing phishing campaign impersonating E-ZPass and other toll agencies has surged recently, with recipients receiving multiple iMessage and SMS texts designed to steal personal and credit card information. This scam is not new, with the FBI warning about it in April 2024 and Highway 407 warning about it in March.

Commenting on this is James McQuiggan, Security Awareness Advocate at KnowBe4:

“Mobile phishing campaigns are becoming more common, as cybercriminals are impersonating companies like E-ZPass in a very believable way by telling people that they have unpaid tolls. Cybercriminals prey on a person’s heightened emotions to encourage behaviors that can be harmful if acted upon. Whenever a text message seems urgent and arrives unexpectedly, it is important to always remember to verify the validity of the message before taking any requested action. Instead of clicking on the link provided in the text message, instead go to the known valid website of the sender first and double check that the information provided is accurate. Always stop and think before acting, especially if the message seems urgent.”

My advice is if you get one of these texts, don’t click on anything. Then stop, take a pause, and think about it. Keep in mind that it is highly unlikely that you will receive a text like this without you being identified by name. Furthermore, it is also highly unlikely that any organization will reach out to you in this manner. If you do that, it is highly unlikely that you will be victimized.

One Of My Clients Got Hit With A SIM Swap Attack… Here’s What Happened

Posted in Commentary with tags on April 4, 2025 by itnerd

I was at a wedding in Niagara On The Lake with my wife last weekend when I got a series of iMessages from a client of mine. He first said that his email inbox was being flooded with all sorts of garbage email. As in hundreds of them. He asked if he could stop them from coming in and I texted back discreetly that no he couldn’t and that I would call him later.

Fast forward about two hours and I get another series of iMessages from the same client saying that he got a phone call from one of Canada’s “big three” telcos that his account had an issue and they would have to take his cell phone offline for 24 hours to resolve it. That immediately got my attention as that is not how any of Canada’s cell phone providers, “big three” or otherwise, behave. Since the actual ceremony was over, I texted a friend who is married to a person who holds a significant position in the telco in question to confirm that I wasn’t delusional. Which that person did. At the same time, I noted that the iMessages were coming from his iCloud account as opposed to his cell phone number. That confirmed that he was the victim of a SIM Swap Attack.

Now I went down the rabbit hole of what a SIM Swap Attack is here. But here’s the TL;DR:

SIM stands for Subscriber Identity Module. That’s telco speak for the chip that goes inside your phone to allow you to get cell phone service. Your cell phone number is associated with that SIM and what the threat actor is going to try and do is to either trick a telco employee into moving your number to a SIM that they control, or have an accomplice inside the telco who will help them move your number to a SIM that they control.

And:

So in short, a SIM swap attack is a means for a threat actor to take control of your number to get access to two factor authentication codes that allow the threat actor to take control of anything from social media accounts, to bank accounts, to crypto wallets. That’s because two factor authentication codes are often sent by text message. And since the threat actor is unlikely to get direct access to your phone, taking over your SIM is the next best option.

I told the client to phone the telco and confirm that they didn’t make the phone call, and then have them take action to regain his phone number and account. Which he did. I also told him to start phoning his banks and credit card companies to try and get ahead of whatever this threat actor was up to, as well as change all his passwords. Which mirrors this advice from the article that I linked to. Now I didn’t have my MacBook Pro with me, so I wasn’t able to investigate this until the next day via a remote session with the client. But my belief was the email issue and the SIM Swap were connected. And it didn’t take long for me to prove that.

What the threat actor had done is used some sort of automated process to sign my client up to hundreds of email based distribution lists. That in turn sent hundreds of emails that flooded his inbox. Now you’re likely wondering why they would do that. The answer is that they were trying to cover up what they were really up to. Once I cleared out all that “noise”, I found that they were trying to attack his Zoom accounts. Why I do not know. But I also noticed that someone had also applied for a credit card with a $20,000 credit limit with Canadian Tire, which is a big retailer in Canada. Finally, the threat actors changed the password on his telco’s online account. I knew that because the notification about the password change showed up via email. I changed his password to a new one and looked through his account because I was thinking that the threat actors might have tried to order a phone shipped to an address where they could collect it and ship it elsewhere for resale. Thus I advised him to phone his telco to confirm that this had not happened.

My advice to him at the time was to call Canadian Tire’s financial services and stop that credit card from being issued, and to continue to change the passwords for any and all online accounts. Finally, I advised him to sign up for credit monitoring and report this to the Canadian Anti-Fraud Centre. I then made an appointment with him to see him the next day.

I followed up with him and he had taken the following actions:

  • Signed up for credit monitoring
  • Reported this to the Canadian Anti-Fraud Centre
  • Reported this to his bank and credit card company. Of interest, the credit card company cancelled his credit cards and issued new ones. The bank took no action as they didn’t see anything suspicious.
  • He had phoned his telco and confirmed that no account changes had been made and nothing had been ordered via his account.
  • Interestingly, Canadian Tire Financial Services phoned him to say that someone had tried to sign up to a credit card in one of their stores, and then tried to buy thousands of dollars worth of product. He shut that down immediately. But it implies that the goal of this SIM Swap Attack was identity theft followed by retail theft.

Now while I was there, I helped my client to not only change his banking password as he was having difficulty doing that, but enable push notification based two factor authentication. I did that because a SIM Swap Attack relies on the target having two factor authentication codes coming over text message. If they come via push notification, then a SIM Swap Attack would be totally ineffective as those notifications are not connected to the SIM. In fact, I encourage anyone who reads this to see if you can move any two factor authentication codes to push notifications as a means to mitigate an attack like this should it happen to you.

Now you might be noticing that I am not naming the Canadian telco in question. That’s because after he reported this to the Canadian Anti-Fraud Centre, I got a number of calls from them, and then a police agency that I will also not name. In short, this situation is now part of a larger investigation into a SIM Swap gang that seems to be operating inside a couple of provinces in Canada. And the police agency also told me that there might be insiders that work for the telco that he deals with. If that’s true, I’ve seen this before here. And that caught my attention because my first thought was that they might have asked him to provide them with access to his online telco account via the PIN number that gets emailed every time you try to log in or reset the password. But when I looked for that in his email, I did not see any evidence that he received such an email. The only thing that I saw was the email that said that his password was reset. The other odd thing that caught my attention was that he reported that when he got the call from the threat actor pretending to be an employee of the telco in question, the woman at the other end of the line knew him by name and phoned his cell phone directly. Now I have experienced this personally here with a threat actor pretending to be Rogers who knew my wife’s name and who was trying to get me to sign on to a great deal with a free phone. Which I knew to be a scam immediately. So it doesn’t surprise me that this might be the case with the telco in this incident. I do have a follow up with him in the next day or two, so I will see if I can try again to confirm that he played no part in the SIM Swap Attack by providing any information that helped the threat actors.

This is likely not going to be the last that I am writing about this incident. Thus I would suggest that you stay tuned for updates if and when they come. And just to make it clear, there are things that I can’t talk about regarding this, so please understand if I cannot answer all your questions. But if you do have questions, I will answer them as best as I can.