Fraudulent Social Security Statements Exploit Users to Deploy Remote Access Tools
Fake emails impersonating the U.S. Social Security Administration (SSA) are being used in a campaign to trick victims into installing ScreenConnect, a remote access tool.
This operation has been identified and analyzed by our research and customer support teams.
ScreenConnect, previously known as ConnectWise Control, serves as a remote support platform widely adopted by businesses for IT support and troubleshooting purposes. Through this software, technicians can remotely access users’ computers to perform essential tasks such as software installations, system configurations, and issue resolutions.
Those same capabilities mean that anyone who gets a ScreenConnect session onto your computer without your consent can operate it as if they were sitting at the keyboard: running commands, transferring files, and installing further malware, all without you noticing.
In the hands of cybercriminals, then, ScreenConnect is a serious threat. A phishing group named Molatori abuses it by luring victims into downloading the ScreenConnect client through emails that pose as messages from the SSA:
“Your Social Security Statement is now available. Thank you for choosing to receive your statements electronically. Your document is now ready for download:
– Please download the attachment and follow the provided instructions.
– NOTE: Statements & Documents are only compatible with PC/Windows systems.”
We have seen several variations of this email, but all of them are styled to look authentic.
The link included in the email directs the recipient to a malicious executable file disguised under various misleading names like PLACEHOLDERf1aa0f7e09683d13 or PLACEHOLDERda5578dbc1b81dfa.
Once the client is installed on the target's machine, the criminals have immediate access to sensitive information such as banking details, personal identification numbers, and confidential documents, which they can exfiltrate for identity theft and financial fraud, the Molatori group's primary interests.
There are several factors that complicate the detection of this campaign:
– The phishing emails are sent from compromised WordPress sites, so the sending domains look legitimately registered rather than freshly created for the campaign.
– The email text is often delivered as an image rather than as text, which sidesteps filters that inspect the message body for keywords.
– ScreenConnect itself is legitimate software; what makes it dangerous here is how it is used, so its mere presence on a system is not by itself a malware indicator.
Recommended Precautions
When receiving unsolicited emails, consider the following precautions to avoid falling victim to phishing scams:
– Confirm the email’s source through an independent channel (the sender’s official website or a phone number you already have), not through any link or contact detail in the message itself.
– Refrain from clicking on links until their safety is verified.
– Avoid opening downloaded files or attachments until their legitimacy is established.
– Use a current and effective anti-malware solution.
– If you suspect an email to be fraudulent, extract a name or text from the message and perform a search to identify any associated phishing reports.
Protection for Users
Our systems will recognize suspicious instances of the ScreenConnect client as RiskWare.ConnectWise.CST.
Additionally, we block connections to related domains, including:
– atmolatori[.]icu
– gomolatori[.]cyou
– molatoriby[.]cyou
– molatorier[.]cyou
– molatorier[.]icu
– molatoriist[.]cyou
– molatorila[.]cyou
– molatoriora[.]cyou
– molatoriora[.]icu
– molatoripro[.]cyou
– molatoripro[.]icu
– molatorisy[.]cyou
– molatorisy[.]icu
– onmolatori[.]icu
– promolatori[.]icu
– samolatori[.]cyou
– samolatori[.]icu
– umolatori[.]icu
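As an added example (not code from the original post or from the research team), the following Python script applies two of the detection angles discussed above to a raw email: it flags a body that is delivered as an image with little or no readable text, and it extracts every link and checks the host against the refanged Molatori blocklist, treating subdomains of a listed domain as matches. The two sample messages, their sender addresses, the placeholder image bytes, and the 40-character text threshold are all constructed for the illustration.

```python
"""Triage an email for two traits of the Molatori ScreenConnect lure:
an image-only body and links to blocklisted domains.
Added example; sample messages and the threshold are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Defanged indicators as listed in the post; refanged when the set is built.
MOLATORI_DOMAINS_DEFANGED = [
    "atmolatori[.]icu", "gomolatori[.]cyou", "molatoriby[.]cyou",
    "molatorier[.]cyou", "molatorier[.]icu", "molatoriist[.]cyou",
    "molatorila[.]cyou", "molatoriora[.]cyou", "molatoriora[.]icu",
    "molatoripro[.]cyou", "molatoripro[.]icu", "molatorisy[.]cyou",
    "molatorisy[.]icu", "onmolatori[.]icu", "promolatori[.]icu",
    "samolatori[.]cyou", "samolatori[.]icu", "umolatori[.]icu",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'foo[.]icu' back into 'foo.icu'."""
    return indicator.replace("[.]", ".").strip().lower()


BLOCKLIST = frozenset(refang(d) for d in MOLATORI_DOMAINS_DEFANGED)

# Assumption: fewer visible characters than this means "no real text".
MIN_TEXT_CHARS = 40

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def is_blocklisted(host: str) -> bool:
    """Exact match or any subdomain of a blocklisted domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)


def body_stats(msg: EmailMessage) -> tuple[int, int, list[str]]:
    """Count visible text characters and image parts; collect link URLs."""
    text_chars, image_parts, urls = 0, 0, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            body = part.get_content()
            text_chars += len(body.strip())
            urls += URL_RE.findall(body)
        elif ctype == "text/html":
            body = part.get_content()
            text_chars += len(TAG_RE.sub("", body).strip())  # visible text only
            urls += URL_RE.findall(body)
        elif ctype.startswith("image/"):
            image_parts += 1
    return text_chars, image_parts, urls


def triage(raw: bytes) -> dict:
    """Return the findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_chars, image_parts, urls = body_stats(msg)
    image_only = image_parts > 0 and text_chars < MIN_TEXT_CHARS
    bad_urls = [u for u in urls if is_blocklisted(urlparse(u).hostname or "")]
    return {
        "subject": str(msg["Subject"]),
        "image_only_body": image_only,
        "blocklisted_urls": bad_urls,
        "suspicious": image_only or bool(bad_urls),
    }


def build_sample_lure() -> bytes:
    """Constructed imitation of the lure: the body is a single image linked
    to a Molatori host, with no readable text for a keyword filter to match."""
    msg = EmailMessage()
    msg["From"] = "statements@hacked-blog.example"  # constructed sender
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Your Social Security Statement is now available"
    msg.set_content("<html><body>\n"
                    '<a href="https://promolatori.icu/statement">\n'
                    '<img src="cid:stmt" alt="">\n'
                    "</a></body></html>\n", subtype="html")
    fake_png = b"\x89PNG\r\n\x1a\n" + bytes(16)  # placeholder image bytes
    msg.add_related(fake_png, maintype="image", subtype="png", cid="<stmt>")
    return msg.as_bytes()


def build_sample_benign() -> bytes:
    """Constructed ordinary text email with a link to an unrelated host."""
    msg = EmailMessage()
    msg["From"] = "alice@example.net"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Hi,\n\nThe quarterly numbers are at "
                    "https://intranet.example.net/q3\n"
                    "Please review by Friday.\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_lure(), build_sample_benign()):
        print(triage(raw))
```

The image-only heuristic will also flag legitimate image-heavy mail such as marketing newsletters, so treat it as a triage signal to combine with the sender check and the link verdict rather than as a block decision on its own.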
Cybersecurity is not merely a matter of awareness but a proactive strategy we support by providing tools and services to protect personal information actively. Through our Personal Data Remover, you can discover which sites may be exposing your personal information and take steps to have that sensitive data removed from the internet.