Google Pay scam emails
What are Google Pay scam emails
“Google Pay scam emails” refers to a spam email campaign used to distribute malware. Emails in this campaign are disguised as messages from Google informing you about a purchase made via Google Pay. Google Pay is a digital wallet that allows users to add a card and pay with their phones. The emails inform users that Google Pay was used somewhere for payment, display an alarmingly large sum, and claim the invoice is attached. Users see the sum they were supposedly charged, get alarmed, open the attachment, and end up accidentally infecting their computers with serious malware. However, the malware does not launch until users open the file and then enable macros. Once the macros are enabled, the malware, in this case Taurus stealer, is downloaded and executed.
The malware distributed in this particular Google Pay scam email campaign is the Taurus stealer trojan, which aims to extract personal and financial information from infected computers. Since it’s a data-stealing trojan, it stays in the background and silently tries to steal data. This makes spam campaigns like this one particularly dangerous, as users would likely not even notice that they infected their computers with malware when they opened the email attachment.
How to spot a malicious email
Unless spam emails are targeting someone specific, they are not particularly sophisticated. As long as users know what to look for, they should be able to differentiate between spam and legitimate emails. One of the most obvious signs is grammar and spelling mistakes. Spam email is often disguised as some kind of official correspondence but when the email is full of mistakes, it immediately becomes obvious that something’s not right. That’s the first thing that users should look for when dealing with unsolicited emails with attachments or links. Another big sign is the sender’s email address. Users can disregard the email immediately if the sender has a nonsense email address made up of random letters and numbers. Even if the email looks legitimate, it should still be carefully inspected, as scammers use various tactics to make the email addresses look legit. For example, the letter ‘m’ may be replaced with ‘rn’.
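The sender check described above can be automated. The following is an added example, not part of the original article: it flags From: addresses whose domain only looks like a trusted one (such as ‘rn’ standing in for ‘m’). The trusted-domain list, the extra look-alike pairs beyond ‘rn’, and the sample addresses in the comments are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: the sender domains this mailbox owner actually expects mail from.
TRUSTED_DOMAINS = {"google.com", "gmail.com"}

# Character sequences that render like another letter in many fonts.
# 'rn' -> 'm' is the case named in the article; the others are added here.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(domain: str) -> str:
    """Collapse look-alike sequences so visually similar domains compare equal."""
    domain = domain.lower()
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header value."""
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "unknown"
    # Exact match, or a subdomain of a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    # Simplification: treat the last two labels as the registrable domain.
    base = ".".join(domain.split(".")[-2:])
    trusted_skeletons = {skeleton(t) for t in TRUSTED_DOMAINS}
    if skeleton(base) in trusted_skeletons:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not taken from the real campaign.
    for header in ("Google Pay <receipts@google.corn>",
                   "Google Pay <noreply@grnail.com>",
                   "Google <no-reply@payments.google.com>",
                   "x7f3k9q2@mail.example.net"):
        print(f"{classify_sender(header):10} {header}")
```

A ‘trusted’ result only means the visible address matches the list. It does not show that the header is authentic, which is what the receiving server's SPF, DKIM and DMARC results cover.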
The Google Pay scam emails are fairly obvious. They have a “Payment Confirmation” title, and contain a preview of a receipt that shows how much money was paid and where exactly. The full receipt is supposedly attached to the email. Despite containing very little text and being sent from legitimate-looking email addresses, these emails ring alarm bells immediately.
In general, when dealing with unsolicited emails with attachments, it’s always recommended to scan them with anti-virus software or VirusTotal before opening. A scan of the file with VirusTotal immediately shows that a trojan is hiding inside.
Google Pay scam emails carry malware
Malicious spam emails like this Google Pay scam either carry malware or try to phish login credentials. This particular email carries the Taurus stealer trojan. In order to execute it, users need to open the attached file and then enable macros. Once users have done that, the malware downloads and starts to silently perform its malicious activities. This is a data-stealing trojan, meaning it will silently spy on what users are doing, trying to steal personal information and login credentials. It may be able to extract information from browsers, emails, cryptocurrency wallets, programs, etc. If the Taurus trojan succeeds in stealing information, it transfers it to its operators. The operators would then either use the stolen data themselves to steal money, access accounts, etc., or sell it on the dark web.
In addition to being a stealer trojan, Taurus may also download additional malware onto the computer. In the worst-case scenario, it would be ransomware that encrypts files and demands money in exchange for their decryption.
Google Pay scam emails removal
Users should immediately remove a Google Pay scam email if one lands in their inbox. For users who have opened the attached file and enabled macros, scanning the computer with anti-malware software is a must. If the malware was able to run, it’s likely that the computer is not protected with anti-malware software, as it would have stopped the malware otherwise.