---
title: "Fake Social Security Emails Deploy Remote Access Tool"
categories: [Cybersecurity & Data Protection, Scam Protection]
author: Tom
date: 2025-04-30
tags: [cybersecurity, remote access, social security]
---

## TL;DR
A sophisticated phishing campaign uses fake Social Security Administration (SSA) emails to trick users into installing ScreenConnect, a remote access tool. This campaign, attributed to the Molatori group, aims to gain unauthorized access to victims' computers for data exfiltration and financial fraud. Users are advised to verify email sources and use up-to-date anti-malware solutions to protect themselves.

## Main Content

Fake emails purporting to be from the US Social Security Administration (SSA) are circulating, attempting to deceive recipients into installing ScreenConnect, a remote access tool. This campaign, investigated by the Malwarebytes Customer Support and Research teams, poses a significant threat to users' cybersecurity.

ScreenConnect, formerly known as ConnectWise Control, is a widely used remote support and access platform. It allows technicians to remotely connect to users' computers for tasks such as software installation, system configuration, and troubleshooting. However, its full remote control capabilities make it a dangerous tool in the hands of cybercriminals, who can operate victims' computers as if they were physically present, potentially without the user's knowledge.

A phishing group dubbed Molatori has been identified as the perpetrator behind this campaign. The group sends emails that appear to come from the SSA, luring targets into installing the ScreenConnect client. These emails often include convincing details, such as:

> “Your Social Security Statement is now available. Thank you for choosing to receive your statements electronically. Your document is now ready for download:
> - Please download the attachment and follow the provided instructions.
> - NOTE: Statements & Documents are only compatible with PC/Windows systems.”

The link in the email leads to the ScreenConnect support client, disguised under various names like `ReceiptApril2025Pdfc.exe` and `SSAstatement11April.exe`. Once installed, cybercriminals can remotely connect to the victim's computer and begin malicious activities, such as accessing and exfiltrating sensitive information like banking details and personal identification numbers. Financial fraud has been identified as the primary objective of the Molatori group[^1].

Several factors make this campaign hard to detect:
- The phishing emails are sent from compromised WordPress sites, making the domains appear legitimate.
- The email content is often embedded as an image, preventing effective scanning by email filters.
- ScreenConnect is a legitimate application, making it less likely to be flagged by traditional security measures.
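Two of the traits just listed are still observable on the endpoint: a ScreenConnect client renamed to look like a document (`ReceiptApril2025Pdfc.exe`, `SSAstatement11April.exe`) and outbound connections to the campaign's infrastructure, whose hostnames in the post's block list are all built around the string "molatori" under the `.icu` or `.cyou` TLDs. The following detection logic, added here as an illustration and not code from Malwarebytes or the original post, runs those two checks over a few constructed telemetry events; the event format and the non-campaign hosts are assumptions.

```python
import re

# Constructed endpoint telemetry: (event, process name, destination host).
# The two executable names are the ones reported in the post; the rest is made up.
SAMPLE_EVENTS = [
    ("process_start", "ReceiptApril2025Pdfc.exe", ""),
    ("net_connect", "ReceiptApril2025Pdfc.exe", "atmolatori.icu"),
    ("process_start", "SSAstatement11April.exe", ""),
    ("net_connect", "SSAstatement11April.exe", "molatoripro.cyou"),
    ("process_start", "winword.exe", ""),
    ("net_connect", "ScreenConnect.ClientService.exe", "support.example-corp.com"),
]

# An executable whose stem contains a document word (receipt, statement, pdf,
# invoice), as the renamed ScreenConnect clients in this campaign did.
DOC_MIMIC = re.compile(r"(receipt|statement|pdf|invoice).*\.(exe|scr|msi)$", re.I)

# The campaign's infrastructure: hostnames built around "molatori" on .icu/.cyou.
MOLATORI_HOST = re.compile(r"^[a-z0-9-]*molatori[a-z0-9-]*\.(icu|cyou)$", re.I)


def is_document_mimic(filename: str) -> bool:
    """True for an executable dressed up as a statement/receipt/PDF."""
    return DOC_MIMIC.search(filename) is not None


def is_molatori_host(host: str) -> bool:
    """True for hostnames matching the campaign's naming pattern."""
    return MOLATORI_HOST.match(host.strip().lower()) is not None


def find_suspicious(events):
    """Return (rule, detail) alerts for document-mimic executables and
    outbound connections to Molatori hosts. Legitimate ScreenConnect traffic
    to an unrelated support domain is left alone."""
    alerts = []
    for kind, name, host in events:
        if kind == "process_start" and is_document_mimic(name):
            alerts.append(("document-mimic executable", name))
        elif kind == "net_connect" and is_molatori_host(host):
            alerts.append(("connection to Molatori infrastructure", f"{name} -> {host}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in find_suspicious(SAMPLE_EVENTS):
        print(f"[ALERT] {rule}: {detail}")
```

The legitimate `ScreenConnect.ClientService.exe` session to a corporate support host produces no alert, which is the point: the signal is the disguise and the destination, not the tool itself.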

## What We Can Do

To protect against such phishing attempts, consider the following precautions:
- Verify the source of unsolicited emails through independent means.
- Avoid clicking on links or opening attachments until their safety is confirmed.
- Use an up-to-date and active [anti-malware solution](https://www.malwarebytes.com/premium).
- Search for known phishing attempts using text or names from suspicious emails.

## Malwarebytes Users Are Protected

Malwarebytes detects suspicious instances of the ScreenConnect client as `RiskWare.ConnectWise.CST` and blocks connections to the domains associated with this campaign.

## Conclusion

Cybersecurity risks should never spread beyond a headline. With [Malwarebytes Personal Data Remover](https://www.malwarebytes.com/personal-data-remover), users can scan for and delete sensitive personal information from the internet, ensuring their data privacy is maintained.

For more details, visit the full article: [source](https://www.malwarebytes.com/blog/news/2025/04/fake-social-security-statement-emails-trick-users-into-installing-remote-tool)

## References
[^1]: [Experts have identified](https://x.com/pancak3lullz/status/1877080477510549779)
This post is licensed under CC BY 4.0 by the author.