Slashdot Mirror


Phishing Email That Knows Your Address (bbc.com)

An anonymous reader writes: BBC is reporting about a new type of phishing email that includes the recipient's home address. The publication, citing sources, claims that thousands of people have already received such malicious emails. Clicking on the email apparently installs malware such as Cryptlocker ransomware on the recipient's computing device. From the report, "Members of the BBC Radio 4's You and Yours team were among those who received the scam emails, claiming they owed hundreds of pounds to UK firms. The firms involved have been inundated with phone calls from worried members of the public. 'The email has good spelling and grammar and my exact home address...when I say exact I mean, not the way my address is written by those autofill sections on web pages, but the way I write my address.'"

108 comments

  1. Oh, come on, now! by kheldan · · Score: 5, Insightful

    Any truly important, official communication from a government agency, or from any company demanding payment of any sort, is going to send it in a printed letter, not an email.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    1. Re:Oh, come on, now! by Nunya666 · · Score: 5, Interesting

      Any truly important, official communication from a government agency, or from any company demanding payment of any sort, is going to send it in a printed letter, not an email.

      The average user does not know that. Perhaps they just don't care, or they're too ignorant to know better. Unfortunately, that "fact of life" is exactly why phishing emails work.

      My wife is a perfect example. She is intelligent, but not technically savvy. She once asked me if she should click/touch something on her Android phone. It was an advertisement, disguised to look like a "you've got mail" alert. I told her to ignore it, since it's just an ad. "But it says I have mail, shouldn't I click on it?" No, honey, anything that appears in that area of the screen (in that particular app) is just an advertisement. Ignore it. "But it looks so real!"

      We even had a successful phishing attack at work recently. The email said it came from the IT department, and that you needed to click on the link to validate your domain credentials. It didn't look like any of our official communications, and the "click here" link was a shortened URL. It was pretty obvious to me that it was a phishing attempt, but several users clicked on the link anyway, and keyed in their domain credentials into the web form. Thankfully, it didn't install a cryptovirus, or spread to the network.

    2. Re:Oh, come on, now! by gstoddart · · Score: 4, Insightful

      But the more convincing it looks, and the more information it has about you, the more likely people will fall for this.

      By the time you're talking about phishing crafted to this level of detail, it has more than enough information in it to make you think "holy crap, this shit looks real".

      The problem is the level of paranoia internet safety seems to require would almost be a clinical condition in meatspace ... and that isn't something normal people have.

      I mean, it's definitely not a normal state to consider everything anybody says to you to likely be a conspiracy to defraud you. But increasingly email, and even incoming telephone calls, require a level of paranoia, distrust, and misanthropy as to make you crazy by more normal standards. The world IS full of assholes who ARE out to get you and ARE actively lying to you.

      To your average person who just wants some email and access to the intertubes, doing that would require a level of cognitive dissonance which would cause you to never leave your house.

      Fortunately, many of us here already exhibit these traits naturally, and already don't leave the house, so we can adjust to it. But for more normal people, it really is a big leap.

      I mean, picture trying to get your grandmother to exhibit as much paranoia as avoiding this stuff would require. Next time you went to visit she'd meet you with a shotgun and refuse to let you in.

      --
      Lost at C:>. Found at C.
    3. Re:Oh, come on, now! by Anonymous Coward · · Score: 0

      The average user does not know that.

      How do you not know that you've never received such a communication before? And then, even if you assume it's new, how do you decide not to check?

      People are idiots. Stop blaming innocent ignorance.

    4. Re:Oh, come on, now! by Pascoea · · Score: 1

      The email said it came from the IT department, and that you needed to click on the link to validate your domain credentials...It was pretty obvious to me that it was a phishing attempt, but several users clicked on the link anyway, and keyed in their domain credentials into the web form. Thankfully, it didn't install a cryptovirus, or spread to the network.

      Yup, we got the same one. The next day the whole company started getting spam from an internal e-mail address.

      What shocks me, more than that someone will click on a random e-mail link without knowing where it goes, is that people actually respond to spam e-mails. (the increase your penis size, low low price Viagra, or hot teens want to screw, type spam) You know people are clicking on them, because people/groups wouldn't be expending so much effort to send spam if it wasn't an effective "advertising" method.

    5. Re:Oh, come on, now! by Anonymous Coward · · Score: 3, Informative

      Any truly important, official communication from a government agency, or from any company demanding payment of any sort, is going to send it in a printed letter, not an email.

      False. I get my vehicle registration renewal notices via email.

      "Anecdote != evidence!"

      You are implying that such communications will never be sent via email. As such, I need find but a single example to prove you wrong.

    6. Re:Oh, come on, now! by gstoddart · · Score: 5, Insightful

      The problem is it takes only about a 1-2% success rate to make spam effective. Probably far far less when it's this targeted.

      Say you're in an organization of 1000 people ... the security of your network is determined by the 10-20 most gullible people in your organization ... at least 5 of which will be in management. Think about the dumbest 1-2% of your organization, and think "dear god, are we really depending on them for our overall security?"

      And, really, "effort" is a relative term when it's a computer doing all the heavy lifting. It's not like someone has to individually type all of those messages.

      It clearly works, or it would have stopped on its own by now.

      --
      Lost at C:>. Found at C.
    7. Re:Oh, come on, now! by Pascoea · · Score: 2

      But increasingly email, and even incoming telephone calls, require a level of paranoia, distrust, and misanthropy as to make you crazy by more normal standards

      You're not kidding. I consider myself pretty vigilant about e-mail and clicking links. I recently got a nearly perfectly crafted e-mail from "Amazon" about a "recent order", I buy A LOT of shit off Amazon, so I didn't think anything of it. The only reason I didn't get zapped by it is I never click on the tracking/order links from them, I always go to their site manually. Thinking to myself "I don't remember ordering anything in the last couple days" I went to Amazon's site, thinking my username got stolen and someone was buying shit, and couldn't find an order. Going back to my e-mail I see that it was sending me to some random site. Sneaky bastards.

      Point being, the Phishers are getting better and better.

    8. Re:Oh, come on, now! by Anonymous Coward · · Score: 0

      It's cultural.

      Go to a country that barters on a regular basis, such as India, which has prices for locals and prices for visitors/tourists.

      The moment prices become negotiable, the population can choose to become savvy to negotiate a reasonable price, or they become suckers and pay above the market.

      So what I'm saying, is that I'm somewhat refuting your claim. In many countrys:

      "The world IS full of assholes who ARE out to get you and ARE actively lying to you."

      Is 100% correct, and one must adjust one's behavior accordingly.

    9. Re:Oh, come on, now! by Geoffrey.landis · · Score: 2

      We even had a successful phishing attack at work recently. The email said it came from the IT department, and that you needed to click on the link to validate your domain credentials. It didn't look like any of our official communications, and the "click here" link was a shortened URL. It was pretty obvious to me that it was a phishing attempt, but several users clicked on the link anyway, and keyed in their domain credentials into the web form. Thankfully, it didn't install a cryptovirus, or spread to the network.

      Well, on an average day most users will probably be suspicious of a link like that. The phishers count on the fact that, on any given day, some percentage of the recipients will have just finished leaving a message with tech support saying "I can't access the server, could you reset my account?"

      Since they're expecting an email with exactly that text, their defenses will be down.

      --
      http://www.geoffreylandis.com
    10. Re:Oh, come on, now! by gstoddart · · Score: 1

      You're not kidding

      Of course I'm not kidding.

      As much as it sounds like I'm flippantly describing a level of hyper-vigilance and paranoia which sounds absurd, anything less than that is going to sooner or later bite you on the ass.

      Everybody keeps saying "stupid users, it's their own fault". And, really, it's increasingly hard to say that.

      You literally have to act like a paranoid nut job around incoming emails these days. It's anything but a normal state for humans. People just don't consistently maintain this level of distrust over a long period of time.

      --
      Lost at C:>. Found at C.
    11. Re:Oh, come on, now! by Anonymous+Brave+Guy · · Score: 2

      Any truly important, official communication from a government agency, or from any company demanding payment of any sort, is going to send it in a printed letter, not an email.

      On what planet? My companies routinely send invoices to customers/clients by e-mail. We routinely get invoices from suppliers and service providers by e-mail, too. For things like signed contracts with serious amounts of money involved, sure, we'd send registered letters, but day-to-day has been mostly electronic for a long time here.

      An unfortunate consequence of this is that since e-mail in general is not secure and in particular is not tamper-proof or reliably authenticated, it is open to this kind of abuse. I know some businesses we deal with have had some horrible incidents that cost them a lot of money because their in-house procedures weren't robust against an attacker who had enough inside information to look plausible.

      A particularly devastating technique I've come across recently for attacking smaller and less formal businesses is based on identifying who normally pays invoices, someone more senior who they report to, and a pattern of where new suppliers might be and what sorts of amounts they'd be invoicing for. It's often pretty easy to guess this sort of information with minimal actual content, if say the company web site provides a couple of key names and contact details that legitimate business associates might actually need.

      However, given that information, a malicious third party can then easily impersonate the e-mail of the senior person and send something asking the invoice-payer to settle a realistic bill for a new supplier. Thanks to the wonders of services like Google Mail, it will probably even arrive in their work inbox with the senior person's usual picture right there next to their name and e-mail address, looking all official and normal. Time it so the senior person is out at a meeting or on holiday or otherwise not there to answer a quick phone call, add a credible note that, say, you're trying to build a good long-term relationship with this new supplier to please try to settle up promptly to make a good impression, and it's easy to see how even though everyone is well meaning, they can be fooled simply because they didn't understand that the fake ID aspect was possible and as far as they knew it was all official communication using their normal work e-mail system.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    12. Re:Oh, come on, now! by Anonymous Coward · · Score: 0

      Point being, the Phishers are getting better and better.

      It must be something with me, but I see those 'phishers' as a bunch of losers. They have zero chances with me. Try phishing me and I will go after you, I will find you and I will make you eat shit.

    13. Re:Oh, come on, now! by Anonymous Coward · · Score: 0

      "countrys"? There is no such word. But then, you are AMERICAN, aren't you. Idiot.

    14. Re:Oh, come on, now! by Anonymous Coward · · Score: 0

      Sure, simple typo.

      For those who don't know better, the correct spelling is "countries".

      Silly me.

    15. Re:Oh, come on, now! by edtice1559 · · Score: 1

      If Amazon were subject to an open redirect or an XSS, the link could have actually gone to an Amazon server!

    16. Re: Oh, come on, now! by Anonymous Coward · · Score: 0

      No you won't.

    17. Re:Oh, come on, now! by Anonymous Coward · · Score: 2

      Some of my company's internal IT emails actually look like spam.

    18. Re:Oh, come on, now! by kheldan · · Score: 1

      Friend, if I had to include every single exception possible to every statement I ever made, I'd never be done typing them all out. How about we just make a general assumption that those exceptions exist, OK? ;-)

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    19. Re:Oh, come on, now! by Anonymous Coward · · Score: 0

      I got a copy of this one. It's the best phishing attempt I've seen so far. Spelling and grammar are all good, it has the feel of being written by a British business person. The URL doesn't look that shady considering I've bought development tools in the past from companies with names like that. The address is an old one for me, I moved out in May 2011 so the dataset used for the merge is quite old.

      I downloaded the linked file, it was a zip file containing a .scr file (Executable screensaver), looking like an invoice PDF including my name.
      Ran it through VirusTotal, only 5 engines picked it up as a virus, and only with updates from the last 24 hours.

      Email content including headers below, sanitised. Note, this passed SPF, and made it into my Gmail inbox and got presorted as Finance, not filtered into spam.

      Delivered-To: %emailaddress%@gmail.com
      Received: by 10.25.37.65 with SMTP id l62csp777839lfl;
                      Mon, 4 Apr 2016 02:11:15 -0700 (PDT)
      X-Received: by 10.28.170.137 with SMTP id t131mr11158528wme.74.1459761075444;
                      Mon, 04 Apr 2016 02:11:15 -0700 (PDT)
      Return-Path:
      Received: from web-srv02.alb.nl.weservit.nl (web-srv02.alb.nl.weservit.nl. [176.56.224.42])
                      by mx.google.com with ESMTPS id w8si30241665wjz.7.2016.04.04.02.11.15
                      for
                      (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
                      Mon, 04 Apr 2016 02:11:15 -0700 (PDT)
      Received-SPF: pass (google.com: best guess record for domain of client733@web-srv02.alb.nl.weservit.nl designates 176.56.224.42 as permitted sender) client-ip=176.56.224.42;
      Authentication-Results: mx.google.com;
                    spf=pass (google.com: best guess record for domain of client733@web-srv02.alb.nl.weservit.nl designates 176.56.224.42 as permitted sender) smtp.mailfrom=client733@web-srv02.alb.nl.weservit.nl
      Received: from client733 by web-srv02.alb.nl.weservit.nl with local (Exim 4.86_1)
              (envelope-from )
              id 1an0XS-003nCc-Mv
              for %emailaddress%@gmail.com; Mon, 04 Apr 2016 11:11:14 +0200
      To: %Firstname% %Lastname%
      Subject: %Firstname% %Lastname%
      X-PHP-Script: itconsulent.net/tg2/mail.php for 112.221.190.197, 112.221.190.197
      From: jfuller@haveringcab.org.uk
      Message-Id:
      Date: Mon, 04 Apr 2016 11:11:14 +0200
      X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
      X-AntiAbuse: Primary Hostname - web-srv02.alb.nl.weservit.nl
      X-AntiAbuse: Original Domain - gmail.com
      X-AntiAbuse: Originator/Caller UID/GID - [611 622] / [47 12]
      X-AntiAbuse: Sender Address Domain - web-srv02.alb.nl.weservit.nl
      X-Get-Message-Sender-Via: web-srv02.alb.nl.weservit.nl: authenticated_id: client733/only user confirmed/virtual account not confirmed
      X-Authenticated-Sender: web-srv02.alb.nl.weservit.nl: client733

      Dear %FirstName% %LastName%,

      Regarding the amount due 1189.94 GBP, we act on behalf of Cecil Instruments Ltd in order to collect the outstanding account value of your debt.

      We would like to remind you that the amount above was due for payment on 29.03.16 but as no payment has been received, your invoice is now considered as overdue. Please find a printable version of your invoice at the following link:
      http://www.littlebigdev.net/index.php?u=XXXXXXXXXX&za=XXXXXX

      Original invoice will be sent out to:
      %FirstName% %LastName%
      %Postal address%

      In order to avoid further costs, please forward the payment to us and transfer the amount due not later than 12.04.16

      Kindest regards,
      Jeffery Fuller
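
Added example, not part of the comment above or of the original page: a Python triage of the headers that comment posted, showing why "SPF pass" on its own said little here. The header values are copied from the post (abridged, with a placeholder recipient); the finding names and the simplified alignment rule (exact match or parent/subdomain, no public suffix list) are assumptions of this sketch.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers abridged from the post above; the recipient is a placeholder.
SAMPLE = """\
Delivered-To: recipient@example.com
Received-SPF: pass (google.com: best guess record for domain of client733@web-srv02.alb.nl.weservit.nl designates 176.56.224.42 as permitted sender) client-ip=176.56.224.42;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of client733@web-srv02.alb.nl.weservit.nl designates 176.56.224.42 as permitted sender) smtp.mailfrom=client733@web-srv02.alb.nl.weservit.nl
X-PHP-Script: itconsulent.net/tg2/mail.php for 112.221.190.197, 112.221.190.197
From: jfuller@haveringcab.org.uk
Subject: Firstname Lastname
Date: Mon, 04 Apr 2016 11:11:14 +0200

Dear Firstname Lastname,
"""


def domain_of(addr):
    """Lower-cased domain of an address (or of a bare domain)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def aligned(a, b):
    """Simplified alignment (assumption): same domain or parent/subdomain."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def triage(raw):
    """Return the visible From domain, the SPF-checked envelope domain,
    and a list of findings explaining how far the SPF result can be trusted."""
    msg = message_from_string(raw)
    # Unfold and join every Authentication-Results header into one line.
    auth = " ".join(" ".join(msg.get_all("Authentication-Results") or []).split())

    from_dom = domain_of(msg.get("From", ""))
    spf = re.search(r"\bspf=(\w+)", auth)
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    env_dom = domain_of(mailfrom.group(1)) if mailfrom else ""

    findings = []
    # SPF validates the envelope sender, not the From: line the user sees.
    if spf and spf.group(1) == "pass" and not aligned(from_dom, env_dom):
        findings.append("spf-unaligned")
    # "best guess record": the receiver found no published SPF record and
    # guessed one, so the pass is not a statement by the domain owner.
    if "best guess record" in auth.lower():
        findings.append("spf-best-guess")
    # No DKIM pass means nothing ties the content to the From: domain.
    if not re.search(r"\bdkim=pass\b", auth):
        findings.append("no-dkim-pass")
    # The hosting provider's header names a web script as the submitter.
    if msg["X-PHP-Script"]:
        findings.append("web-script-origin")

    return {"from_domain": from_dom, "envelope_domain": env_dom,
            "findings": findings}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The pass recorded in the post was for the hosting server's own hostname, which is unrelated to the haveringcab.org.uk address shown to the recipient.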

    20. Re:Oh, come on, now! by Anonymous Coward · · Score: 0

      No. I have received official government emails (business name rego in Australia, if you must know) that, on checking (ie contact through direct official channels not sourced from said email) turned out to be legit. I was not impressed to say the least.

    21. Re:Oh, come on, now! by Anonymous+Brave+Guy · · Score: 3

      Sure, but my point is that it is not an exception in this case. Sending and receiving invoices and other payment-related documentation by e-mail has been the norm for a lot of organisations for a long time. That's why this sort of scam is, regrettably, so effective.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    22. Re:Oh, come on, now! by MrL0G1C · · Score: 1

      Nope, When dealing with a ticket, it was mostly via web and email, there was 1 letter initially which gave the web address and the rest was digital (UK).

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    23. Re:Oh, come on, now! by MrL0G1C · · Score: 1

      My webmail (1&1 / mail.com) provider makes it difficult to see whether links are legitimate or not by rewriting all links to go via its servers. Doesn't help.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    24. Re:Oh, come on, now! by KGIII · · Score: 2

      For starters, don't be stupid and read your fucking email in plain text.

      Don't take it personal... I've been giving that same lecture since about 1998. Stop reading the shit in HTML format. There are not that many rose graphics as backgrounds that are worth the risk. Plain text folks... Simple HTML works but, for the love of fuck, open a browser and paste in the copied address before visiting.

      Know what the damned button does before you fucking click it!

      Err... Yeah... Sorry, like I said, since about 1998... I'm kind of tired of telling people how to practice safe hex. They don't listen.

      --
      "So long and thanks for all the fish."
    25. Re:Oh, come on, now! by KGIII · · Score: 1

      And now you know why I write novellas.

      Actually, this might just be my shortest post, ever.

      --
      "So long and thanks for all the fish."
    26. Re: Oh, come on, now! by Anonymous Coward · · Score: 0

      Change provider then, or host your own. Don't forget to tell them why you're cancelling your contract with them - if the USPS opened your letters and altered the text in them you'd be pretty pissed. Why should it be different for email?

    27. Re: Oh, come on, now! by Anonymous Coward · · Score: 0

      Yep, cultural differences... Middle eastern countries are very much like this. It means I never trust my local mechanics for my car, I'll go to the mechanics 3 suburbs away with a WASP running the place. Sounds racist to some people... but I've given enough chances and paid thru the nose for hopeless work that needed to be done again (and again), and unnecessary work, it's almost as if they were ripping me off cos I'm not a mechanic.

    28. Re: Oh, come on, now! by computererds · · Score: 1

      That is one of the things I told 1&1 when I stopped using them a couple years ago. I guess that feedback didn't change anything.

    29. Re:Oh, come on, now! by WorBlux · · Score: 1

      PGP could foil all that crap, but who has the time?

    30. Re:Oh, come on, now! by Anonymous+Brave+Guy · · Score: 1

      It is kind of amazing that in 2016 we still haven't solved encrypted and authenticated messaging. I'm not sure how easy it would be to explain to non-technical users how the signing mechanics work or at least why they need to install a digital signature on every new system that will send mail from a certain account, though.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    31. Re:Oh, come on, now! by Anonymous Coward · · Score: 0

      No. The success rate of a campaign has little to do with how well it has worked in the past, because just as there are always new suckers being born, there is also a constant stream of new scammers coming along to recycle the same old scam campaigns. The old scammers say "this method works great, I will sell it to you for only $1000" and the new fresh scammers buy it. Doesn't matter how well it works, they just made $1000.

  2. alternate email address by kennethmci · · Score: 4, Interesting

    I remember a while back I read about an interesting way to identify where this info is coming from. If you have your own domain, there are people out there who will append the site name to their email address when they sign up.... e.g. kenneth.facebook@yourdomain.com - then as you receive spam you can see where it originated from...due to them sharing your email ( or if it was stolen ). Would be interesting to know if anyone has done this and identified the original source of the data.

    1. Re:alternate email address by SQLGuru · · Score: 4, Insightful

      You can do something similar with GMail using a + instead of a .

      Periods are ignored completely, so kenneth.facebook is the same as ken.neth.face.book.

      Plusses make everything past the plus be ignored. So kenneth+facebook is the same as kenneth.

    2. Re:alternate email address by jmcwork · · Score: 2

      I have my own domain and any email address that does not have a dedicated mailbox gets sent to the admin 'catch-all' mailbox. If I sign up for something anything that wants an email address I usually use businessname@mydomain.com for the address. I get a lot of funny looks when I feed back an email address with their name in it (even had a few people accuse me of attempting to hack their system by doing this!). I just let my email reader filter things to different folders based on the incoming email address. If I see a bunch of spam in one I can send it right back to the business and tell them why I am now blocking their email. I used to do the same thing with my snail mail by modifying the spelling of my street name. If I started getting junk mail to that version, I would take out all the personal info, jam the rest into their pre-paid envelopes and send it back to them.

    3. Re:alternate email address by Anonymous Coward · · Score: 1

      So then spammers just go through their lists of gmails, remove the + and you're right back where you started.

    4. Re:alternate email address by Holi · · Score: 1

      It also makes it very easy to get around, Run the email addys through a script that removes everything from the + to the @ and it completely bypasses your system, it is also very simple to accomplish. With the kennethmci's way you don't have this issue.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    5. Re:alternate email address by eam · · Score: 1

      Am I the only person still using spamgourmet.com?

    6. Re: alternate email address by Anonymous Coward · · Score: 0

      That is a neat trick, but I've noticed many websites filter out + as a nonstandard character, particularly e-commerce sites which seem to use a lot of the same backends. Also of note, those sites are the ones I'd most like to use that trick, in case my info is somehow compromised, I have a sort of spam-canary.

      So, for that purpose, I also have resorted to just use my own domain, where any mail matching anything.user@domain.tld everything gets dumped in my mailbox.

    7. Re:alternate email address by Anonymous Coward · · Score: 1

      What's real fun is when you run into a business like Bank of America. They'll happily take your name+blah@gmail.com in their signup forms, but then when the barrage of mortgage spam starts you find out that their unsubscribe page will not accept email addresses with a "+" character. Have fun explaining that to the Indian call center tech.

    8. Re:alternate email address by rhazz · · Score: 1

      It's not about preventing spam really, it's more about inbox management. With Gmail's "+" syntax the email is still delivered to your main inbox - there is no registering of allowed + values. It shows the full handle it was sent to though, so at best maybe you can filter it by the handle, assuming the spammer didn't remove the + value. A relative of mine runs a series of twitter accounts spewing weather stats and uses the + syntax on his personal email address to route messages.

      I recall Rogers used to allow you to generate temporary emails with a random id at the end of your base email address, and mail would be delivered to your normal inbox. That actually allowed you to manage spam because it looked like a regular address and you could deactivate it - unfortunately the ID was long and you'd never remember it.

    9. Re:alternate email address by Zocalo · · Score: 1

      I've been doing just this for years - unique email for every online account. So far I've only had a few instances of spam arriving on one of the addresses, all from smaller specialist retailers who most probably got their customer DB pwned since the spam was definite junk (pills and porn) rather than the kind of targeted marketing emails you'd expect from a sold-on customer list. I reported the possible compromise each time, but I never received any form of acknowledgement or apology from the companies concerned so I simply disabled the email addresses, kept a close eye on my credit card bills for the next few months... and went elsewhere next time I made a purchase. It works very well as a "compromise canary", but unless you are prepared to accept all email sent to "yourdomain.com" (which will result in a *lot* of spam) you'll need to have a simple way of defining new aliases and removing them when required.

      --
      UNIX? They're not even circumcised! Savages!
    10. Re:alternate email address by mrbester · · Score: 1

      Which is why I have my own domain that has unlimited email addresses that redirect to my GMail address with a specific string after the + (usually the site I used it on or generic description). As I don't ever give out my raw GMail address, anything that comes to that one is automatically considered dubious, tagged and archived for later leisurely perusal by use of filters, just like all the rest.

      Plus I can migrate to a different storage provider by just changing the redirects making it easier than informing everybody of address changes.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    11. Re:alternate email address by Anonymous Coward · · Score: 1

      Yahoo! Mail has real aliases. You choose a prefix, and then create your aliases under that prefix. You can't remove the suffixes and expect things to still work, and there's no direct correspondence between the aliases and your actual email address. Wish Google did that, especially since there are too many sites out there that just reject the plus sign as invalid, even if their mailing systems work just fine with it. And then there are those sites that don't bother to URLencode your address when they send it back to you, so you end up with a space in a link.

    12. Re:alternate email address by tlhIngan · · Score: 1

      I remember a while back I read about an interesting way to identify where this info is coming from. If you have your own domain, there are people out there who will append the site name to their email address when they sign up.... e.g. kenneth.facebook@yourdomain.com - then as you receive spam you can see where it originated from...due to them sharing your email ( or if it was stolen ). Would be interesting to know if anyone has done this and identified the original source of the data.

      I do this, but the spam I get comes from a completely made up address I've never used. Even more interesting is apparently some scrapers have bugs because the address gets chopped. For example, I never used example@example.com, but then I get a lot of spam to it. Then I notice spam gets sent to "xample@example.com" and "ample@example.com".

      I've gotten actual business correspondence too - some guy signed up for BT telephone and ADSL account, some other guy has a USBank card, etc. Funny thing is, I can't ever log in using that email. Even the "forget password" link doesn't claim it's valid. These are real emails to the real location, too.

    13. Re:alternate email address by Builder · · Score: 1

      You can use + notation. Then you can deal with all the companies that accepted your address using that at one point, then changed a load of their code and no longer accept it. Or some companies where one part of their organisation will accept a + in your address, but another part of the same org won't - Microsoft was an example of this until recently.

      I've found it to be more trouble than it's worth in the long run.

    14. Re:alternate email address by dsmatthews9379 · · Score: 1

      This is a built in feature of gmail, just add +whatever before the @ in the email address. https://gmail.googleblog.com/2...

    15. Re: alternate email address by Anonymous Coward · · Score: 0

      I do currently do this (got the idea from a /. comment!) and it has come in handy a couple of times. Dropbox, for instance, lost my email address somehow and didn't even have the balls to tell me about it. I realized when I started getting spam.

    16. Re:alternate email address by nukenerd · · Score: 1

      If you have your own domain, there are people out there who will append the site name to their email address when they sign up.... ..... then as you receive spam you can see where it originated from...due to them sharing your email ( or if it was stolen ). Would be interesting to know if anyone has done this and identified the original source of the data.

      I do that, and I received one of these scam emails yesterday. The address is the one I use for ebay, and only for ebay. I receive other spam with my ebay address too.

      When I read this story I had just been in the process of trying to complain to ebay about spammers getting my address. It looks though that it is practically impossible to complain to ebay. Their "Contact Us" link only leads to a FAQ of some typical problems (not spamming problems though), and ultimately round in a circle.

    17. Re:alternate email address by nukenerd · · Score: 1

      Am I the only person still using spamgourmet.com?

      Hi there, I do too. It's brilliant. I just worry that too many people will use it as the guy who runs it (for free) could probably not afford too much traffic.

    18. Re:alternate email address by nukenerd · · Score: 1

      If I sign up for something anything that wants an email address I usually use businessname@mydomain.com for the address. I get a lot of funny looks when I feed back an email address with their name in it (even had a few people accuse me of attempting to hack their system by doing this!).

      It's not a good idea to use the business's own name as it is likely to be rejected either automatically or by some person as you say (unless you enjoy the wind-up). I use some word that helps remind me of the business, like "mike" for Misco (a UK computer supplier). In fact I keep a table to relate the email name to the company.

    19. Re:alternate email address by Ark42 · · Score: 1

      I do this with my own domain, and I don't do it in a way that makes it obvious (such as including .facebook for facebook's email address).
      I manually edit /etc/mail/virtualusertable and make a random alias and leave myself a comment about what it's for, every time I'm about to sign up for something on a new site. So far, I've had to disable aliases for Mozilla's Bugzilla, Invisible Fence, 1-800 Contacts, and Hansons, along with a few other really obscure places. The amount of spam that went to those aliases was very high, and a lot of it was Christian Newsletters. I even emailed a few of them and they replied from their personal yahoo address and *insisted* that I must have signed up on their site, because they would never send spam. So far, I have not received this phishing email, but I suspect I might not get it. My server rejects email with lower than default spamassassin scores because I can train it solely with my own personal email.

    20. Re:alternate email address by Ark42 · · Score: 1

      Manually editing /etc/mail/virtualusertable works for me. You never want to accept all email of course. The last line should always be "@domain.tld error:5.7.0:550 Address invalid"

    21. Re:alternate email address by Anonymous Coward · · Score: 0

      Don't do this. It breaks so many things at random times it's crazy. I used to do this. Now I'm subscribed to a bunch of things I can't unsubscribe from. At least it's easy to create filters to delete the emails, but there's no way for me to stop getting them.

    22. Re:alternate email address by Solandri · · Score: 1

      I've been doing this for about 10 years now. Most of the spam-producers have been small or little-known sites. The two big exceptions are Microsoft and Adobe. Both either sold or lost my email address. With Adobe I suspect it was theft because it only happened once (I started getting spam all at once, and it gradually tapered off after about a year) shortly after they publicly notified me their customer database had been hacked. Microsoft was more continuous, coming as a wave every couple years. The last one was about 3-4 years ago though, so maybe they've stopped.

      The flip side is that the vast majority of companies I sign up for or correspond with do seem to abide by their privacy policy and keep your email address private. A bigger problem has been people I email getting malware which steals their address book, or unwittingly agreeing to let a site spam everyone in their address book (e.g. Linkedin). I don't try to spoof my "From" address, so people I send emails to get my real email address. But I arranged my aliases as a double-alias specifically to handle this possibility. So instead of microsoft@mydomain.com and adobe@mydomain.com forwarding to myrealemail@mydomain.com, they forward to pointer@mydomain.com. pointer@mydomain.com is what forwards to myrealemail@mydomain.com. If spam sent directly to myrealemail@mydomain.com ever gets bad, I can just retire it, create mynewrealemail@mydomain.com, and change pointer@mydomain.com to forward to mynewrealemail@mydomain.com. I just need to change that one line and all my aliases now forward to my new real email address.

    23. Re:alternate email address by bazorg · · Score: 1

      True, but if you *always* append a unique name when you sign up for a new service, every company that emails you without a unique code is suspicious. Worth automating, IMHO.

    24. Re:alternate email address by Anonymous Coward · · Score: 0

      Depends on how the filter is set up. If my mail provider allowed the same, I would be using a whitelist, with the addresses being removed as they start receiving spam.

      Removing the + would take you off the whitelist.

    25. Re:alternate email address by Anonymous Coward · · Score: 0

      Yes, I received it too and also an eBay only address. Mine was an older eBay address so it wasn't a recent hack.

      Don't forget though that the address is shared with anyone you have purchased from on eBay so it's likely to be one of those companies rather than eBay itself.

      Time to start comparing eBay purchases :)

    26. Re:alternate email address by Anonymous Coward · · Score: 0

      And it's just as easy for the spammers to strip periods and \+\w* from all gmail addresses. For this to be useful it would need to be an alias that is automatically created as soon as you use it as a Reply-to, and that is deleted after a timeout period, or manually, or when you mark a message to that alias as junk.

    27. Re: alternate email address by Anonymous Coward · · Score: 0

      If an email that purports to be from Amazon doesn't go to the extension address I've assigned them, it's very obvious that Amazon didn't send it.

    28. Re:alternate email address by JazzLad · · Score: 1

      I have done this for the better part of a decade, but I don't do appending - the company gets something like 'amazon@[mydomain]' - it used to be far more effective than it is now for determining who shared my address (looking at you, dropbox), but now it's great for phishing emails as amazon won't email me anywhere but amazon@... & I can see who they emailed.

      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever
    29. Re:alternate email address by toddestan · · Score: 1

      Any spammer with some smarts (granted, that'll weed out a fair number of them) would just go through their list and remove the + and whatever came after it, therefore spamming the 'base' address and you'd have no idea where they got your email from.

    30. Re:alternate email address by bazorg · · Score: 1

      Here's a more complete explanation:
      1) use an email service for correspondence with friends and family: address1@whatever
      2) use another address for everything else that requires subscribing to: ilikespam@whatever2
      3) use suffixes to identify which service sends you email:
      ilikespam+electricbill@whatever2
      ilikespam+netflix@whatever2 ...

      Normal brainless spam will be picked up by your provider's filters, with an assortment of false positives and false negatives, but the spear phishing people would need a much bigger effort to get to your real account and not be noticed as phishy.
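
The per-sender alias check that several comments in this sub-thread describe (a unique address per company, with mail that arrives untagged or at another company's alias treated as suspect), as an added example that is not part of any comment. The alias table, the `.example` domains, the sample messages and the reliance on a `Delivered-To` header recorded by the receiving mail server are all assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed alias table: tag -> sender domains that were given that alias.
ALIASES = {
    "netflix": {"netflix.example"},
    "electricbill": {"power.example"},
    "ebay": {"ebay.example"},
    "mike": {"misco.example"},  # non-obvious tag, as one comment suggests
}
BASE_LOCAL = "ilikespam"           # mailbox used with + notation
PLUS_DOMAIN = "whatever2.example"  # provider that supports + notation
OWN_DOMAIN = "mydomain.example"    # own domain: alias@mydomain.example


def alias_tag(recipient):
    """Tag the mail was addressed to; '' for the bare base address;
    None when the address is not one of ours."""
    local, _, domain = recipient.lower().rpartition("@")
    if domain == PLUS_DOMAIN:
        base, _, tag = local.partition("+")
        return tag if base == BASE_LOCAL else None
    if domain == OWN_DOMAIN:
        return local
    return None


def sender_domain(msg):
    """Domain claimed in From. It can be forged, which is why the verdict
    depends on the alias the mail arrived at, not on From alone."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def domain_allowed(domain, allowed):
    """Exact match or a subdomain of a domain the alias was issued to."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def classify(raw):
    """Return (verdict, tag) for one raw message."""
    msg = message_from_string(raw)
    rcpt = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1]
    tag = alias_tag(rcpt)
    if tag is None:
        return ("not-ours", None)
    if tag == "":
        return ("untagged", None)       # nobody was ever given the bare address
    if tag not in ALIASES:
        return ("unknown-alias", tag)   # never issued: reject, as with a 550
    if domain_allowed(sender_domain(msg), ALIASES[tag]):
        return ("ok", tag)
    return ("alias-mismatch", tag)      # alias reached someone it was not given to


def leaked_aliases(raws):
    """Aliases that received mail from a sender they were not issued to."""
    return sorted({t for v, t in map(classify, raws) if v == "alias-mismatch"})


def make_sample(frm, to):
    """Build a constructed sample message."""
    return f"From: {frm}\nDelivered-To: {to}\nSubject: Invoice overdue\n\nbody\n"


SAMPLES = [  # constructed messages
    make_sample("Netflix <info@mail.netflix.example>", "ilikespam+netflix@whatever2.example"),
    make_sample("Collections <ehardy@debt-agency.example>", "ebay@mydomain.example"),
    make_sample("Amazon <orders@amazon.example>", "ilikespam@whatever2.example"),
    make_sample("Shop <news@shop.example>", "random123@mydomain.example"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    print("leaked:", leaked_aliases(SAMPLES))
```

An `alias-mismatch` verdict names the alias whose holder leaked, sold or shared the address; an `untagged` verdict is the case raised in the thread where the sender has stripped the `+tag`, which hides the source but still marks the message as suspect.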

  3. Troll 'em by wkwilley2 · · Score: 2

    I just like to troll the spammers.

    Anything that makes it past my spam filter is fair game.

    --
    Have you ever fallen asleep at the keybhanusdiog?
    1. Re:Troll 'em by nukenerd · · Score: 2

      I just like to troll the spammers. Anything that makes it past my spam filter is fair game.

      So do I. I am currently getting spam from geof.gibbons@stampwood.co.uk who is not just a spammer, it's even worse - his company is a spam consultancy. They call it "Automated Marketing".

  4. Come on slashdot by Zedrick · · Score: 3, Insightful

    "Clicking on the email apparently installs malware"

    Stuff like this is common in dead tree media, but here, on Slashdot? What email client? All right:

    What do you mean by "clicking" the email? Selecting it, opening it in a separate window or allowing html crap in it to be rendered?

    1. Re:Come on slashdot by Anonymous Coward · · Score: 0

      Probably clicking the MalwareInstaller.exe attachment.

    2. Re:Come on slashdot by Anonymous Coward · · Score: 0

      Per the article (yea, I know) there's a link in the email you need to click on to install the ransomware.

    3. Re:Come on slashdot by Pfhorrest · · Score: 1

      What kind of broken browser / operating system allows clicking a link to install new software?

      Download an installer (or just the app itself for sane operating systems that don't need "installers"), sure, but run it?

      In any software environment that's not pants-on-head retarded, the steps required to get infected this way would have to be:

      - User opens email.
      - User clicks link in email.
      - User runs program that link downloads.

      At which point it's the damn user's own fault; you can't protect a computer from errors between keyboard and chair.

      But if merely viewing a message or document can execute code, then the error is in the software somewhere.

      --
      -Forrest Cameranesi, Geek of all Trades
      "I am Sam. Sam I am. I do not like trolls, flames, or spam."
  5. Data Collection by Anonymous Coward · · Score: 0

    I just don't understand those darn users demanding privacy and personal data security. Why don't they want to give us their real email address when signing up for things?

  6. Spear-phishing by redelm · · Score: 2, Insightful

    Ho, hum, the Beeb is dumb!

    This sort of phishing including personal details is properly called spear-phishing. Most likely, some UK retailer/service provider "lost" parts of the customer database, including email addys and physical address, but [interestingly] not including customer names.

    If their DB included the [I hope] standard bogus "trap" entries, they should have been hit and the DB owner know of the loss. More interesting will be if they own up.

    1. Re:Spear-phishing by phorm · · Score: 1

      Or various people signed up for some "contest" online, joined a facebook group/app, etc

    2. Re:Spear-phishing by Anonymous Coward · · Score: 0

      I received such an email. It had my correct name and correct address. There was no 'Dear Customer', it was properly addressed to myself. It was the most convincing phishing email I have received to date. It stated that they would be posting me an invoice. Presumably that would be to lull me into a sense that this was something legitimate that would be followed up. By the time the 'invoice' fails to arrive I would have clicked the malware link or been scammed out of a payment.

      The only things that were odd were:
      1. I had not purchased anything from the company that I purportedly owed money to.
      2. Given that the email purportedly came from a firm collecting the debt they did not have a credible email address (after googling).
      3. The url for the 'invoice' did not look credible
      4. Both the company in 1 and the organization in 2 appear to exist and are most likely legitimate organizations having liberties taken with their good names.

      If I had been a business that could have credibly made a purchase from the alleged creditor then this would have been harder to spot.

      I get the impression that if getting people to click malware links is not the aim then the aim is to get harried accounts clerks in small and medium sized businesses with loose financial practices to pay fake invoices.

    3. Re:Spear-phishing by Builder · · Score: 1

      It has names. My mother in-law got two of these a few days ago. They had her name with correct honorific, home address and e-mail address. It was the most real phishing attack I've ever seen.

    4. Re:Spear-phishing by Anonymous Coward · · Score: 0

      Just a point to add. The tone of the email was carefully chosen. It implied that there was an outstanding debt that needed dealing with efficiently, but the ante had not been upped with immediate threats of legal action for unrealistic amounts of money. It was implied that there was no need to panic, just something that if dealt with in good time would be resolved simply and go away.

  7. Did we forget about "mail merge"? by xxxJonBoyxxx · · Score: 1

    "Knows your address" made me laugh. Of course, there are lists that have email addresses and physical addresses in different columns. Good phishing emails already insert variables like your name (if known) in the right places - it's trivial to also put in an address too.

    1. Re:Did we forget about "mail merge"? by Anonymous Coward · · Score: 2

      The point here is that this appears to be spear phishing attack on a mass scale. It is not about how easy or difficult it is to create a fraudulent email.

  8. Affected operating systems? by Dadoo · · Score: 1

    It would also be nice if the source article could tell us which operating systems it affects. Do I have to worry about my Linux machines and my parents' Macs, or does this just affect Windows?

    --
    Sit, Ubuntu, sit. Good dog.
  9. I've had a couple of these now by richy+freeway · · Score: 2

    ehardy@cc-systems.org.uk
    4 Apr (2 days ago)
    Reply
    to me
    Dear xxxxxxx xxxx,

    Regarding the amount due 561.45 GBP, we act on behalf of Bondline Electronics Ltd in order to collect the outstanding account value of your debt.

    We would like to remind you that the amount above was due for payment on 29.03.16 but as no payment has been received, your invoice is now considered as overdue. Please find a printable version of your invoice at the following link:
    http://kojomaindustries.com/in...

    Original invoice will be sent out to:
    xxxxxx xxxxx
    15 xxxx xxxxx
    Cxxxxx, xxxxxx xHxxxF

    In order to avoid further costs, please forward the payment to us and transfer the amount due not later than 13.04.16

    Yours sincerely,
    Ernest Hardy

    Address was indeed written exactly as I do and the original link went to a page with my name, but spelt incorrectly asking for a captcha to be entered. I didn't enter so no idea what was beyond it, nothing good I'd wager.

    1. Re:I've had a couple of these now by Anonymous Coward · · Score: 0

      Me too. They are hosting the malware on hacked websites that serve up a file sharing interface only when provided with specific parameters in the request.
      The interesting thing is that the request parameters are short and do not contain the real name of the target whereas the response displays the target's name. As such the hacked site must contain a map of parameters to target's names. This is quite disconcerting and more advanced than I've seen before. The contents of this map could contain a lot of names if it really is "big net" spear phishing.

      The malware interface serves up a .zip containing a .scr. ClamAV didn't make anything of it so it's obviously not something common. It tracks all requests using a legitimate analytics tool based in Germany passing firstname and surname onto their system. The interface itself contains almost nothing you can search on, making googling it very difficult.

    2. Re:I've had a couple of these now by MrL0G1C · · Score: 1

      The incorrect spelling is the clue that could show who got compromised / leaked your data. It also suggests that a company that interacted with you by phone or by written form leaked the data, again the manner of the mis-spelling could indicate which method of communication it was.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    3. Re:I've had a couple of these now by richy+freeway · · Score: 1

      The spelling in the original email was perfect, it was only when I clicked the link did the incorrect spelling appear.

      They got my surname wrong by one vowel.

    4. Re:I've had a couple of these now by Anonymous Coward · · Score: 0

      Which suggests the database on the website is manually populated with the names... seems like an arduous task for such a widespread attack.

    5. Re:I've had a couple of these now by Anonymous Coward · · Score: 0

      One clear failing is using dots in the DMY dates. No one does that in the UK. Furthermore, any official letter will probably use full names for the month as well as ordinals for the day number.

    6. Re:I've had a couple of these now by Anonymous Coward · · Score: 0

      Or maybe they fuzz their database entries to make it harder to track where the data leaked from? Or to make it harder for people to find themselves in publicized leaked databases?

    7. Re:I've had a couple of these now by Anonymous Coward · · Score: 0

      Yes that's a good point. It seems like an odd thing to do though, send out an email with all the right details in and then link to a website that is serving a fuzzed name.

      Here's an example that would support your fuzzing theory:

      http://phishcheck.me/6768/details

      s/o/a/ I'm guessing.

  10. Next gen spearphishing will use AI by presidenteloco · · Score: 4, Insightful

    Having constructed a profile of you by mining your online activities via tracking networks, it will guess with uncanny accuracy what scam is going to seem plausible to you and seem specifically consistent with your recent activities and interests.

    Then it will send you an email or text or tweet seemingly from a close associate of some business or personal connection/contact you have, and the invitation for you to act will be convincingly specific to your life and recent interests.

    --

    Where are we going and why are we in a handbasket?
  11. Interesting change in strategy by ZorinLynx · · Score: 1

    I've read that scammers tend to write their E-mails using bad grammar and spelling on purpose, because they only want the most dimwitted people out there falling for their scam; idiots tend to part with their money and private information a lot more easily.

    These guys seem to be going in the other direction, making the E-mails look as legitimate and official as possible, thus going after more savvy individuals too.

    I guess maybe they're running out of suckers?

    1. Re:Interesting change in strategy by Anonymous Coward · · Score: 0

      Scammers want suckers because a savvy person won't provide the payoff. Extortionists want anyone, because anyone infected by ransomware is a potential payoff no matter how smart they are.

    2. Re:Interesting change in strategy by Anonymous Coward · · Score: 0

      Disagree.

      Extortionists want suckers, because they are likely to pay. The rest of us would simply restore from backup.

      - "But what if I don't have a recent backup?"
      - "Sucker".

    3. Re:Interesting change in strategy by GuB-42 · · Score: 1

      But... I had "backup" written right there in my todo list...

  12. whois by short · · Score: 1

    What's interesting on that? Just run whois on each recipient's domain.

  13. My company is a "victim" of this by BellyJelly · · Score: 1

    There have been loads of targeted emails like this sent out pretending to be from debt collection agencies acting on our behalf. Our switchboard and generic company email address were swamped by calls from the recipients. Some were quite nasty and threatened violence....

  14. "Clicking on the email" by Anonymous Coward · · Score: 0

    Clicking WHAT, exactly, on the e-mail, installs malware? Could they be a bit more descriptive? HOW does it install malware? By reading the text of an e-mail? How?

    1. Re:"Clicking on the email" by Anonymous Coward · · Score: 0

      The email contained a url.

  15. Clicking installs malware by Pfhorrest · · Score: 1

    Clicking on the email apparently installs malware...

    What the hell kind of broken mail client executes random code just because the user asked to view a message?

    Oh right, Outlook. Well, there's your problem.

    --
    -Forrest Cameranesi, Geek of all Trades
    "I am Sam. Sam I am. I do not like trolls, flames, or spam."
  16. Worried when e-mails know I'm an Anonymous Coward by Anonymous Coward · · Score: 0

    I'll be worried when a phishing email arrives and tells me that I am posting on slashdot as an Anonymous Coward.

  17. lol manish.... by Anonymous Coward · · Score: 0

    lol manish.... welcome to the early 2000s... say hello to the BBC as well

  18. The big question here is by al0ha · · Score: 1

    Where are the miscreants getting such good data? I certainly don't believe they are scraping it off the web; more likely criminal organizations are legitimately purchasing this data from Alexa, TRD, Facebook, Google and others whose primary business is selling data about you to third parties. Big business cares very little about whom they are actually doing business with, as long as the money is good, the sale is made.

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    1. Re:The big question here is by nukenerd · · Score: 2

      Where are the miscreants getting such good data?

      They got mine from ebay or PayPal. I got one of these via an address that I only use for those organisations.

    2. Re:The big question here is by Anonymous Coward · · Score: 1

      http://info.rippleshot.com/blog/ebay
      Year and a half ago, 128 million ebay records breached, including addresses. So that would be why. Guess some UK cyber crooks found a good way to exploit the info and bought the data from someone.

  19. I'm curious about the "Dell" phone calls by Anonymous Coward · · Score: 0

    Where they know the specific model of computer that I have.

  20. The most secure thing you can do at this point by OrangeTide · · Score: 1

    Is to delete your email client and forget your gmail password. Stop reading email if scams are so sophisticated that you cannot detect a con.

    --
    “Common sense is not so common.” — Voltaire
  21. Phishing email attacks computing device :) by khz6955 · · Score: 1

    Slashdot: "Clicking on the email apparently installs malware such as Cryptlocker ransomware on the recipient's computing device"

    Original article: "clicking on the link would install malware such as Cryptolocker, which is a form of ransomware that will encrypt files on Windows-based computers."
    --

    This place is getting worse than the Register for free Adverts for Microsoft and managing to not mention W*****S in relation to the malware plague currently infesting "computers" everywhere.

  22. Emails, phone calls, even letters! by DNX+Blandy · · Score: 1

    Well, what can I say about the sorry state spammers and scammers have left today's digital and manual communication systems. The phishing emails are getting better but IT savvy techs are not fooled, but I cannot say the same for the average Joe or Jane Bloggs. It's all a complete mess :(

  23. Current email, but very old address by Catmeat · · Score: 1

    I got one two days ago - it had my email but an address that was current as of ten years ago. I googled some of the phrases in the email and got some early reports of others getting it and reporting the same thing - current email and old postal address. I've got a feeling it's an ebay seller that got hacked.

  24. Dangerous and quite convincing by simonwalton · · Score: 1

    I have to admit, I received such an email and for a few seconds I was quite concerned. I've never had one of these attempts not only pass my spam filter, but also provide my home address. I can imagine many people falling for this one. Ideally contact your family members to advise them never to click anything in such an email.