Slashdot Mirror

← Back to Stories (view on slashdot.org)

Phishing Email That Knows Your Address (bbc.com)

Posted by msmash on from the evolution-of-phishing-emails dept.

An anonymous reader writes: BBC is reporting about a new type of phishing email that includes the recipient's home address. The publication, citing sources, claims that thousands of people have already received such malicious emails. Clicking on the email apparently installs malware such as Cryptlocker ransomware on the recipient's computing device. From the report, "Members of the BBC Radio 4's You and Yours team were among those who received the scam emails, claiming they owed hundreds of pounds to UK firms. The firms involved have been inundated with phone calls from worried members of the public. 'The email has good spelling and grammar and my exact home address...when I say exact I mean, not the way my address is written by those autofill sections on web pages, but the way I write my address.'"

7 of 108 comments (clear)

  1. Oh, come on, now! by kheldan · · Score: 5, Insightful

    Any truly important, official communication from a government agency, or from any company demaning payment of any sort, is going to send it in a printed letter, not an email.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    1. Re:Oh, come on, now! by gstoddart · · Score: 4, Insightful

      But the more convincing it looks, and the more information is has about you, the more likely people will fall for this.

      By the time you're talking about phishing crafted to this level of detail, it has more than enough information in it to make you think "holy crap, this shit looks real".

      The problem is the level of paranoia internet safety seems to require would almost be a clinical condition in meatspace ... and that isn't something normal people have.

      I mean, it's definitely not a normal state to consider everything anybody says to you to likely to be a conspiracy to defraud you. But increasingly email, and even incoming telephone calls, require a level of paranoia, distrust, and misanthropy as to make you crazy by more normal standards. The world IS full of assholes who ARE out to get you and ARE actively lying to you.

      To your average person who just wants some email and access to the intertubes, doing that would require a level of cognitive dissonance which would cause you to never leave your house.

      Fortunately, many of us here already exhibit these traits naturally, and already don't leave the house, so we can adjust to it. But for more normal people, it really is a big leap.

      I mean, picture trying to get your grandmother to exhibit as much paranoia as avoiding this stuff would require. Next time you went to visit she'd meet you with a shotgun and refuse to let you in.

      --
      Lost at C:>. Found at C.
    2. Re:Oh, come on, now! by gstoddart · · Score: 5, Insightful

      The problem is it takes only about a 1-2% success rate to make spam effective. Probably far far less when it's this targeted.

      Say you're in an organization of 1000 people ... the security of your network is determined by the 10-20 most gullible people in your organization ... at least 5 of which will be in management. Think about the dumbest 1-2% of your organization, and think "dear god, are we really depending on them for our overall security?"

      And, really, "effort" is a relative term when it's a computer doing all the heavy lifting. It's not like someone has to individually type all of those messages.

      It clearly works, or it would have stopped on its won by now.

      --
      Lost at C:>. Found at C.
  2. Come on slashdot by Zedrick · · Score: 3, Insightful

    "Clicking on the email apparently installs malware"

    Stuff like this is common in dead tree media, but here, on Slashdot? What email client? Allright:

    What do you mean by "clicking" the email? Selecting it, opening it in a separate window or allowing html crap in it to be rendered?

  3. Spear-phishing by redelm · · Score: 2, Insightful

    Ho, hum, the Beeb is dumb!

    This sort of phishing including personal details is properly called spear-phishing. Most likely, some UK retailer/service provider "lost" parts of the customer database, including email addys and physical adress, but [interestingly] not including customer names.

    If their DB included the [I hope] standard bogus "trap" entries, they should have been hit and the DB owner know of the loss. More interesting will be if they own up.

  4. Re:alternate email address by SQLGuru · · Score: 4, Insightful

    You can do something similar with GMail using a + instead of a .

    Periods are ignored completely, so kenneth.facebook is the same as ken.neth.face.book.

    Plusses make everything past the plus be ignored. So kenneth+facebook is the same as kenneth.

  5. Next gen spearphishing will use AI by presidenteloco · · Score: 4, Insightful

    Having constructed a profile of you by mining your online activities via tracking networks, it will guess with uncanny accuracy what scam is going to seem plausible to you and seem specifically consistent with your recent activities and interests.

    Then it will send you an email or text or tweet seemingly from a close associate of some business or personal connection/contact you have, and the invitation for you to act will be convincingly specific to your life and recent interests.

    --

    Where are we going and why are we in a handbasket?