Slashdot Mirror


Phishing Email That Knows Your Address (bbc.com)

An anonymous reader writes: BBC is reporting about a new type of phishing email that includes the recipient's home address. The publication, citing sources, claims that thousands of people have already received such malicious emails. Clicking on the email apparently installs malware such as Cryptlocker ransomware on the recipient's computing device. From the report, "Members of the BBC Radio 4's You and Yours team were among those who received the scam emails, claiming they owed hundreds of pounds to UK firms. The firms involved have been inundated with phone calls from worried members of the public. 'The email has good spelling and grammar and my exact home address...when I say exact I mean, not the way my address is written by those autofill sections on web pages, but the way I write my address.'"

22 of 108 comments

  1. Oh, come on, now! by kheldan · · Score: 5, Insightful

    Any truly important, official communication from a government agency, or from any company demanding payment of any sort, is going to send it in a printed letter, not an email.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    1. Re:Oh, come on, now! by Nunya666 · · Score: 5, Interesting

      Any truly important, official communication from a government agency, or from any company demanding payment of any sort, is going to send it in a printed letter, not an email.

      The average user does not know that. Perhaps they just don't care, or they're too ignorant to know better. Unfortunately, that "fact of life" is exactly why phishing emails work.

      My wife is a perfect example. She is intelligent, but not technically savvy. She once asked me if she should click/touch something on her Android phone. It was an advertisement, disguised to look like a "you've got mail" alert. I told her to ignore it, since it's just an ad. "But it says I have mail, shouldn't I click on it?" No, honey, anything that appears in that area of the screen (in that particular app) is just an advertisement. Ignore it. "But it looks so real!"

      We even had a successful phishing attack at work recently. The email said it came from the IT department, and that you needed to click on the link to validate your domain credentials. It didn't look like any of our official communications, and the "click here" link was a shortened URL. It was pretty obvious to me that it was a phishing attempt, but several users clicked on the link anyway, and keyed in their domain credentials into the web form. Thankfully, it didn't install a cryptovirus, or spread to the network.

    2. Re:Oh, come on, now! by gstoddart · · Score: 4, Insightful

      But the more convincing it looks, and the more information it has about you, the more likely people will fall for this.

      By the time you're talking about phishing crafted to this level of detail, it has more than enough information in it to make you think "holy crap, this shit looks real".

      The problem is the level of paranoia internet safety seems to require would almost be a clinical condition in meatspace ... and that isn't something normal people have.

      I mean, it's definitely not a normal state to consider everything anybody says to you to likely be a conspiracy to defraud you. But increasingly email, and even incoming telephone calls, require a level of paranoia, distrust, and misanthropy as to make you crazy by more normal standards. The world IS full of assholes who ARE out to get you and ARE actively lying to you.

      To your average person who just wants some email and access to the intertubes, doing that would require a level of cognitive dissonance which would cause you to never leave your house.

      Fortunately, many of us here already exhibit these traits naturally, and already don't leave the house, so we can adjust to it. But for more normal people, it really is a big leap.

      I mean, picture trying to get your grandmother to exhibit as much paranoia as avoiding this stuff would require. Next time you went to visit she'd meet you with a shotgun and refuse to let you in.

      --
      Lost at C:>. Found at C.
    3. Re:Oh, come on, now! by Anonymous Coward · · Score: 3, Informative

      Any truly important, official communication from a government agency, or from any company demanding payment of any sort, is going to send it in a printed letter, not an email.

      False. I get my vehicle registration renewal notices via email.

      "Anecdote != evidence!"

      You are implying that such communications will never be sent via email. As such, I need find but a single example to prove you wrong.

    4. Re:Oh, come on, now! by gstoddart · · Score: 5, Insightful

      The problem is it takes only about a 1-2% success rate to make spam effective. Probably far far less when it's this targeted.

      Say you're in an organization of 1000 people ... the security of your network is determined by the 10-20 most gullible people in your organization ... at least 5 of which will be in management. Think about the dumbest 1-2% of your organization, and think "dear god, are we really depending on them for our overall security?"

      And, really, "effort" is a relative term when it's a computer doing all the heavy lifting. It's not like someone has to individually type all of those messages.

      It clearly works, or it would have stopped on its own by now.

      --
      Lost at C:>. Found at C.
    5. Re:Oh, come on, now! by Pascoea · · Score: 2

      But increasingly email, and even incoming telephone calls, require a level of paranoia, distrust, and misanthropy as to make you crazy by more normal standards

      You're not kidding. I consider myself pretty vigilant about e-mail and clicking links. I recently got a nearly perfectly crafted e-mail from "Amazon" about a "recent order". I buy A LOT of shit off Amazon, so I didn't think anything of it. The only reason I didn't get zapped by it is I never click on the tracking/order links from them; I always go to their site manually. Thinking to myself "I don't remember ordering anything in the last couple days" I went to Amazon's site, thinking my username got stolen and someone was buying shit, and couldn't find an order. Going back to my e-mail I see that it was sending me to some random site. Sneaky bastards.

      Point being, the Phishers are getting better and better.

    6. Re:Oh, come on, now! by Geoffrey.landis · · Score: 2

      We even had a successful phishing attack at work recently. The email said it came from the IT department, and that you needed to click on the link to validate your domain credentials. It didn't look like any of our official communications, and the "click here" link was a shortened URL. It was pretty obvious to me that it was a phishing attempt, but several users clicked on the link anyway, and keyed in their domain credentials into the web form. Thankfully, it didn't install a cryptovirus, or spread to the network.

      Well, on an average day most users will probably be suspicious of a link like that. The phishers count on the fact that, on any given day, some percentage of the recipients will have just finished leaving a message with tech support saying "I can't access the server, could you reset my account?"

      Since they're expecting an email with exactly that text, their defenses will be down.

      --
      http://www.geoffreylandis.com
    7. Re:Oh, come on, now! by Anonymous+Brave+Guy · · Score: 2

      Any truly important, official communication from a government agency, or from any company demanding payment of any sort, is going to send it in a printed letter, not an email.

      On what planet? My companies routinely send invoices to customers/clients by e-mail. We routinely get invoices from suppliers and service providers by e-mail, too. For things like signed contracts with serious amounts of money involved, sure, we'd send registered letters, but day-to-day has been mostly electronic for a long time here.

      An unfortunate consequence of this is that since e-mail in general is not secure and in particular is not tamper-proof or reliably authenticated, it is open to this kind of abuse. I know some businesses we deal with have had some horrible incidents that cost them a lot of money because their in-house procedures weren't robust against an attacker who had enough inside information to look plausible.

      A particularly devastating technique I've come across recently for attacking smaller and less formal businesses is based on identifying who normally pays invoices, someone more senior who they report to, and a pattern of where new suppliers might be and what sorts of amounts they'd be invoicing for. It's often pretty easy to guess this sort of information with minimal actual content, if say the company web site provides a couple of key names and contact details that legitimate business associates might actually need.

      However, given that information, a malicious third party can then easily impersonate the e-mail of the senior person and send something asking the invoice-payer to settle a realistic bill for a new supplier. Thanks to the wonders of services like Google Mail, it will probably even arrive in their work inbox with the senior person's usual picture right there next to their name and e-mail address, looking all official and normal. Time it so the senior person is out at a meeting or on holiday or otherwise not there to answer a quick phone call, add a credible note that, say, you're trying to build a good long-term relationship with this new supplier to please try to settle up promptly to make a good impression, and it's easy to see how even though everyone is well meaning, they can be fooled simply because they didn't understand that the fake ID aspect was possible and as far as they knew it was all official communication using their normal work e-mail system.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    8. Re:Oh, come on, now! by Anonymous Coward · · Score: 2

      Some of my company's internal IT emails actually look like spam.

    9. Re:Oh, come on, now! by Anonymous+Brave+Guy · · Score: 3

      Sure, but my point is that it is not an exception in this case. Sending and receiving invoices and other payment-related documentation by e-mail has been the norm for a lot of organisations for a long time. That's why this sort of scam is, regrettably, so effective.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    10. Re:Oh, come on, now! by KGIII · · Score: 2

      For starters, don't be stupid and read your fucking email in plain text.

      Don't take it personal... I've been giving that same lecture since about 1998. Stop reading the shit in HTML format. There are not that many rose graphics as backgrounds that are worth the risk. Plain text folks... Simple HTML works but, for the love of fuck, open a browser and paste in the copied address before visiting.

      Know what the damned button does before you fucking click it!

      Err... Yeah... Sorry, like I said, since about 1998... I'm kind of tired of telling people how to practice safe hex. They don't listen.

      --
      "So long and thanks for all the fish."
  2. alternate email address by kennethmci · · Score: 4, Interesting

    I remember a while back I read about an interesting way to identify where this info is coming from. If you have your own domain, there are people out there who will append the site name to their email address when they sign up.... e.g. kenneth.facebook@yourdomain.com - then as you receive spam you can see where it originated from...due to them sharing your email (or if it was stolen). Would be interesting to know if anyone has done this and identified the original source of the data.

    1. Re:alternate email address by SQLGuru · · Score: 4, Insightful

      You can do something similar with GMail using a + instead of a .

      Periods are ignored completely, so kenneth.facebook is the same as ken.neth.face.book.

      Plusses make everything past the plus be ignored. So kenneth+facebook is the same as kenneth.

    2. Re:alternate email address by jmcwork · · Score: 2

      I have my own domain and any email address that does not have a dedicated mailbox gets sent to the admin 'catch-all' mailbox. If I sign up for something, anything that wants an email address, I usually use businessname@mydomain.com for the address. I get a lot of funny looks when I feed back an email address with their name in it (even had a few people accuse me of attempting to hack their system by doing this!). I just let my email reader filter things to different folders based on the incoming email address. If I see a bunch of spam in one I can send it right back to the business and tell them why I am now blocking their email. I used to do the same thing with my snail mail by modifying the spelling of my street name. If I started getting junk mail to that version, I would take out all the personal info, jam the rest into their pre-paid envelopes and send it back to them.
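The tagging trick discussed in this subthread (site name appended to the local part on a custom catch-all domain, or a Gmail "+" tag with dots ignored) only pays off if you can later group incoming mail by tag. The following is an added example, not code from any commenter; the base name `kenneth`, the domains and the message list are all constructed for illustration, and the example generalises to both address styles at once.

```python
from collections import Counter

# Constructed sample of (sender, recipient) pairs as they might appear in a
# mailbox export. Recipients carry a site tag either as a dotted suffix on a
# custom catch-all domain (kenneth.shopsite@yourdomain.com) or as a Gmail
# "+" tag (ken.neth+shopsite@gmail.com, where the dots are ignored).
SAMPLE_MESSAGES = [
    ("newsletter@shop-example.test", "kenneth.shopsite@yourdomain.com"),
    ("collections@debt-example.test", "kenneth.shopsite@yourdomain.com"),
    ("invoice@debt-example.test", "ken.neth+shopsite@gmail.com"),
    ("friend@example.test", "kenneth@yourdomain.com"),
    ("promo@other-example.test", "kenneth.forum@yourdomain.com"),
]

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def split_tag(address, base="kenneth"):
    """Return (canonical_local, tag) for an address; tag is None if untagged.

    Gmail-style domains: dots in the local part are ignored and everything
    after the first '+' is the tag. Custom domain: the convention from the
    thread is base.tag@domain, so anything after "base." is the tag.
    """
    local, _, domain = address.lower().partition("@")
    if domain in GMAIL_DOMAINS:
        local, _, tag = local.partition("+")
        return local.replace(".", ""), (tag or None)
    prefix = base + "."
    if local.startswith(prefix):
        return base, local[len(prefix):]
    return local, None


def leak_report(messages, base="kenneth"):
    """Group senders by the tag they wrote to, so a leaked tag stands out.

    Returns {tag: Counter({sender_domain: count})}; untagged mail carries no
    origin information and is skipped.
    """
    report = {}
    for sender, recipient in messages:
        _, tag = split_tag(recipient, base)
        if tag is None:
            continue
        sender_domain = sender.lower().rpartition("@")[2]
        report.setdefault(tag, Counter())[sender_domain] += 1
    return report


if __name__ == "__main__":
    for tag, senders in leak_report(SAMPLE_MESSAGES).items():
        print(tag, dict(senders))
```

A tag that suddenly receives mail from domains you never dealt with is the signal that the site behind that tag shared or lost your address.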

  3. Troll 'em by wkwilley2 · · Score: 2

    I just like to troll the spammers.

    Anything that makes it past my spam filter is fair game.

    --
    Have you ever fallen asleep at the keybhanusdiog?
    1. Re:Troll 'em by nukenerd · · Score: 2

      I just like to troll the spammers. Anything that makes it past my spam filter is fair game.

      So do I. I am currently getting spam from geof.gibbons@stampwood.co.uk who is not just a spammer, it's even worse - his company is a spam consultancy. They call it "Automated Marketing".

  4. Come on slashdot by Zedrick · · Score: 3, Insightful

    "Clicking on the email apparently installs malware"

    Stuff like this is common in dead tree media, but here, on Slashdot? What email client? Alright:

    What do you mean by "clicking" the email? Selecting it, opening it in a separate window or allowing html crap in it to be rendered?

  5. Spear-phishing by redelm · · Score: 2, Insightful

    Ho, hum, the Beeb is dumb!

    This sort of phishing including personal details is properly called spear-phishing. Most likely, some UK retailer/service provider "lost" parts of the customer database, including email addys and physical address, but [interestingly] not including customer names.

    If their DB included the [I hope] standard bogus "trap" entries, they should have been hit and the DB owner knows of the loss. More interesting will be if they own up.

  6. I've had a couple of these now by richy+freeway · · Score: 2

    ehardy@cc-systems.org.uk
    4 Apr (2 days ago)
    Reply
    to me
    Dear xxxxxxx xxxx,

    Regarding the amount due 561.45 GBP, we act on behalf of Bondline Electronics Ltd in order to collect the outstanding account value of your debt.

    We would like to remind you that the amount above was due for payment on 29.03.16 but as no payment has been received, your invoice is now considered as overdue. Please find a printable version of your invoice at the following link:
    http://kojomaindustries.com/in...

    Original invoice will be sent out to:
    xxxxxx xxxxx
    15 xxxx xxxxx
    Cxxxxx, xxxxxx xHxxxF

    In order to avoid further costs, please forward the payment to us and transfer the amount due not later than 13.04.16

    Yours sincerely,
    Ernest Hardy

    Address was indeed written exactly as I do, and the original link went to a page with my name, but spelt incorrectly, asking for a captcha to be entered. I didn't enter, so no idea what was beyond it; nothing good, I'd wager.

  7. Next gen spearphishing will use AI by presidenteloco · · Score: 4, Insightful

    Having constructed a profile of you by mining your online activities via tracking networks, it will guess with uncanny accuracy what scam is going to seem plausible to you and seem specifically consistent with your recent activities and interests.

    Then it will send you an email or text or tweet seemingly from a close associate of some business or personal connection/contact you have, and the invitation for you to act will be convincingly specific to your life and recent interests.

    --
    Where are we going and why are we in a handbasket?
  8. Re:Did we forget about "mail merge"? by Anonymous Coward · · Score: 2

    The point here is that this appears to be a spear-phishing attack on a mass scale. It is not about how easy or difficult it is to create a fraudulent email.

  9. Re:The big question here is by nukenerd · · Score: 2

    Where are the miscreants getting such good data?

    They got mine from ebay or PayPal. I got one of these via an address that I only use for those organisations.