Slashdot Mirror


Phishing Email That Knows Your Address (bbc.com)

An anonymous reader writes: The BBC is reporting on a new type of phishing email that includes the recipient's home address. The publication, citing sources, claims that thousands of people have already received such malicious emails. Clicking on the email apparently installs malware such as CryptoLocker ransomware on the recipient's computing device. From the report, "Members of the BBC Radio 4's You and Yours team were among those who received the scam emails, claiming they owed hundreds of pounds to UK firms. The firms involved have been inundated with phone calls from worried members of the public. 'The email has good spelling and grammar and my exact home address...when I say exact I mean, not the way my address is written by those autofill sections on web pages, but the way I write my address.'"


  1. Oh, come on, now! by kheldan · · Score: 5, Insightful

    Any truly important, official communication from a government agency, or from any company demanding payment of any sort, is going to send it in a printed letter, not an email.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    1. Re:Oh, come on, now! by Nunya666 · · Score: 5, Interesting

      Any truly important, official communication from a government agency, or from any company demanding payment of any sort, is going to send it in a printed letter, not an email.

      The average user does not know that. Perhaps they just don't care, or they're too ignorant to know better. Unfortunately, that "fact of life" is exactly why phishing emails work.

      My wife is a perfect example. She is intelligent, but not technically savvy. She once asked me if she should click/touch something on her Android phone. It was an advertisement, disguised to look like a "you've got mail" alert. I told her to ignore it, since it's just an ad. "But it says I have mail, shouldn't I click on it?" No, honey, anything that appears in that area of the screen (in that particular app) is just an advertisement. Ignore it. "But it looks so real!"

      We even had a successful phishing attack at work recently. The email said it came from the IT department, and that you needed to click on the link to validate your domain credentials. It didn't look like any of our official communications, and the "click here" link was a shortened URL. It was pretty obvious to me that it was a phishing attempt, but several users clicked on the link anyway, and keyed in their domain credentials into the web form. Thankfully, it didn't install a cryptovirus, or spread to the network.

    2. Re:Oh, come on, now! by gstoddart · · Score: 4, Insightful

      But the more convincing it looks, and the more information it has about you, the more likely people will fall for this.

      By the time you're talking about phishing crafted to this level of detail, it has more than enough information in it to make you think "holy crap, this shit looks real".

      The problem is the level of paranoia internet safety seems to require would almost be a clinical condition in meatspace ... and that isn't something normal people have.

      I mean, it's definitely not a normal state to consider everything anybody says to you as likely to be a conspiracy to defraud you. But increasingly email, and even incoming telephone calls, require such a level of paranoia, distrust, and misanthropy as to make you crazy by more normal standards. The world IS full of assholes who ARE out to get you and ARE actively lying to you.

      To your average person who just wants some email and access to the intertubes, doing that would require a level of cognitive dissonance which would cause you to never leave your house.

      Fortunately, many of us here already exhibit these traits naturally, and already don't leave the house, so we can adjust to it. But for more normal people, it really is a big leap.

      I mean, picture trying to get your grandmother to exhibit as much paranoia as avoiding this stuff would require. Next time you went to visit she'd meet you with a shotgun and refuse to let you in.

      --
      Lost at C:>. Found at C.
    3. Re:Oh, come on, now! by Anonymous Coward · · Score: 3, Informative

      Any truly important, official communication from a government agency, or from any company demanding payment of any sort, is going to send it in a printed letter, not an email.

      False. I get my vehicle registration renewal notices via email.

      "Anecdote != evidence!"

      You are implying that such communications will never be sent via email. As such, I need but a single example to prove you wrong.

    4. Re:Oh, come on, now! by gstoddart · · Score: 5, Insightful

      The problem is it takes only about a 1-2% success rate to make spam effective. Probably far far less when it's this targeted.

      Say you're in an organization of 1000 people ... the security of your network is determined by the 10-20 most gullible people in your organization ... at least 5 of which will be in management. Think about the dumbest 1-2% of your organization, and think "dear god, are we really depending on them for our overall security?"

      And, really, "effort" is a relative term when it's a computer doing all the heavy lifting. It's not like someone has to individually type all of those messages.

      It clearly works, or it would have stopped on its own by now.

      --
      Lost at C:>. Found at C.
    5. Re:Oh, come on, now! by Anonymous+Brave+Guy · · Score: 3

      Sure, but my point is that it is not an exception in this case. Sending and receiving invoices and other payment-related documentation by e-mail has been the norm for a lot of organisations for a long time. That's why this sort of scam is, regrettably, so effective.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  2. alternate email address by kennethmci · · Score: 4, Interesting

    I remember a while back I read about an interesting way to identify where this info is coming from. If you have your own domain, there are people out there who will append the site name to their email address when they sign up, e.g. kenneth.facebook@yourdomain.com. Then as you receive spam you can see where it originated, due to them sharing your email (or it having been stolen). Would be interesting to know if anyone has done this and identified the original source of the data.

    1. Re:alternate email address by SQLGuru · · Score: 4, Insightful

      You can do something similar with GMail using a + instead of a .

      Periods are ignored completely, so kenneth.facebook is the same as ken.neth.face.book.

      A plus makes everything after it ignored. So kenneth+facebook is the same as kenneth.
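
As an added example (not code from the page or from either commenter), here is the tagging trick from the two comments above in Python: it reads the tag out of the address a spam message was sent to, so you can tell which signup leaked it, and it also computes the canonical form a list-cleaning spammer would derive for a Gmail address, which is why "+" tags are easy to defeat and a tag on a catch-all domain you run is not. `yourdomain.com`, the tag names and the sample message are constructed placeholders.

```python
# Added example: trace a leaked address back to the service it was given to,
# using the '.site' tag on a domain you control (kennethmci's comment) or
# Gmail's '+tag' sub-addressing (SQLGuru's comment).  yourdomain.com, the
# tags and the message below are constructed placeholders, not page data.
from email import message_from_string
from email.utils import getaddresses
from typing import Optional, Tuple

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def split_tagged(addr: str) -> Tuple[str, Optional[str], str]:
    """Return (base, tag, domain) for a tagged address.

    '+tag' is the sub-address form Gmail and many MTAs support.
    '.tag' is the per-site convention on a catch-all domain you own.
    Gmail ignores dots entirely, so on Gmail a dotted local part carries
    no tag and is returned unchanged.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    if "+" in local:
        base, tag = local.split("+", 1)
    elif domain not in GMAIL_DOMAINS and "." in local:
        base, tag = local.split(".", 1)
    else:
        base, tag = local, None
    return base, tag, domain


def gmail_canonical(addr: str) -> str:
    """The form a list-cleaning spammer computes for a Gmail address:
    drop '+tag' and every dot in the local part, which is exactly what
    Gmail's delivery rules do.  Non-Gmail addresses are only lower-cased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def leak_source(raw_message: str, my_domain: str) -> Optional[str]:
    """Read To:/Cc: of a spam message and return the first tag addressed to
    one of our tagged mailboxes, i.e. the signup that leaked the address."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    for _name, addr in getaddresses(headers):
        _base, tag, domain = split_tagged(addr)
        if tag and (domain == my_domain.lower() or domain in GMAIL_DOMAINS):
            return tag
    return None


# Constructed sample: a "you owe us money" mail like the one in the story,
# sent to an address that was only ever handed to one site.
SAMPLE_SPAM = """\
From: "Accounts Department" <accounts@example.invalid>
To: Kenneth <kenneth.facebook@yourdomain.com>
Subject: Outstanding invoice - final notice

You owe GBP 450 for the attached invoice.
"""

if __name__ == "__main__":
    print(leak_source(SAMPLE_SPAM, "yourdomain.com"))       # facebook
    print(gmail_canonical("ken.neth+facebook@gmail.com"))   # kenneth@gmail.com
```

`gmail_canonical` is the reason the "+" trick is weak: anyone who cuts the local part at the first "+" and removes the dots folds every tagged copy of a Gmail address back into one, which is exactly what list-cleaning tools do. A tag on your own catch-all domain gives the spammer nothing to cut at, since they cannot know where `kenneth` ends and the tag begins.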

  3. Come on slashdot by Zedrick · · Score: 3, Insightful

    "Clicking on the email apparently installs malware"

    Stuff like this is common in dead tree media, but here, on Slashdot? What email client? All right:

    What do you mean by "clicking" the email? Selecting it, opening it in a separate window or allowing html crap in it to be rendered?

  4. Next gen spearphishing will use AI by presidenteloco · · Score: 4, Insightful

    Having constructed a profile of you by mining your online activities via tracking networks, it will guess with uncanny accuracy what scam is going to seem plausible to you and seem specifically consistent with your recent activities and interests.

    Then it will send you an email or text or tweet seemingly from a close associate of some business or personal connection/contact you have, and the invitation for you to act will be convincingly specific to your life and recent interests.

    --
    Where are we going and why are we in a handbasket?