Phishing Email That Knows Your Address (bbc.com) 108

An anonymous reader writes: BBC is reporting about a new type of phishing email that includes the recipient's home address. The publication, citing sources, claims that thousands of people have already received such malicious emails. Clicking on the email apparently installs malware such as Cryptlocker ransomware on the recipient's computing device. From the report, "Members of the BBC Radio 4's You and Yours team were among those who received the scam emails, claiming they owed hundreds of pounds to UK firms. The firms involved have been inundated with phone calls from worried members of the public. 'The email has good spelling and grammar and my exact home address...when I say exact I mean, not the way my address is written by those autofill sections on web pages, but the way I write my address.'"
  • Oh, come on, now! (Score:5, Insightful)

    by kheldan ( 1460303 ) on Wednesday April 06, 2016 @01:33PM (#51854261) Journal
    Any truly important, official communication from a government agency, or from any company demanding payment of any sort, is going to send it in a printed letter, not an email.
    • Re:Oh, come on, now! (Score:5, Interesting)

      by Nunya666 ( 4446709 ) on Wednesday April 06, 2016 @01:56PM (#51854443)

      Any truly important, official communication from a government agency, or from any company demanding payment of any sort, is going to send it in a printed letter, not an email.

      The average user does not know that. Perhaps they just don't care, or they're too ignorant to know better. Unfortunately, that "fact of life" is exactly why phishing emails work.

      My wife is a perfect example. She is intelligent, but not technically savvy. She once asked me if she should click/touch something on her Android phone. It was an advertisement, disguised to look like a "you've got mail" alert. I told her to ignore it, since it's just an ad. "But it says I have mail, shouldn't I click on it?" No, honey, anything that appears in that area of the screen (in that particular app) is just an advertisement. Ignore it. "But it looks so real!"

      We even had a successful phishing attack at work recently. The email said it came from the IT department, and that you needed to click on the link to validate your domain credentials. It didn't look like any of our official communications, and the "click here" link was a shortened URL. It was pretty obvious to me that it was a phishing attempt, but several users clicked on the link anyway, and keyed in their domain credentials into the web form. Thankfully, it didn't install a cryptovirus, or spread to the network.

      • by Pascoea ( 968200 )

        The email said it came from the IT department, and that you needed to click on the link to validate your domain credentials...It was pretty obvious to me that it was a phishing attempt, but several users clicked on the link anyway, and keyed in their domain credentials into the web form. Thankfully, it didn't install a cryptovirus, or spread to the network.

        Yup, we got the same one. The next day the whole company started getting spam from an internal e-mail address.

        What shocks me, more than that someone will click on a random e-mail link without knowing where it goes, is that people actually respond to spam e-mails. (the increase your penis size, low low price Viagra, or hot teens want to screw, type spam) You know people are clicking on them, because people/groups wouldn't be expending so much effort to send spam if it wasn't an effective "advertising" met

        • by gstoddart ( 321705 ) on Wednesday April 06, 2016 @02:28PM (#51854609) Homepage

          The problem is it takes only about a 1-2% success rate to make spam effective. Probably far far less when it's this targeted.

          Say you're in an organization of 1000 people ... the security of your network is determined by the 10-20 most gullible people in your organization ... at least 5 of which will be in management. Think about the dumbest 1-2% of your organization, and think "dear god, are we really depending on them for our overall security?"

          And, really, "effort" is a relative term when it's a computer doing all the heavy lifting. It's not like someone has to individually type all of those messages.

          It clearly works, or it would have stopped on its own by now.

      • We even had a successful phishing attack at work recently. The email said it came from the IT department, and that you needed to click on the link to validate your domain credentials. It didn't look like any of our official communications, and the "click here" link was a shortened URL. It was pretty obvious to me that it was a phishing attempt, but several users clicked on the link anyway, and keyed in their domain credentials into the web form. Thankfully, it didn't install a cryptovirus, or spread to the network.

        Well, on an average day most users will probably be suspicious of a link like that. The phishers count on the fact that, on any given day, some percentage of the recipients will have just finished leaving a message with tech support saying "I can't access the server, could you reset my account?"

        Since they're expecting an email with exactly that text, their defenses will be down.

      • by Anonymous Coward

        Some of my company's internal IT emails actually look like spam.

    • by gstoddart ( 321705 ) on Wednesday April 06, 2016 @01:58PM (#51854451) Homepage

      But the more convincing it looks, and the more information it has about you, the more likely people will fall for this.

      By the time you're talking about phishing crafted to this level of detail, it has more than enough information in it to make you think "holy crap, this shit looks real".

      The problem is the level of paranoia internet safety seems to require would almost be a clinical condition in meatspace ... and that isn't something normal people have.

      I mean, it's definitely not a normal state to consider everything anybody says to you to likely to be a conspiracy to defraud you. But increasingly email, and even incoming telephone calls, require a level of paranoia, distrust, and misanthropy as to make you crazy by more normal standards. The world IS full of assholes who ARE out to get you and ARE actively lying to you.

      To your average person who just wants some email and access to the intertubes, doing that would require a level of cognitive dissonance which would cause you to never leave your house.

      Fortunately, many of us here already exhibit these traits naturally, and already don't leave the house, so we can adjust to it. But for more normal people, it really is a big leap.

      I mean, picture trying to get your grandmother to exhibit as much paranoia as avoiding this stuff would require. Next time you went to visit she'd meet you with a shotgun and refuse to let you in.

      • by Pascoea ( 968200 )

        But increasingly email, and even incoming telephone calls, require a level of paranoia, distrust, and misanthropy as to make you crazy by more normal standards

        You're not kidding. I consider myself pretty vigilant about e-mail and clicking links. I recently got a nearly perfectly crafted e-mail from "Amazon" about a "recent order", I buy A LOT of shit of Amazon, so I didn't think anything of it. The only reason I didn't get zapped by it is I never click on the tracking/order links from them, I always go to their site manually. Thinking to myself "I don't remember ordering anything in the last couple days" I went to Amazon's site, thinking my username got stole

        • You're not kidding

          Of course I'm not kidding.

          As much as it sounds like I'm flippantly describing a level of hyper-vigilance and paranoia which sounds absurd, anything less than that is going to sooner or later bite you on the ass.

          Everybody keeps saying "stupid users, it's their own fault". And, really, it's increasingly hard to say that.

          You literally have to act like a paranoid nut job around incoming emails these days. It's anything but a normal state for humans. People just don't consistently maintain t

        • If Amazon were subject to an open redirect or an XSS, the link could have actually gone to an Amazon server!
        • by MrL0G1C ( 867445 )

          My webmail (1&1 / mail.com) provider makes it difficult to see whether links are legitimate or not by rewriting all links to go via its servers. Doesn't help.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Any truly important, official communication from a government agency, or from any company demanding payment of any sort, is going to send it in a printed letter, not an email.

      False. I get my vehicle registration renewal notices via email.

      "Anecdote != evidence!"

      You are implying that such communications will never be sent via email. As such, I need find but a single example to prove you wrong.

    • Any truly important, official communication from a government agency, or from any company demanding payment of any sort, is going to send it in a printed letter, not an email.

      On what planet? My companies routinely send invoices to customers/clients by e-mail. We routinely get invoices from suppliers and service providers by e-mail, too. For things like signed contracts with serious amounts of money involved, sure, we'd send registered letters, but day-to-day has been mostly electronic for a long time here.

      An unfortunate consequence of this is that since e-mail in general is not secure and in particular is not tamper-proof or reliably authenticated, it is open to this kind of abu

      • Friend, if I had to include every single exception possible to every statement I ever made, I'd never be done typing them all out. How about we just make a general assumption that those exceptions exist, OK? ;-)
      • PGP could foil all that crap, but who has the time?
        • It is kind of amazing that in 2016 we still haven't solved encrypted and authenticated messaging. I'm not sure how easy it would be to explain to non-technical users how the signing mechanics work or at least why they need to install a digital signature on every new system that will send mail from a certain account, though.

    • by MrL0G1C ( 867445 )

      Nope, When dealing with a ticket, it was mostly via web and email, there was 1 letter initially which gave the web address and the rest was digital (UK).

  • by kennethmci ( 1472923 ) on Wednesday April 06, 2016 @01:36PM (#51854287)
    I remember a while back I read about an interesting way to identify where this info is coming from. If you have your own domain, there are people out there who will append the site name to their email address when they sign up.... e.g. kenneth.facebook@yourdomain.com - then as you receive spam you can see where it originated from...due to them sharing your email ( or if it was stolen ). Would be interesting to know if anyone has done this and identified the original source of the data.
    • by SQLGuru ( 980662 ) on Wednesday April 06, 2016 @01:48PM (#51854399) Homepage Journal

      You can do something similar with GMail using a + instead of a .

      Periods are ignored completely, so kenneth.facebook is the same as ken.neth.face.book.

      Plusses make everything past the plus be ignored. So kenneth+facebook is the same as kenneth.

      • by Anonymous Coward

        So then spammers just go through their lists of gmails, remove the + and you're right back where you started.

        • by rhazz ( 2853871 )
          It's not about preventing spam really, it's more about inbox management. With Gmail's "+" syntax the email is still delivered to your main inbox - there is no registering of allowed + values. It shows the full handle it was sent to though, so at best maybe you can filter it by the handle, assuming the spammer didn't remove the + value. A relative of mine runs a series of twitter accounts spewing weather stats and uses the + syntax on his personal email address to route messages.

          I recall Rogers used to allo
        • by bazorg ( 911295 )

          True, but if you *always* append a unique name when you sign up for a new service, every company that emails you without a unique code is suspicious. Worth automating, IMHO.

          • Any spammer with some smarts (granted, that'll weed out a fair number of them) would just go through their list and remove the + and whatever came after it, therefore spamming the 'base' address and you'd have no idea where they got your email from.

            • by bazorg ( 911295 )

              Here's a more complete explanation:
              1) use an email service for correspondence with friends and family: address1@whatever
              2) use another address for everything else that requires subscribing to: ilikespam@whatever2
              3) use suffixes to identify which service sends you email:
              ilikespam+electricbill@whatever2
              ilikespam+netflix@whatever2 ...

              Normal brainless spam will be picked up by your providers filters, with an assortment of false positives and false negatives, but the spear phishing people would need a much bigge
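              An added example, not code from any commenter, that automates the scheme described above (one "+tag" per service, untagged mail is suspect) and also applies SQLGuru's two Gmail rules (dots ignored, everything after "+" dropped) to show why a stripped tag still lands in the base inbox. The tag registry, sender domains and sample messages are all constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed registry for the "ilikespam+<service>@whatever2" scheme: each tag
# maps to the sender domain that service is expected to mail from. All values
# here are hypothetical placeholders, not real data from the thread.
TAG_REGISTRY = {
    "electricbill": "energy.example",
    "netflix": "netflix.example",
    "ebay": "ebay.example",
}


def gmail_canonical(addr):
    """Apply Gmail's delivery rules to an address: dots in the local part are
    ignored and everything from '+' onward is dropped.
    Returns (canonical_address, tag); tag is None when no '+' was present.
    canonical_address is exactly what a list-cleaning spammer keeps, which is
    why a '+' tag alone cannot hide the base address."""
    local, _, domain = addr.strip().lower().rpartition("@")
    base, plus, tag = local.partition("+")
    return f"{base.replace('.', '')}@{domain}", (tag if plus else None)


def classify(raw_message):
    """Return (verdict, reason) for one RFC 5322 message given as a string.
    Mail with no tag, an unissued tag, or a tag whose registered sender domain
    does not match the From: domain is flagged as suspicious."""
    msg = message_from_string(raw_message)
    _, to_addr = parseaddr(msg.get("To", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    _, tag = gmail_canonical(to_addr)
    from_domain = from_addr.rpartition("@")[2].lower()
    if tag is None:
        return "suspicious", "no per-service tag on recipient address"
    expected = TAG_REGISTRY.get(tag)
    if expected is None:
        return "suspicious", f"tag '{tag}' was never issued"
    if from_domain == expected or from_domain.endswith("." + expected):
        return "ok", f"tag '{tag}' matches sender domain {from_domain}"
    return "suspicious", f"tag '{tag}' belongs to {expected}, sender is {from_domain}"


# Constructed sample messages (not real mail), one per case raised in the thread.
SAMPLES = {
    # legitimate: tag and sender domain agree (subdomain of the registered one)
    "legit": (
        "From: Streaming <billing@mail.netflix.example>\n"
        "To: ilikespam+netflix@gmail.com\n"
        "Subject: Your monthly statement\n\n"
        "Body.\n"
    ),
    # spammer stripped '+netflix' from a leaked list: the mail arrives untagged
    "stripped": (
        "From: Prize Desk <win@promo.example>\n"
        "To: ilikespam@gmail.com\n"
        "Subject: You have won\n\n"
        "Body.\n"
    ),
    # address issued only to 'ebay', but an unrelated domain is demanding money
    "mismatch": (
        "From: Collections <debts@collector.example>\n"
        "To: ilikespam+ebay@gmail.com\n"
        "Subject: Overdue invoice\n\n"
        "Body.\n"
    ),
}


def main():
    for name, raw in SAMPLES.items():
        verdict, reason = classify(raw)
        print(f"{name:9} {verdict:10} {reason}")
    # SQLGuru's two Gmail rules, checked on kennethmci's example local part
    print(gmail_canonical("kenneth.facebook@gmail.com")[0]
          == gmail_canonical("ken.neth.face.book@gmail.com")[0])  # True
    print(gmail_canonical("kenneth+facebook@gmail.com")[0]
          == gmail_canonical("kenneth@gmail.com")[0])              # True


if __name__ == "__main__":
    main()
```

Using the same tag for a dot-style alias on your own domain (kennethmci's variant) only needs a different split in gmail_canonical, since a real mail server does not collapse dots the way Gmail does.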

      • by Holi ( 250190 )
        It also makes it very easy to get around: run the email addys through a script that removes everything from the + to the @ and it completely bypasses your system; it is also very simple to accomplish. With kennethmci's way you don't have this issue.
        • Which is why I have my own domain that has unlimited email addresses that redirect to my GMail address with a specific string after the + (usually the site I used it on or generic description). As I don't ever give out my raw GMail address, anything that comes to that one is automatically considered dubious, tagged and archived for later leisurely perusal by use of filters, just like all the rest.

          Plus I can migrate to a different storage provider by just changing the redirects making it easier than informin

      • by Anonymous Coward

        What's real fun is when you run into a business like Bank of America. They'll happily take your name+blah@gmail.com in their signup forms, but then when the barrage of mortgage spam starts you find out that their unsubscribe page will not accept email addresses with a "+" character. Have fun explaining that to the Indian call center tech.

      • by Anonymous Coward

        Yahoo! Mail has real aliases. You choose a prefix, and then create your aliases under that prefix. You can't remove the suffixes and expect things to still work, and there's no direct correspondence between the aliases and your actual email address. Wish Google did that, especially since there are too many sites out there that just reject the plus sign as invalid, even if their mailing systems work just fine with it. And then there are those sites that don't bother to URLencode your address when they send i

      • by Builder ( 103701 )

        You can use + notation. Then you can deal with all the companies that accepted your address using that at one point, then changed a load of their code and no longer accept it. Or some companies where one part of their organisation will accept a + in your address, but another part of the same org won't - Microsoft was an example of this until recently.

        I've found it to be more trouble than it's worth in the long run.

    • by jmcwork ( 564008 )
      I have my own domain and any email address that does not have a dedicated mailbox gets sent to the admin 'catch-all' mailbox. If I sign up for something, anything that wants an email address, I usually use businessname@mydomain.com for the address. I get a lot of funny looks when I feed back an email address with their name in it (even had a few people accuse me of attempting to hack their system by doing this!). I just let my email reader filter things to different folders based on the incoming email addr
      • by eam ( 192101 )

        Am I the only person still using spamgourmet.com?

        • Am I the only person still using spamgourmet.com?

          Hi there, I do too. It's brilliant. I just worry that too many people will use it as the guy who runs it (for free) could probably not afford too much traffic.

      • If I sign up for something, anything that wants an email address, I usually use businessname@mydomain.com for the address. I get a lot of funny looks when I feed back an email address with their name in it (even had a few people accuse me of attempting to hack their system by doing this!).

        It's not a good idea to use the business's own name as it is likely to be rejected either automatically or by some person as you say (unless you enjoy the wind-up). I use some word that helps remind me of the business, like "mike" for Misco (a UK computer supplier). In fact I keep a table to relate the email name to the company.

    • by Zocalo ( 252965 )
      I've been doing just this for years - unique email for every online account. So far I've only had a few instances of spam arriving on one of the addresses, all from smaller specialist retailers who most probably got their customer DB pwned since the spam was definite junk (pills and porn) rather than the kind of targeted marketing emails you'd expect from a sold-on customer list. I reported the possible compromise each time, but I never received any form of acknowledgement or apology from the companies co
      • by Ark42 ( 522144 )

        Manually editing /etc/mail/virtualusertable works for me. You never want to accept all email of course. The last line should always be "@domain.tld error:5.7.0:550 Address invalid"

    • by tlhIngan ( 30335 )

      I remember a while back I read about an interesting way to identify where this info is coming from. If you have your own domain, there are people out there who will append the site name to their email address when they sign up.... e.g. kenneth.facebook@yourdomain.com - then as you receive spam you can see where it originated from...due to them sharing your email ( or if it was stolen ). Would be interesting to know if anyone has done this and identified the original source of the data.

      I do this, but the spam

    • This is a built in feature of gmail, just add +whatever before the @ in the email address. https://gmail.googleblog.com/2... [googleblog.com]
    • If you have your own domain, there are people out there who will append the site name to their email address when they sign up.... ..... then as you receive spam you can see where it originated from...due to them sharing your email ( or if it was stolen ). Would be interesting to know if anyone has done this and identified the original source of the data.

      I do that, and I received one of these scam emails yesterday. The address is the one I use for ebay, and only for ebay. I receive other spam with my ebay address too.

      When I read this story I had just been in the process of trying to complain to ebay about spammers getting my address. It looks though that it is practically impossible to complain to ebay. Their "Contact Us" link only leads to a FAQ of some typical problems (not spamming problems though), and ultimately round in a circle.

    • by Ark42 ( 522144 )

      I do this with my own domain, and I don't do it in a way that makes it obvious (such as including .facebook for facebook's email address).
      I manually edit /etc/mail/virtualusertable and make a random alias and leave myself a comment about what it's for, every time I'm about to sign up for something on a new site. So far, I've had to disable aliases for Mozilla's Bugzilla, Invisible Fence, 1-800 Contacts, and Hansons, along with a few other really obscure places. The amount of spam that went to those aliases

    • I've been doing this for about 10 years now. Most of the spam-producers have been small or little-known sites. The two big exceptions are Microsoft and Adobe. Both either sold or lost my email address. With Adobe I suspect it was theft because it only happened once (I started getting spam all at once, and it gradually tapered off after about a year) shortly after they publicly notified me their customer database had been hacked. Microsoft was more continuous, coming as a wave every couple years. The l
    • by JazzLad ( 935151 )
      I have done this for the better part of a decade, but I don't do appending - the company gets something like 'amazon@[mydomain]' - it used to be far more effective than it is now for determining who shared my address (looking at you, dropbox), but now it's great for phishing emails as amazon won't email me anywhere but amazon@... & I can see who they emailed.
  • by wkwilley2 ( 4278669 ) on Wednesday April 06, 2016 @01:37PM (#51854297)

    I just like to troll the spammers.

    Anything that makes it past my spam filter is fair game.

    • I just like to troll the spammers. Anything that makes it past my spam filter is fair game.

      So do I. I am currently getting spam from geof.gibbons@stampwood.co.uk who is not just a spammer, it's even worse - his company is a spam consultancy. They call it "Automated Marketing".

  • Come on slashdot (Score:4, Insightful)

    by Zedrick ( 764028 ) on Wednesday April 06, 2016 @01:38PM (#51854303)
    "Clicking on the email apparently installs malware"

    Stuff like this is common in dead tree media, but here, on Slashdot? What email client? Alright:

    What do you mean by "clicking" the email? Selecting it, opening it in a separate window or allowing html crap in it to be rendered?
    • It would also be nice if the source article could tell us which operating systems it affects. Do I have to worry about my Linux machines and my parents' Macs, or does this just affect Windows?

  • Spear-phishing (Score:3, Insightful)

    by redelm ( 54142 ) on Wednesday April 06, 2016 @01:46PM (#51854371) Homepage

    Ho, hum, the Beeb is dumb!

    This sort of phishing including personal details is properly called spear-phishing. Most likely, some UK retailer/service provider "lost" parts of the customer database, including email addys and physical address, but [interestingly] not including customer names.

    If their DB included the [I hope] standard bogus "trap" entries, they should have been hit and the DB owner know of the loss. More interesting will be if they own up.

    • by phorm ( 591458 )

      Or various people signed up for some "contest" online, joined a facebook group/app, etc

    • by Builder ( 103701 )

      It has names. My mother in-law got two of these a few days ago. They had her name with correct honorific, home address and e-mail address. It was the most real phishing attack I've ever seen.

  • "Knows your address" made me laugh. Of course, there are lists that have email addresses and physical addresses in different columns. Good phishing emails already insert variables like your name (if known) in the right places - it's trivial to also put in an address too.
    • by Anonymous Coward

      The point here is that this appears to be spear phishing attack on a mass scale. It is not about how easy or difficult it is to create a fraudulent email.

  • by richy freeway ( 623503 ) on Wednesday April 06, 2016 @01:53PM (#51854429)

    ehardy@cc-systems.org.uk
    4 Apr (2 days ago)
    Reply
    to me
    Dear xxxxxxx xxxx,

    Regarding the amount due 561.45 GBP, we act on behalf of Bondline Electronics Ltd in order to collect the outstanding account value of your debt.

    We would like to remind you that the amount above was due for payment on 29.03.16 but as no payment has been received, your invoice is now considered as overdue. Please find a printable version of your invoice at the following link:
    http://kojomaindustries.com/in... [kojomaindustries.com]

    Original invoice will be sent out to:
    xxxxxx xxxxx
    15 xxxx xxxxx
    Cxxxxx, xxxxxx xHxxxF

    In order to avoid further costs, please forward the payment to us and transfer the amount due not later than 13.04.16

    Yours sincerely,
    Ernest Hardy

    Address was indeed written exactly as I do, and the original link went to a page with my name, but spelt incorrectly, asking for a captcha to be entered. I didn't enter, so no idea what was beyond it; nothing good, I'd wager.

    • by MrL0G1C ( 867445 )

      The incorrect spelling is the clue that could show who got compromised / leaked your data. It also suggests that a company that interacted with you by phone or by written form leaked the data, again the manner of the mis-spelling could indicate which method of communication it was.

      • The spelling in the original email was perfect, it was only when I clicked the link did the incorrect spelling appear.

        They got my surname wrong by one vowel.

  • by presidenteloco ( 659168 ) on Wednesday April 06, 2016 @02:18PM (#51854541)

    Having constructed a profile of you by mining your online activities via tracking networks, it will guess with uncanny accuracy what scam is going to seem plausible to you and seem specifically consistent with your recent activities and interests.

    Then it will send you an email or text or tweet seemingly from a close associate of some business or personal connection/contact you have, and the invitation for you to act will be convincingly specific to your life and recent interests.

  • I've read that scammers tend to write their E-mails using bad grammar and spelling on purpose, because they only want the most dimwitted people out there falling for their scam; idiots tend to part with their money and private information a lot more easily.

    These guys seem to be going in the other direction, making the E-mails look as legitimate and official as possible, thus going after more savvy individuals too.

    I guess maybe they're running out of suckers?

  • by short ( 66530 )
    What's interesting about that? Just run whois on each recipient's domain.
  • There have been loads of targeted emails like this sent out pretending to be from debt collection agencies acting on our behalf. Our switchboard and generic company email address were swamped by calls from the recipients. Some were quite nasty and threatened violence....
  • Clicking on the email apparently installs malware...

    What the hell kind of broken mail client executes random code just because the user asked to view a message?

    Oh right, Outlook. Well, there's your problem.

  • Where are the miscreants getting such good data? I certainly don't believe they are scraping it off the web; more likely criminal organizations are legitimately purchasing this data from Alexa, TRD, Facebook, Google and others whose primary business is selling data about you to third parties. Big business cares very little about whom they are actually doing business with, as long as the money is good, the sale is made.
    • Where are the miscreants getting such good data?

      They got mine from ebay or PayPal. I got one of these via an address that I only use for those organisations.

      • by Anonymous Coward

        http://info.rippleshot.com/blog/ebay
        Year and a half ago, 128 million ebay records breached, including addresses. So that would be why. Guess some UK cyber crooks found a good way to exploit the info and bought the data from someone.

  • Is to delete your email client and forget your gmail password. Stop reading email if scams are so sophisticated that you cannot detect a con.

  • Slashdot: "Clicking on the email apparently installs malware such as Cryptlocker ransomware on the recipient's computing device"

    Original article: "clicking on the link would install malware such as Cryptolocker, which is a form of ransomware that will encrypt files on Windows-based computers."
    --

    This place is getting worse than the Register for free Adverts for Microsoft and managing to not mention W*****S in relation to the malware plague currently infesting "computers" everywhere.
  • Well, what can I say about the sorry state spammers and scammers have left today's digital and manual communication systems. The phishing emails are getting better, but IT savvy techs are not fooled; I cannot say the same for the average Joe or Jane Bloggs. It's all a complete mess :(
  • I got one two days ago - it had my email but an address that was current as of ten years ago. I googled some of the phrases in the email and got some early reports of others getting it and reporting the same thing - current email and old postal address. I've got a feeling it's an ebay seller that got hacked.
  • I have to admit, I received such an email and for a few seconds I was quite concerned. I've never had one of these attempts not only pass my spam filter, but also provide my home address. I can imagine many people falling for this one. Ideally contact your family members to advise them never to click anything in such an email.
