The spammers are getting clever

[Sac Arrow]

So I receive an email asking if I want to attend a major industry conference in Hanoi, which I have attended in the past, and I'll receive attendance and pricing information. The event, dates, location, etc... are legit.

But wait, there's more. This email is not originating from the event's organization. Third party contractor? The guy's name is "Addison Harry."

I do some digging. His email URL is real but doesn't seem to be associated with any type of publicized business. His name does not appear to be connected in any way, shape or form to the event. His name is, however, connected to compiled email lists up for sale. Needless to say I didn't reply.

Gotcha, b*******.

 

[Skyrys62]

They are getting amazingly good at their craft.
I take care of the security for our company.....and if there was ever a crack in a dam, email is it.

 

[EdFred]

So we actually sell to quite a few universities across the US. Every once in a while we get an email requesting a quote with the email address looking similar but not quite

similar to something like this:

some.guy@uwisc-edu.org

Sometimes they get 'lucky' and actually get the name of someone who we have dealt with in the past.

Sneaky, but not good enough.

 

[iflyvfr]

They are getting amazingly good at their craft. I take care of the security for our company.....and if there was ever a crack in a dam, email is it.

The weak link IME is the preoccupied reader who obediently clicks the link provided and blissfully gives up her creds to any old website that happens to look like Office365, Google, etc.

 

[cessna182b]

So I receive an email asking if I want to attend a major industry conference in Hanoi, which I have attended in the past, and I'll receive attendance and pricing information. The event, dates, location, etc... are legit.

But wait, there's more. This email is not originating from the event's organization. Third party contractor? The guy's name is "Addison Harry."

I do some digging. His email URL is real but doesn't seem to be associated with any type of publicized business. His name does not appear to be connected in any way, shape or form to the event. His name is, however, connected to compiled email lists up for sale. Needless to say I didn't reply.

Gotcha, b*******.

Yesterday I got an email from a supposed law firm informing me that "the city" was taking legal action against me (didn't say what city) - and to click on the link
for further information (I didn't). Seeing as how I do not live in any city, own no property in one, nor have any other connection with one - that can hardly be true.

Forwarded it to the spam bin.

Dave

 

[bflynn]

The weak link IME is the preoccupied reader who obediently clicks the link provided and blissfully gives up her creds to any old website that happens to look like Office365, Google, etc.

Respectfully, the weak link is the web browser that allows code to be downloaded and run. That should never be allowed.

 

[iflyvfr]

But I'm not talking about an attack that downloads and runs PS for example, I'm talking about a link in an email that takes an end user to a scraped page made to mimic Google or O-365 and simply harvests the creds entered in the ID and PW field. Any firm who implements cloud without at least 2FA is asking for (and subsequently delivering to others) unwanted attention and trouble.

 

[RJM62]

But I'm not talking about an attack that downloads and runs PS for example, I'm talking about a link in an email that takes an end user to a scraped page made to mimic Google or O-365 and simply harvests the creds entered in the ID and PW field. Any firm who implements cloud without at least 2FA is asking for (and subsequently delivering to others) unwanted attention and trouble.

Yes, but only if they do so in a sensible way. Almost all sites that require 2FA do it by way of text messages, occasionally with a spoken PIN option on a landline. Using a cell number makes it impossible to log in unless you have a cell signal, and using a landline number makes it impossible to log in away from home unless you had the forethought to forward the number to wherever you'll be.

Personally, I think pushing for 2FA using text messages is just a way for companies to get your cell number, which is a highly-valued piece of information in the datamining market. I've closed accounts with companies that insisted on it. It's also less secure than a simpler option, which is to use a PIN in addition to the email / password login. The PIN can be baked into the email and/or the password hash for even more security.

The reason I say the PIN is more secure is because if you collect mail on your phone, and you lose your phone or it is stolen, and you were silly enough not to set a PIN on the phone itself, then the person possessing the phone has everything they need to change your passwords. This is even easier if you also have the bank's or organization's app installed. That tells them where you have accounts. Just tap "Forgot Password," and the bank or organization will send a link to the email and a text message to the phone. Voila. You're screwed.

Facial recognition and fingerprints are also notoriously unreliable. But a combination of email, password, and PIN would be extremely difficult to crack in the amount of time a miscreant would have before you could secure the account, requires no cell connection, and works anywhere in the Interwebs-connected world.

Rich

 

[Kenny Phillips]

They are getting amazingly good at their craft.
I take care of the security for our company.....and if there was ever a crack in a dam, email is it.

Our company sends cleverly disguised phishing to see who they can catch out [their filter for external mail is extraordinary, I've probably only gotten spammed five times in 14 years]. I'm on early, and warn all of my people about it!
My personal email is 90% spam, including stealth emails like the one the OP describes.

 

[DaleB]

Our company sends cleverly disguised phishing to see who they can catch out [their filter for external mail is extraordinary, I've probably only gotten spammed five times in 14 years].

We may work for the same place.

My personal email is 90% spam, including stealth emails like the one the OP describes.

My personal email gets about 0.5% spam, because squelching it has been a hobby of mine for years. I have very long header_checks and body_checks files in Postfix, and Postgrey eliminates a huge portion of it.

 

[Skyrys62]

I'm talking about a link in an email that takes an end user to a scraped page made to mimic Google or O-365 and simply harvests the creds entered in the ID and PW field.

Lot's of C-level staff get targeted for this. Our CEO has thrice gotten burned from emails that say their email account is locked, and have to enter their username and password.
Then, (no joke)...we have emails coming legit from his email box to other members in the company asking for checks, gift cards to surprise staff, etc.
Most reply and ask questions, which legitimately get answered from his email, and some know it's a scam, while some happily travel to Walmart and buy gift cards (yes really).

A recent trick for them is, they set rules in place on the mailbox to move any replies from the people they send messages to. Often to obscure folders such as RSS feeds, etc.
Then the email is automatically deleted from sent items, so the compromised user can legitimately feel it isn't coming from them.....they know they aren't doing it!
Very clever, but I usually can handle them, and prevent future attacks with my own rules/logic.
However, there are more of them working more hours than me to get in....so it's a never ending battle.

They will peruse websites, find the financial staff, send emails with "ACH attachments" and while the staff are in the middle of processing ACH payments, of course they click on them, as they are sending/receiving legitimate ones all the while.

Sneaky bastages...

 

[Capt. Geoffrey Thorpe]

The weak link IME is the preoccupied reader who obediently clicks the link provided and blissfully gives up her creds to any old website that happens to look like Office365, Google, etc.

Current employer decides that they need to train everyone in cyber security - so they set up the training somewhere where you log in with your work user id and password. Then, they send out an email with a link to the training site and tell you to click on it and log in. Really?