Author Topic: Today's scammer  (Read 25178 times)

Jaded

  • The Codfather
  • Formerly known as Jaded
Today's scammer
« on: 02 February, 2016, 11:06:13 pm »
A little different from 'today's spammer' thread - and quite possibly worse.

A friend sent me an email the other day. Along the lines of "I hope you can help, I'm stuck in a foreign place, and I need money, please help me as soon as you can. "

So I knew his account had been hacked. It was Gmail so a good hacking target. I saw him later that day and he said he couldn't get into his email.  I helped him initiate a Google password recovery process. This only takes 3 to 5 days, so it's pretty helpful! The next day he had an email from Google saying "We see you got access to your account again, if you haven't then reply to this email."

The problem was he hadn't got access to his email and he couldn't send any emails from his recovery address. But the bigger problem was that a relative of his has sent four figure sum to the scammers.

Oh well,  i've been helping as much as I can, but Google with the lack of a phone service and their 3-5 day recovery don't help at all.

Yes, it was a weak password. But why won't they let you ask for a password reset unless you are on a browser / IP address you normally use, when they let a scammer put 2-step verification on from a different IP?
It is simpler than it looks.

Re: Today's scammer
« Reply #1 on: 02 February, 2016, 11:19:40 pm »
My employer moved to Google mail/ drive etc last year and our e-mail system has been hacked at least twice now to my knowledge.
Scammers send an e-mail with attachment titled "confidential information for you only" or somesuch.
If you search on google the website address carries a warning "may have been hacked".
After less than 12 months use we are now returning to Microsoft .

Is gmail known to be lots less secure?

Afasoas

Re: Today's scammer
« Reply #2 on: 03 February, 2016, 08:59:33 am »
Is gmail known to be lots less secure?

We've been using it for as long as I've been here and it hasn't happened yet. But I suspect you are confusing anecdata with science. The problem is most likely people using the same creds for other sites, or people authorizing rogue applications to send email from their Google accounts.

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: Today's scammer
« Reply #3 on: 03 February, 2016, 09:18:11 am »
My anecdata is that the vast majority of these scams come from hotmail or gmail accounts.

I guess that as a broad generalisation people that use free gmail/hotmail don't view computer security in quite the same way as those that have proper domains for their business/serious personal emailing.
It is simpler than it looks.

Re: Today's scammer
« Reply #4 on: 03 February, 2016, 09:38:58 am »
My anecdata is that the vast majority of these scams come from hotmail or gmail accounts.


Isn't that simply a factor of the fact that enormous numbers of people have hotmail or gmail accounts?

My countervailing anecdatum is that the only time I've had a holiday disaster scam email, it came from a yahoo address, while the overwhelming mass of other dodgy spam from friends' addresses has been from corrupted BT accounts.

Quote
I guess that as a broad generalisation people that use free gmail/hotmail don't view computer security in quite the same way as those that have proper domains for their business/serious personal emailing.

I'm sure that madcow's employer was paying plenty for its gmail for business setup, and has every right to assume it's as secure as any other email provider; equally, I don't think that choice will have affected the attitude he or his colleagues take to security.

As for private use, sure, if you have your own domain you may well have a reasonably secure approach. But I'm not convinced that choosing a free email provider indicates anything much as compared to simply using your ISP's email service.

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: Today's scammer
« Reply #5 on: 03 February, 2016, 09:51:43 am »
My anecdata is that the vast majority of these scams come from hotmail or gmail accounts.


Isn't that simply a factor of the fact that enormous numbers of people have hotmail or gmail accounts?

My countervailing anecdatum is that the only time I've had a holiday disaster scam email, it came from a yahoo address, while the overwhelming mass of other dodgy spam from friends' addresses has been from corrupted BT accounts.

Quote
I guess that as a broad generalisation people that use free gmail/hotmail don't view computer security in quite the same way as those that have proper domains for their business/serious personal emailing.

I'm sure that madcow's employer was paying plenty for its gmail for business setup, and has every right to assume it's as secure as any other email provider; equally, I don't think that choice will have affected the attitude he or his colleagues take to security.

As for private use, sure, if you have your own domain you may well have a reasonably secure approach. But I'm not convinced that choosing a free email provider indicates anything much as compared to simply using your ISP's email service.

Yes, the numbers thing is probably a factor.

As for the other stuff, I did say "as a broad generalisation" .
It is simpler than it looks.

Feanor

  • It's mostly downhill from here.
Re: Today's scammer
« Reply #6 on: 03 February, 2016, 10:06:08 am »
Thing is, it's pretty hard to tell the source of an e-mail.

Just because it claims to come from joe.blow@gmail.com doesn't mean that it actually did.
It doesn't mean joe's e-mail account is compromised.

Obviously, these scams rely on sending the mail to someone who is likely to know joe, so they must harvest e-mail address pairs that have some chance of working.
So it *could* be joe's account that's compromised.
But it might well be anyone who happens to have both you and joe on their contact list.
Hard to say.

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: Today's scammer
« Reply #7 on: 03 February, 2016, 10:09:11 am »
Yes, that's true, in this case the password of the account has been changed and 2-stage verification added, so they have either cracked the password or got it by a rogue app asking for it.
It is simpler than it looks.

Re: Today's scammer
« Reply #8 on: 03 February, 2016, 11:30:27 am »
provide a mobile # for password recovery - a link etc is txted immediately.

<i>Marmite slave</i>

Re: Today's scammer
« Reply #9 on: 03 February, 2016, 11:43:23 am »
...But the bigger problem was that a relative of his has sent four figure sum to the scammers.


That's a good reminder of one's internet security responsibilities.

Afasoas

Re: Today's scammer
« Reply #10 on: 04 February, 2016, 09:38:01 am »
Thing is, it's pretty hard to tell the source of an e-mail.

Just because it claims to come from joe.blow@gmail.com doesn't mean that it actually did.
It doesn't mean joe's e-mail account is compromised.

Obviously, these scams rely on sending the mail to someone who is likely to know joe, so they must harvest e-mail address pairs that have some chance of working.
So it *could* be joe's account that's compromised.
But it might well be anyone who happens to have both you and joe on their contact list.
Hard to say.

Gmail and Office365/Outlook.com will pretty much spam anything that fails SPF/DKIM. Using SPF/DKIM for a domain/mail server doesn't prevent spoofing, but it does make it easier for receiving mail servers to discern whether or not a sender has been spoofed.

One sure sign that your email address is getting spoofed is receiving lots of bounce messages for emails you haven't sent.

Re: Today's scammer
« Reply #11 on: 04 February, 2016, 10:07:47 am »
Since initiating Sun Protection Factor on my domains the number of bounced mails spoofing send from <random chars>@mydomain has dropped significantly.

Re: Today's scammer
« Reply #12 on: 04 February, 2016, 01:47:07 pm »
[...] the overwhelming mass of other dodgy spam from friends' addresses has been from corrupted BT accounts.

Thing is, it's pretty hard to tell the source of an e-mail.

Just because it claims to come from joe.blow@gmail.com doesn't mean that it actually did.
It doesn't mean joe's e-mail account is compromised.

Obviously, these scams rely on sending the mail to someone who is likely to know joe, so they must harvest e-mail address pairs that have some chance of working.
So it *could* be joe's account that's compromised.
But it might well be anyone who happens to have both you and joe on their contact list.
Hard to say.

Aye, but ...

The cases I'm thinking of, the spam has turned up in my mailbox with DisplayName $MyFriend, SenderEmail $SomethingRandom, and the distribution list something that looks *very* likely to have come from $MyFriend's contacts (though of course it could have come from the contacts list of several other acquaintances-in-common).

This holds true for quite a few emails, from several different people in about three different circles, and in every case but a couple the DisplayName has been of someone I know to use BT (in the other couple, they've been Yahoo users).

Feanor

  • It's mostly downhill from here.
Re: Today's scammer
« Reply #13 on: 04 February, 2016, 02:11:15 pm »
Since initiating Sun Protection Factor on my domains the number of bounced mails spoofing send from <random chars>@mydomain has dropped significantly.

Yes, I did that way back.
This thread has prodded me into also setting up DKIM on my mailserver.
I'll have a hack at it tonight, if I get the time.

Feanor

  • It's mostly downhill from here.
Re: Today's scammer
« Reply #14 on: 05 February, 2016, 06:32:20 pm »
OK, so got DKIM configured on my e-mail domain and all is working, with only mild swearing.

Main problem was trying to put the public key TXT record into DNS ( using AAISP's web interface ).
It accepts it on the web interface, but never serves it.
Turns out there's a 255 character limit on the strings in a TXT record, which 2048 bit keys bust.
Fortunately, you can "split it into" "shorter strings".
And then it works.


Phil W

Re: Today's scammer
« Reply #15 on: 05 February, 2016, 06:56:59 pm »
Most DKIM keys are 1024 bit.

Feanor

  • It's mostly downhill from here.
Re: Today's scammer
« Reply #16 on: 05 February, 2016, 07:07:08 pm »
True, but I didn't know that at the time.
I do now!

The key-pair generator I used defaulted to 2048, and I didn't at the time see a good reason to change it.

Still, I learned about how to shoe-horn long strings into a TXT record.

Phil W

Re: Today's scammer
« Reply #17 on: 05 February, 2016, 07:17:05 pm »
I put DKIM and SPF in place for LEL2017.  It's stopped Danial's emails ending up in the spam bin / bounced which was a problem he had reported from LEL2013  ;D

Feanor

  • It's mostly downhill from here.
Re: Today's scammer
« Reply #18 on: 05 February, 2016, 09:33:12 pm »
That's the reason I'm re-visiting this whole issue.

My work previously did it's own e-mail, but we've gone all cloudy Orrifice 360 in the last few months.
It's caused a problem when I try to e-mail myself at work from my home address.
The work mail is hosted by MS, who reject all my home mail as spam because I don't pay for it not to be.

It's already:
Not on a dynamic IP;
Has a valid MX / A / AAAA / Reverse lookup in DNS;
Has valid SPF
Now has valid DKIM too.

But not good enough, it seems.
I've hit the 'request de-listing' links in the bounces, and had auto-replies that I've been de-listed, but they lie.
Google suggests that I need to call a magic number and talk to a person, and that's the Only Way.
I may do that later.

It is possible to have independent un-paid-for mail accepted by MS, but it's an uphill struggle, and SPF and DKIM help in the process.

hellymedic

  • Just do it!
Re: Today's scammer
« Reply #19 on: 06 February, 2016, 10:01:08 pm »
My anecdata is that the vast majority of these scams come from hotmail or gmail accounts.

I guess that as a broad generalisation people that use free gmail/hotmail don't view computer security in quite the same way as those that have proper domains for their business/serious personal emailing.

'Mike's came from a bt.internet = yahoo account.

Feanor

  • It's mostly downhill from here.
Re: Today's scammer
« Reply #20 on: 06 February, 2016, 11:00:11 pm »
Maybe it did, and maybe it didn't.

It's difficult to tell, even for people who know about this stuff.
You can't believe what an e-mail says in the "From:" field.

Think of it like paper mail.
You get a letter, in an envelope, addressed to you, delivered by the postman.
On the back of the envelope, there is a sticker, which says:
Sender: Joe Blow, 100 Main Street, Anywhere.

Is that the genuine source of the letter?
No, it's just what the sender stuck on the envelope.

It's the same with e-mail.







Steph

  • Fast. Fast and bulbous. But fluffy.
Re: Today's scammer
« Reply #21 on: 11 February, 2016, 09:58:57 pm »
That particular scam is known as the Spanish Prisoner and is centuries old.
Mae angen arnaf i byw, a fe fydda'i

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: Today's scammer
« Reply #22 on: 12 February, 2016, 01:24:44 am »
It took 9 days to get the email address back in action.
It is simpler than it looks.

Gattopardo

  • Lord of the sith
  • Overseaing the building of the death star
Re: Today's scammer
« Reply #23 on: 14 February, 2016, 11:05:46 pm »
Well a defunct email address from viola.fr, no longer has an email part, is quite happily spamming people.  But none that I know.

Mr Larrington

  • A bit ov a lyv wyr by slof standirds
  • Custard Wallah
    • Mr Larrington's Automatic Diary
Re: Today's scammer
« Reply #24 on: 23 February, 2016, 06:50:13 pm »
Quote from: Cluefree Twunt


 Valued Customer,
 
 Please note that starting from February 23, 2016 we will be introducing new online banking authentication procedures in order to protect the private information of all online banking users.
 
 You are required to confirm your online banking details with us as you will not be able to have access to your accounts until this has been done.
 
 As you're already registered for online banking all you need to do is to confirm your online banking details.
 
 Confirm your details
 
 Once you've completed this you'll be able to manage your money whenever you want, giving you more control of your finances.
 
 Regards
 Customer Service
 Halifax - Uk Alert Team

Except there isn't a link - fraudulent or otherwise - in the entire message. 2/10 - must try harder.
External Transparent Wall Inspection Operative & Mayor of Mortagne-au-Perche
Satisfying the Bloodlust of the Masses in Peacetime