There has been an increase in the number of e-mails and text messages that are landing in my spam folders recently. I am not sure why the upturn is happening, but some of the e-mails are getting very convincing.<\/p>\n
It was not long ago that I would get badly spelled, poorly constructed e-mails that were easy to spot,<\/p>\n
Subject:<\/strong> Yuor Natwast account has ten tnarsactions pending.<\/p>\n Now, not only do I not have a Natwest account, but the typo’s in the subject line made it super obvious.<\/p>\n Yesterday I got an e-mail.<\/p>\n Subject:<\/strong> Lloyds Bank Fraud Alert.<\/p>\n Which looked legit to me at first glance.<\/p>\n Sender:<\/strong> FraudAlert@lloyds.co.uk<\/p>\n Not bad – but a quick check (by hovering over the senders name) showed that the domain was not lloyds – that was the sender name, the actual account sending the e-mail was something like<\/p>\n Fraud.Alert@lloyds.bank.user332798712379821.net<\/em><\/p>\n Additionally it was sent to an e-mail address that I do not use for banking. The e-mail address was one of the e-mail addresses that was part of a previous attach on Talk Talk – where many thousands of e-mail and hashed passwords were obtained, along with partial credit card details.<\/p>\n The body of the e-mail looked perfect, it looked just like a Lloyds e-mail.<\/p>\n It was addressed to me too, although it was First and Last names, not Mr. M R – so that gave things away slightly. But it was subtle, it had my name on it, which upgrades from a phishing attack to a spear phishing attack<\/p>\n What was even more interesting was that the ‘click to sign in’ looked like it would took me to https:\/\/signin.lIoydsfraudaIerts.com.user332798712379821.net\/(my email address) – again hover over the link and you see the full thing.<\/p>\n Which again, at a glance looked super legitimate the extra junk in the domain would probably only be visible when viewed in most browsers it was very impressive.<\/p>\n Out of interest, I fired up a VM and visited the site.<\/p>\n HTTPS was valid – chrome reported the site as secure – someone had bought a certificate for this.<\/p>\n The sign-in page was very nicely done, this was very impressive. Most of the links took me back to the same page though….<\/p>\n Then the actual login piece was very clever indeed.<\/p>\n I bailed at this point. I deleted the VM, just in case and sat thought about this.<\/p>\n After this, I got an email that contained a PDF that was a fake ‘Lloyds Satisfaction Survey’ – which had I opened it on a windows machine would have installed a worm…..<\/p>\n This was super good, it was a Spear-Phishing attempt. It was tailored to me. I should be honoured.<\/p>\n But look at what it could have collected.<\/p>\n Holy shit – that is brilliant<\/em>.<\/p>\n It looked very official, it took me to a secure site, it was setup to trap useful information that would give people access to my bank account. The satisfaction survey PDF was a lovely touch too.<\/p>\n This is one of the best attempts I have ever seen, I am sure that the average person would have given away some or all of their information.<\/p>\n Let’s recap.<\/strong><\/p>\n My e-mail address was harvested along with partial credit card details in the Talk-Talk breach. This gave an attacker my First and Last names, a valid e-mail address and potentially the bank I used based on the partial credit card data.<\/p>\n Knowing that I bank at Lloyds (great customer service BTW) and armed with decent spelling and grammar, customised e-mails were easy to generate, and custom landing pages to harvest the information too.<\/p>\n The PDF satisfaction survey was brilliant, the worm, had I been on Windows, looked like it would have run riot all over my network unless I was absolutely up-to-date on my update, virus protection and using an admin (not user) account.<\/p>\n Very, very nicely done.<\/p>\n","protected":false},"excerpt":{"rendered":" There has been an increase in the number of e-mails and text messages that are landing in my spam folders recently. I am not sure why the upturn is happening, but some of the e-mails are getting very convincing. It was not long ago that I would get badly spelled, poorly constructed e-mails that were […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[108,34],"tags":[],"class_list":["post-593","post","type-post","status-publish","format-standard","hentry","category-security","category-technology"],"_links":{"self":[{"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/posts\/593","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/comments?post=593"}],"version-history":[{"count":2,"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/posts\/593\/revisions"}],"predecessor-version":[{"id":2028,"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/posts\/593\/revisions\/2028"}],"wp:attachment":[{"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/media?parent=593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/categories?post=593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/tags?post=593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
\n