Is this a new scam?
Forum rules
Direct questions and answers, this room is not for general discussion please
-
- Lemon Quarter
- Posts: 2941
- Joined: November 4th, 2016, 3:46 pm
- Has thanked: 640 times
- Been thanked: 496 times
Is this a new scam?
I have no doubt that it is a scam, but is it new, or have I just not seen it before?
An incoming email thanking me for setting up to pay my tax disc by DD. Tax disc?
When I looked at the message header the from is
From: "directdebit@taxdisc.service.gov.uk" <directdebit@taxdiscservice029.top>
So it looks a bit like a .gov.uk but all the detail is in the attachment, apparently and I presume that the attachment carries a freight of either a macro, or the new swath of nasties that take advantage of OLE to do nasty things.
Be careful out there
Slarti
-
- Posts: 35
- Joined: November 6th, 2016, 5:05 pm
- Has thanked: 7 times
- Been thanked: 12 times
-
- Lemon Quarter
- Posts: 2941
- Joined: November 4th, 2016, 3:46 pm
- Has thanked: 640 times
- Been thanked: 496 times
Re: Is this a new scam?
AllYourBase wrote: Goes back to 2014 at least ...
https://www.gov.uk/government/news/motorists-warned-about-scam-emails
Amazing that I've never seen it before
Well a warning to all, don't open the attachment.
Slarti
-
- Posts: 35
- Joined: November 6th, 2016, 5:05 pm
- Has thanked: 7 times
- Been thanked: 12 times
Re: Is this a new scam?
I don't recall the last time I saw a spam/phishing email - gmail filters are pretty reliable.
-
- Lemon Quarter
- Posts: 2941
- Joined: November 4th, 2016, 3:46 pm
- Has thanked: 640 times
- Been thanked: 496 times
Re: Is this a new scam?
AllYourBase wrote: I don't recall the last time I saw a spam/phishing email - gmail filters are pretty reliable.
This was in my ISP's spam trap. I check them pretty regularly as it is not unusual to find "real" messages in one or the other of them, including Gmail.
Slarti
-
- Lemon Quarter
- Posts: 4179
- Joined: November 4th, 2016, 9:42 pm
- Has thanked: 1001 times
- Been thanked: 1855 times
Re: Is this a new scam?
Slarti wrote: When I looked at the message header the from is
From: "directdebit@taxdisc.service.gov.uk" <directdebit@taxdiscservice029.top>
You can spoof anything you want to appear in the "..." part of 'From:' but the actual sender is in the <...> part. If it was genuine that too should have said '...gov.uk'. That's why looking at the message header is always a good idea.
-
- The full Lemon
- Posts: 10813
- Joined: November 4th, 2016, 8:17 pm
- Has thanked: 1471 times
- Been thanked: 3005 times
Re: Is this a new scam?
Breelander wrote: Slarti wrote: When I looked at the message header the from is
From: "directdebit@taxdisc.service.gov.uk" <directdebit@taxdiscservice029.top>
You can spoof anything you want to appear in the "..." part of 'From:' but the actual sender is in the <...> part.
You can spoof that too, just as easily.
Originally SMTP had a separate "Sender" field for cases where From was re-labelled (e.g. I borrow your account). But that's also trivial to spoof. These headers come from a more innocent era. As recently as the early 1990s, spoofing email headers was an innocent prank rather than anything darker.
-
- Lemon Quarter
- Posts: 4179
- Joined: November 4th, 2016, 9:42 pm
- Has thanked: 1001 times
- Been thanked: 1855 times
Re: Is this a new scam?
UncleEbenezer wrote: You can spoof that too, just as easily...
Well, you can't spoof the originating server, that's added to the header after it has been sent, so still worth looking at it.
-
- The full Lemon
- Posts: 10813
- Joined: November 4th, 2016, 8:17 pm
- Has thanked: 1471 times
- Been thanked: 3005 times
Re: Is this a new scam?
Breelander wrote: UncleEbenezer wrote: You can spoof that too, just as easily...
Well, you can't spoof the originating server, that's added to the header after it has been sent, so still worth looking at it.
Actually you can.
The only part of an SMTP header that you can rely on not being spoofed is the "Received From" line where it reaches a server you fully trust - typically your own. Anything else can be spoofed. And since a typical message has several hops, there could be a false trail of those Received lines from before it reaches your trusted server.
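The two points made in this exchange (a display name dressed up as a gov.uk address in front of a quite different real address, and Received: stamps that are only believable once they were written by a server you control) can be turned into a mechanical check. The script below is an added example written for this page, not code from any poster; the message, host names and IP addresses in it are constructed, and the set of "trusted" servers is an assumption standing in for your own MX.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample, modelled on the spoofed From: line quoted in this thread
# and a typical multi-hop delivery. Every host name and IP address is made up
# (documentation ranges). The top Received: line is the newest hop.
RAW_MESSAGE = """\
Received: from mx-in.example.net (mx-in.example.net [198.51.100.7])
\tby mail.example.org with ESMTPS id abc123; Mon, 19 Feb 2018 09:00:00 +0000
Received: from relay.badhost.example (unknown [203.0.113.9])
\tby mx-in.example.net with ESMTP id def456; Mon, 19 Feb 2018 08:59:58 +0000
Received: from taxdisc.service.gov.uk (taxdisc.service.gov.uk [192.0.2.10])
\tby relay.badhost.example with ESMTP id ghi789; Mon, 19 Feb 2018 08:59:50 +0000
From: "directdebit@taxdisc.service.gov.uk" <directdebit@taxdiscservice029.top>
To: someone@example.org
Subject: Thank you for setting up your Direct Debit

Details are in the attachment.
"""

# Servers whose Received: stamps we believe (assumption: our own MX and MTA).
TRUSTED_HOSTS = {"mail.example.org", "mx-in.example.net"}


def parse_received(value):
    """Extract the 'from' and 'by' host names from one Received: header value."""
    value = re.sub(r"\s+", " ", value)
    m_from = re.search(r"\bfrom\s+(\S+)", value)
    m_by = re.search(r"\bby\s+(\S+)", value)
    return (m_from.group(1) if m_from else None, m_by.group(1) if m_by else None)


def trusted_hops(raw, trusted_hosts):
    """Walk the Received: chain newest-first and mark which hops are verifiable.

    A stamp is only believable while it was written by a server we control;
    once the chain passes through a host we don't trust, every older stamp
    could have been written by that host, or by the sender."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops, still_trusted = [], True
    for header in msg.get_all("Received", []):
        sender, receiver = parse_received(str(header))
        verifiable = still_trusted and receiver in trusted_hosts
        hops.append({"from": sender, "by": receiver, "verifiable": verifiable})
        if receiver not in trusted_hosts:
            still_trusted = False
    return hops


def last_reliable_sender(hops):
    """The 'from' host of the oldest verifiable hop: the furthest point we can trace."""
    reliable = [h for h in hops if h["verifiable"]]
    return reliable[-1]["from"] if reliable else None


def from_header_mismatch(raw):
    """Compare the domain shown in the display name with the real address domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg["From"]))
    actual_domain = addr.rpartition("@")[2].lower()
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    shown_domain = shown.group(1).lower() if shown else None
    return {
        "display_domain": shown_domain,
        "actual_domain": actual_domain,
        "mismatch": shown_domain is not None and shown_domain != actual_domain,
    }


if __name__ == "__main__":
    hops = trusted_hops(RAW_MESSAGE, TRUSTED_HOSTS)
    for h in hops:
        label = "trusted  " if h["verifiable"] else "UNTRUSTED"
        print(f"{label}  {h['from']} -> {h['by']}")
    print("furthest traceable sender:", last_reliable_sender(hops))
    print("From: header check:", from_header_mismatch(RAW_MESSAGE))
```

Run against the sample, the third (oldest) stamp claiming the mail came from taxdisc.service.gov.uk is flagged as untrusted, because it was written by a relay we don't control; the furthest point we can actually vouch for is the host our own MX saw connecting. Even on that last trusted hop, the IP in square brackets is what your server observed, while the name before it is what the connecting host announced, so the IP is the more reliable of the two.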
-
- Lemon Half
- Posts: 8286
- Joined: November 4th, 2016, 11:20 am
- Has thanked: 919 times
- Been thanked: 4137 times
Re: Is this a new scam?
I'm getting confused here, because looking at the source code for my similar message, which does coincide with a tax renewal, all I see is:
From: directdebit@taxdisc.service.gov.uk
Also:
Received: from a6-57.smtp-out.eu-west-1.amazonses.com (54.240.6.57) by rgin03.bt.ext.cpcloud.co.uk (9.0.019.21-1)
id 5A4D27E1378ABD95
and
X-Originating-IP: [54.240.6.57]
Authentication-Results: mta1044.bt.mail.ir2.yahoo.com from=; domainkeys=neutral (no sig); from=amazonses.com; dkim=pass (ok)
Received: from 198.37.145.138 (EHLO rgin03.bt.ext.cpcloud.co.uk) (65.20.0.12)
by mta1044.bt.mail.ir2.yahoo.com with SMTP; Sat, 17 Feb 2018 11:55:28 +0000
X-OWM-SPF-MAILFROM: Pass
X-OWM-SPF: 0
X-OWM-DKIM: 1
X-OWM-DMARC: spf 0 dkim 1
X-Originating-IP: [54.240.6.57]
X-OWM-Source-IP: 54.240.6.57(US)
X-OWM-Env-Sender: 01020161a39e7824-75ecb6c8-cd17-48f5-8ee ... zonses.com
X-RazorGate-Vade-Classification: clean
X-RazorGate-Vade-Verdict: clean 0
X-VadeSecure-score: verdict=clean score=0/300LM349, class=clean
X-SNCR-VADESECURE: CLEAN
Why is the source IP US?
TJH
-
- Lemon Half
- Posts: 7893
- Joined: November 4th, 2016, 11:24 am
- Has thanked: 7 times
- Been thanked: 3051 times
Re: Is this a new scam?
UncleEbenezer wrote: Breelander wrote: Slarti wrote: When I looked at the message header the from is
From: "directdebit@taxdisc.service.gov.uk" <directdebit@taxdiscservice029.top>
You can spoof anything you want to appear in the "..." part of 'From:' but the actual sender is in the <...> part.
You can spoof that too, just as easily.
Yes, you can do, but most receiving servers nowadays implement SPF and DKIM checks, so it's very likely to get put into the spam folder (or rejected outright).
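The headers tjh290633 pasted above show the subtlety behind "SPF and DKIM checks": dkim=pass there is for amazonses.com, not for the domain in the From: line, so the pass authenticates the sending service rather than the sender the reader sees. The following is an added example, not code from this thread or from any mail provider; it parses an Authentication-Results: header and reports whether a pass actually lines up with the visible From: domain (the DMARC idea of "alignment"). The three header sets are constructed, the server names are assumptions, and the relaxed-alignment rule is a label-boundary approximation rather than a Public Suffix List lookup.

```python
import re
from email.utils import parseaddr

# Constructed header sets (not the thread's real headers). The first mirrors the
# shape of tjh290633's post: DKIM passes, but for amazonses.com rather than the
# domain shown in From:. Server names are assumptions.
SAMPLE_THIRD_PARTY = {
    "From": "directdebit@taxdisc.service.gov.uk",
    "Authentication-Results": (
        "mx.example.org; spf=pass smtp.mailfrom=bounce@eu-west-1.amazonses.com; "
        "dkim=pass (ok) header.d=amazonses.com"
    ),
}
SAMPLE_ALIGNED = {
    "From": "directdebit@taxdisc.service.gov.uk",
    "Authentication-Results": (
        "mx.example.org; spf=pass smtp.mailfrom=bounce.taxdisc.service.gov.uk; "
        "dkim=pass header.d=taxdisc.service.gov.uk"
    ),
}
SAMPLE_SPOOFED = {
    "From": '"directdebit@taxdisc.service.gov.uk" <directdebit@taxdiscservice029.top>',
    "Authentication-Results": "mx.example.org; spf=none; dkim=none",
}


def parse_auth_results(value):
    """Parse an RFC 8601 Authentication-Results value into (authserv-id, {method: {...}})."""
    value = re.sub(r"\([^)]*\)", "", value)          # drop comments such as "(ok)"
    clauses = [c.strip() for c in value.split(";")]
    authserv_id, results = clauses[0], {}
    for clause in clauses[1:]:
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return authserv_id, results


def aligned(from_domain, auth_domain, relaxed=True):
    """DMARC-style alignment between the From: domain and an authenticated domain.

    Relaxed mode accepts a parent/child relationship at a label boundary. This is an
    approximation of RFC 7489 organisational-domain alignment, which would need the
    Public Suffix List to be exact."""
    a, b = from_domain.lower(), auth_domain.lower()
    if not a or not b:
        return False
    if a == b:
        return True
    return relaxed and (a.endswith("." + b) or b.endswith("." + a))


def assess(headers):
    """Report whether SPF/DKIM passes vouch for the domain the reader actually sees."""
    _, addr = parseaddr(headers["From"])
    from_domain = addr.rpartition("@")[2].lower()
    _, ar = parse_auth_results(headers["Authentication-Results"])
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2]   # address or bare domain
    dkim_domain = dkim.get("header.d", "")
    report = {
        "from_domain": from_domain,
        "spf": spf.get("result", "none"), "spf_domain": spf_domain,
        "spf_aligned": spf.get("result") == "pass" and aligned(from_domain, spf_domain),
        "dkim": dkim.get("result", "none"), "dkim_domain": dkim_domain,
        "dkim_aligned": dkim.get("result") == "pass" and aligned(from_domain, dkim_domain),
    }
    if report["spf_aligned"] or report["dkim_aligned"]:
        report["verdict"] = "aligned-pass"        # the From: domain itself was authenticated
    elif "pass" in (report["spf"], report["dkim"]):
        report["verdict"] = "third-party-pass"    # some other domain was authenticated
    else:
        report["verdict"] = "unauthenticated"
    return report


if __name__ == "__main__":
    for name, sample in [("third party", SAMPLE_THIRD_PARTY),
                         ("aligned", SAMPLE_ALIGNED), ("spoofed", SAMPLE_SPOOFED)]:
        print(name, "->", assess(sample)["verdict"])
```

A "third-party-pass" is not proof of forgery: a genuine sender relaying through a bulk-mail service without signing for its own domain looks exactly like the first sample, which is consistent with later posts in this thread establishing that tjh290633's message was real. What it does tell you is that the SPF/DKIM pass says nothing about the From: domain, so the decision has to rest on other evidence (the content, whether you were expecting it, and what the attachment really is) rather than on the word "pass" in the headers.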
-
- Lemon Quarter
- Posts: 2941
- Joined: November 4th, 2016, 3:46 pm
- Has thanked: 640 times
- Been thanked: 496 times
Re: Is this a new scam?
tjh290633 wrote: I'm getting confused here, because looking at the source code for my similar message, which does coincide with a tax renewal, all I see is:
From: directdebit@taxdisc.service.gov.uk
I was looking at the source through my webmail "View source" option, perhaps different ISPs have different options.
Since spotting the first one the ISP's AV has caught and deleted 2 more because of suspected virus
From: "directdebit@taxdisc.service.gov.uk" <directdebit@taxdiscservice109.top>
From: "directdebit@taxdisc.service.gov.uk" <directdebit@taxdiscservice091.top>
Neither of which were addressed to somebody who has ever existed at my domain, so if they'd got past the ISP my mail server would have caught them.
tjh290633 wrote: Why is the source IP US?
Why not?
Some of the most prolific spammers in recent times were based in the USA
Slarti
-
- Lemon Half
- Posts: 6624
- Joined: November 4th, 2016, 6:10 pm
- Has thanked: 977 times
- Been thanked: 2329 times
Re: Is this a new scam?
I may be a bit slow on the uptake these days, but I received one of these emails today, and I have no reason to assume it isn't genuine because it contains my correct licence plate no., my correct bank details (last 4 digits) and sort code. My current licence expires at the end of this month, so I was expecting it to be renewed by DD.
There is an attachment called Mandate.pdf which I have not as yet opened.
Why would it not be real?
-
- Lemon Quarter
- Posts: 4179
- Joined: November 4th, 2016, 9:42 pm
- Has thanked: 1001 times
- Been thanked: 1855 times
Re: Is this a new scam?
Nimrod103 wrote: I may be a bit slow on the uptake these days, but I received one of these emails today, and I have no reason to assume it isn't genuine because it contains my correct licence plate no., my correct bank details (last 4 digits) and sort code...
That's the genuine article, I have one of those too. The Mandate.pdf is just the same information as a DVLC-headed letter you can save or print for your records.
This scam works by sending a very similar 'thank you for setting up a direct debit' email to thousands of random people in the hope that a few who haven't set one up will click on the attachment - this will then install malware.
-
- Lemon Quarter
- Posts: 2941
- Joined: November 4th, 2016, 3:46 pm
- Has thanked: 640 times
- Been thanked: 496 times
Re: Is this a new scam?
Nimrod103 wrote: I may be a bit slow on the uptake these days, but I received one of these emails today, and I have no reason to assume it isn't genuine because it contains my correct licence plate no., my correct bank details (last 4 digits) and sort code. My current licence expires at the end of this month, so I was expecting it to be renewed by DD.
There is an attachment called Mandate.pdf which I have not as yet opened.
Why would it not be real?
The spam ones replace your licence plate no with ******* and the same with all of your bank details, which is a bit of a giveaway. Mine were also sent to either an email address the DVLA hasn't got, or to people who don't exist, but who are on some spam list being sold to the bad boys (honour among thieves?)
Worth double checking by looking at the email source that a) it is from .gov.uk and b) the pdf is a .pdf and not a .pdf.exe which are doing the rounds.
Slarti
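Slarti's second check, that "the pdf is a .pdf and not a .pdf.exe", can be done from the message source without opening anything. Below is an added example (not code from this thread): it builds a constructed message with a single attachment, then inspects each attachment's file name for a double or executable extension and compares the declared type with the leading bytes of the content. The sender address, the payload bytes and the "Mandate.pdf" naming are constructed for the demonstration; the byte signatures checked are the standard PDF, Windows executable ("MZ") and zip markers.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample payloads: a few bytes that start like a PDF, and a few that
# start like a Windows executable (the "MZ" signature). Neither is a real file.
PDF_BYTES = b"%PDF-1.4\n% constructed sample, not a real document\n"
EXE_BYTES = b"MZ\x90\x00" + b"\x00" * 28

MAGIC = {b"%PDF-": "pdf", b"MZ": "exe", b"PK\x03\x04": "zip"}
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def build_sample(filename, payload, mime_type="application/pdf"):
    """Build a constructed message resembling the thread's 'Direct Debit' mail with one attachment."""
    msg = EmailMessage()
    msg["From"] = "directdebit@example.test"      # assumption: placeholder sender
    msg["To"] = "someone@example.org"
    msg["Subject"] = "Thank you for setting up your Direct Debit"
    msg.set_content("Your mandate is attached.")
    maintype, subtype = mime_type.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_string()


def sniff(data):
    """Identify content by its leading bytes rather than by the declared name or MIME type."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachments(raw):
    """Return one finding per attachment: declared extension, sniffed type, and any red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        extensions = name.lower().split(".")[1:]
        declared = extensions[-1] if extensions else ""
        actual = sniff(data)
        flags = []
        if len(extensions) > 1:
            flags.append("double extension")
        if declared in EXEC_EXTENSIONS:
            flags.append("executable extension")
        if actual == "exe":
            flags.append("executable content")
        if declared == "pdf" and actual != "pdf":
            flags.append(f"declared pdf but content is {actual}")
        findings.append({"filename": name, "declared": declared,
                         "actual": actual, "flags": flags})
    return findings


if __name__ == "__main__":
    for label, name, payload in [("genuine-looking", "Mandate.pdf", PDF_BYTES),
                                 ("double extension", "Mandate.pdf.exe", EXE_BYTES),
                                 ("mislabelled", "Mandate.pdf", EXE_BYTES)]:
        for finding in check_attachments(build_sample(name, payload)):
            print(f"{label:16} {finding['filename']:16} {finding['actual']:8} {finding['flags']}")
```

The third case is the one the extension check alone misses: a file called Mandate.pdf whose content starts with an executable signature. Mail clients that hide known extensions make the double-extension trick look like a plain .pdf, which is why the content sniff is worth doing as well as reading the file name.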
-
- Lemon Slice
- Posts: 313
- Joined: November 4th, 2016, 11:43 am
- Has thanked: 2 times
- Been thanked: 55 times
Re: Is this a new scam?
Slarti wrote: Mine were also sent to either an email address the DVLA hasn't got
The most useful thing I acquired from TMF was the use of spamgourmet. If you create an account called "fred" with them, then you can create any number of throwaway emails of the form
<something>.fred@spamgourmet.com
(other domain names other than spamgourmet.com are available)
The advantage being that if you get a dodgy email from the "DVLA" that is addressed to amazon.fred you know it is suspect, and you also have reason to suspect that amazon have been lax with your personal details because you only use amazon.fred with amazon purchases.
Additional useful thing with spamgourmet, they tell you when you first received an email from each address, so you can date when you first made "contact" with an organisation.
Edit! Forgot to add that all these extra email addresses are picked up by spamgourmet and sent to your registered "hidden" address, so you do not have an overhead trying to read every single email address you create!
www.spamgourmet.com
Meatyfool..
-
- Lemon Quarter
- Posts: 2941
- Joined: November 4th, 2016, 3:46 pm
- Has thanked: 640 times
- Been thanked: 496 times
Re: Is this a new scam?
Meatyfool wrote: Slarti wrote: Mine were also sent to either an email address the DVLA hasn't got
The most useful thing I acquired from TMF was the use of spamgourmet. If you create an account called "fred" with them, then you can create any number of throwaway emails of the form
<something>.fred@spamgourmet.com
(other domain names other than spamgourmet.com are available)
The advantage being that if you get a dodgy email from the "DVLA" that is addressed to amazon.fred you know it is suspect, and you also have reason to suspect that amazon have been lax with your personal details because you only use amazon.fred with amazon purchases.
Additional useful thing with spamgourmet, they tell you when you first received an email from each address, so you can date when you first made "contact" with an organisation.
Edit! Forgot to add that all these extra email addresses are picked up by spamgourmet and sent to your registered "hidden" address, so you do not have an overhead trying to read every single email address you create!
http://www.spamgourmet.com
Meatyfool..
Having my own domain allows me to do something similar and has led to me helping track down a leak at a genealogy site I use, leading to a prosecution.
But, beyond having many different emails for different organisations I also check them against https://haveibeenpwned.com/ as not only can emails be leaked, but in some security breaches, passwords can also be compromised - eg organisations where they were storing passwords in plain text!
After discovering https://haveibeenpwned.com/ it took me about 5 man days to check all of my email addresses and change those that have been compromised, even if I haven't received spam on them. Though to be honest, depending on which breach it was I deleted accounts with some organisations and added them to my "do not use" blacklist.
Slarti
-
- Lemon Slice
- Posts: 470
- Joined: November 8th, 2016, 1:42 pm
- Has thanked: 223 times
- Been thanked: 210 times
Re: Is this a new scam?
Slarti wrote: After discovering https://haveibeenpwned.com/ it took me about 5 man days to check all of my email addresses and change those that have been compromised
If you use LastPass as a password manager, you can run their security challenge and it checks all your email addresses associated with sites in your LastPass vault. It's a one-click operation whereas at the site you mention you have to enter them all individually.
BTW, how safe is that site? They now have all your email addresses.
-
- Lemon Quarter
- Posts: 2941
- Joined: November 4th, 2016, 3:46 pm
- Has thanked: 640 times
- Been thanked: 496 times
Re: Is this a new scam?
Gaggsy wrote: Slarti wrote: After discovering https://haveibeenpwned.com/ it took me about 5 man days to check all of my email addresses and change those that have been compromised
If you use LastPass as a password manager, you can run their security challenge and it checks all your email addresses associated with sites in your LastPass vault. It's a one-click operation whereas at the site you mention you have to enter them all individually.
BTW, how safe is that site? They now have all your email addresses.
I'm pretty sure that the site is safe as the IT security pro who set it up is recommended by many other security professionals in other countries.
And as far as is known, they don't save the passwords entered by end users, just the uploads of breach data.
Does Lastpass check for password and other breach information?
How secure is Lastpass? There are 2 security breaches and 2 "incidents" mentioned at Wikipedia
Slarti