
Is this a new scam?


Is this a new scam?

#119245

Postby Slarti » February 20th, 2018, 11:26 am

I have no doubt that it is a scam, but is it new, or have I just not seen it before?

An incoming email thanking me for setting up to pay my tax disc by DD. Tax disc?

When I looked at the message header the from is
From: "directdebit@taxdisc.service.gov.uk" <directdebit@taxdiscservice029.top>

So it looks a bit like a .gov.uk but all the detail is in the attachment, apparently and I presume that the attachment carries a freight of either a macro, or the new swath of nasties that take advantage of OLE to do nasty things.


Be careful out there
Slarti


Re: Is this a new scam?

#119247

Postby AllYourBase » February 20th, 2018, 11:32 am



Re: Is this a new scam?

#119248

Postby Slarti » February 20th, 2018, 11:36 am

AllYourBase wrote:Goes back to 2014 at least ...

https://www.gov.uk/government/news/motorists-warned-about-scam-emails


Amazing that I've never seen it before :o

Well a warning to all, don't open the attachment.

Slarti


Re: Is this a new scam?

#119250

Postby AllYourBase » February 20th, 2018, 11:38 am

I don't recall the last time I saw a spam/phishing email - gmail filters are pretty reliable.


Re: Is this a new scam?

#119259

Postby Slarti » February 20th, 2018, 11:48 am

AllYourBase wrote:I don't recall the last time I saw a spam/phishing email - gmail filters are pretty reliable.


This was in my ISP's spam trap. I check them pretty regularly as it is not unusual to find "real" messages in one or the other of them, including Gmail.

Slarti


Re: Is this a new scam?

#119284

Postby Breelander » February 20th, 2018, 1:01 pm

Slarti wrote:When I looked at the message header the from is
From: "directdebit@taxdisc.service.gov.uk" <directdebit@taxdiscservice029.top>


You can spoof anything you want to appear in the "..." part of 'From:' but the actual sender is in the <...> part. If it was genuine that too should have said '...gov.uk'. That's why looking at the message header is always a good idea.


Re: Is this a new scam?

#119311

Postby UncleEbenezer » February 20th, 2018, 2:57 pm

Breelander wrote:
Slarti wrote:When I looked at the message header the from is
From: "directdebit@taxdisc.service.gov.uk" <directdebit@taxdiscservice029.top>


You can spoof anything you want to appear in the "..." part of 'From:' but the actual sender is in the <...> part.

You can spoof that too, just as easily.

Originally SMTP had a separate "Sender" field for cases where From was re-labelled (e.g. I borrow your account). But that's also trivial to spoof. These headers come from a more innocent era. As recently as the early 1990s, spoofing email headers was an innocent prank rather than anything darker.


Re: Is this a new scam?

#119319

Postby Breelander » February 20th, 2018, 3:39 pm

UncleEbenezer wrote:You can spoof that too, just as easily...


Well, you can't spoof the originating server, that's added to the header after it has been sent, so still worth looking at it.


Re: Is this a new scam?

#119323

Postby UncleEbenezer » February 20th, 2018, 3:46 pm

Breelander wrote:
UncleEbenezer wrote:You can spoof that too, just as easily...


Well, you can't spoof the originating server, that's added to the header after it has been sent, so still worth looking at it.

Actually you can.

The only part of an SMTP header that you can rely on not being spoofed is the "Received From" line where it reaches a server you fully trust - typically your own. Anything else can be spoofed. And since a typical message has several hops, there could be a false trail of those Received lines from before it reaches your trusted server.


Re: Is this a new scam?

#119326

Postby tjh290633 » February 20th, 2018, 3:54 pm

I'm getting confused here, because looking at the source code for my similar message, which does coincide with a tax renewal, all I see is:

From: directdebit@taxdisc.service.gov.uk

Also:

Received: from a6-57.smtp-out.eu-west-1.amazonses.com (54.240.6.57) by rgin03.bt.ext.cpcloud.co.uk (9.0.019.21-1)
id 5A4D27E1378ABD95

and

X-Originating-IP: [54.240.6.57]
Authentication-Results: mta1044.bt.mail.ir2.yahoo.com from=; domainkeys=neutral (no sig); from=amazonses.com; dkim=pass (ok)
Received: from 198.37.145.138 (EHLO rgin03.bt.ext.cpcloud.co.uk) (65.20.0.12)
by mta1044.bt.mail.ir2.yahoo.com with SMTP; Sat, 17 Feb 2018 11:55:28 +0000
X-OWM-SPF-MAILFROM: Pass
X-OWM-SPF: 0
X-OWM-DKIM: 1
X-OWM-DMARC: spf 0 dkim 1
X-Originating-IP: [54.240.6.57]
X-OWM-Source-IP: 54.240.6.57(US)
X-OWM-Env-Sender: 01020161a39e7824-75ecb6c8-cd17-48f5-8ee ... zonses.com
X-RazorGate-Vade-Classification: clean
X-RazorGate-Vade-Verdict: clean 0
X-VadeSecure-score: verdict=clean score=0/300LM349, class=clean
X-SNCR-VADESECURE: CLEAN

Why is the source IP US?

TJH


Re: Is this a new scam?

#119328

Postby mc2fool » February 20th, 2018, 3:57 pm

UncleEbenezer wrote:
Breelander wrote:
Slarti wrote:When I looked at the message header the from is
From: "directdebit@taxdisc.service.gov.uk" <directdebit@taxdiscservice029.top>


You can spoof anything you want to appear in the "..." part of 'From:' but the actual sender is in the <...> part.

You can spoof that too, just as easily.

Yes, you can do, but most receiving servers nowadays implement SPF and DKIM checks, so it's very likely to get put into the spam folder (or rejected outright).
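The three header checks discussed above (Breelander's display-name versus real-address comparison, UncleEbenezer's rule that only Received lines stamped by a server you trust are reliable, and mc2fool's SPF/DKIM results) can be scripted against a raw message. This is an added example, not code from anyone in the thread; the sample message is constructed from the hostnames tjh290633 quoted plus made-up `.example` hosts, and the trusted-host set is an assumption you would replace with your own provider's servers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in this thread (not a real capture).
RAW_MESSAGE = """\
Received: from rgin03.bt.ext.cpcloud.co.uk (65.20.0.12)
 by mta1044.bt.mail.ir2.yahoo.com with SMTP; Sat, 17 Feb 2018 11:55:28 +0000
Received: from a6-57.smtp-out.eu-west-1.amazonses.com (54.240.6.57)
 by rgin03.bt.ext.cpcloud.co.uk id 5A4D27E1378ABD95
Received: from mail.legit-looking.example (192.0.2.10)
 by relay.unknown.example with ESMTP
Authentication-Results: mta1044.bt.mail.ir2.yahoo.com; spf=pass; dkim=pass (ok)
From: "directdebit@taxdisc.service.gov.uk" <directdebit@taxdiscservice029.top>
"""

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def parse_received(raw):
    """[(from_host, by_host), ...], newest hop first, as listed in the header."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(value)
        hops.append((m.group(1), m.group(2)) if m else (None, None))
    return hops


def verifiable_hops(raw, trusted_hosts):
    """Walking down from the newest line, a hop counts as verified only while the
    receiving ('by') server is trusted; lines below may have been pre-inserted."""
    verified, unverifiable = [], []
    for from_host, by_host in parse_received(raw):
        if not unverifiable and by_host in trusted_hosts:
            verified.append((from_host, by_host))
        else:
            unverifiable.append((from_host, by_host))
    return verified, unverifiable


def from_mismatch(raw):
    """Flag a display name that looks like an address at a different domain from the real <...> address."""
    display, address = parseaddr(message_from_string(raw)["From"])
    shown = display.rpartition("@")[2].lower() if "@" in display else ""
    real = address.rpartition("@")[2].lower()
    return shown, real, bool(shown) and shown != real


def auth_results(raw):
    """SPF/DKIM/DMARC verdicts; they vouch for the sending domain, not the name shown."""
    header = message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))
```

Note that a passing SPF/DKIM result here says only that the relay really was the sending domain; it says nothing about whether that domain is the one the reader is being shown.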


Re: Is this a new scam?

#119335

Postby Slarti » February 20th, 2018, 4:57 pm

tjh290633 wrote:I'm getting confused here, because looking at the source code for my similar message, which does coincide with a tax renewal, all I see is:

From: directdebit@taxdisc.service.gov.uk


I was looking at the source through my webmail "View source" option; perhaps different ISPs have different options.


Since spotting the first one the ISP's AV has caught and deleted 2 more because of a suspected virus:
From: "directdebit@taxdisc.service.gov.uk" <directdebit@taxdiscservice109.top>
From: "directdebit@taxdisc.service.gov.uk" <directdebit@taxdiscservice091.top>

Neither of which were addressed to somebody who has ever existed at my domain, so if they'd got past the ISP my mail server would have caught them.


tjh290633 wrote:Why is the source IP US?


Why not?

Some of the most prolific spammers in recent times were based in the USA

Slarti


Re: Is this a new scam?

#119349

Postby Nimrod103 » February 20th, 2018, 6:29 pm

I may be a bit slow on the uptake these days, but I received one of these emails today, and I have no reason to assume it isn't genuine because it contains my correct licence plate no., my correct bank details (last 4 digits) and sort code. My current licence expires at the end of this month, so I was expecting it to be renewed by DD.
There is an attachment called Mandate.pdf which I have not as yet opened.
Why would it not be real?


Re: Is this a new scam?

#119353

Postby Breelander » February 20th, 2018, 6:56 pm

Nimrod103 wrote:I may be a bit slow on the uptake these days, but I received one of these emails today, and I have no reason to assume it isn't genuine because it contains my correct licence plate no., my correct bank details (last 4 digits) and sort code...


That's the genuine article, I have one of those too. The Mandate.pdf is just the same information as a DVLC-headed letter you can save or print for your records.

This scam works by sending a very similar 'thank you for setting up a direct debit' email to thousands of random people in the hope that a few who haven't set one up will click on the attachment - this will then install malware.


Re: Is this a new scam?

#119428

Postby Slarti » February 21st, 2018, 9:33 am

Nimrod103 wrote:I may be a bit slow on the uptake these days, but I received one of these emails today, and I have no reason to assume it isn't genuine because it contains my correct licence plate no., my correct bank details (last 4 digits) and sort code. My current licence expires at the end of this month, so I was expecting it to be renewed by DD.
There is an attachment called Mandate.pdf which I have not as yet opened.
Why would it not be real?


The spam ones replace your licence plate no. with ******* and the same with all of your bank details, which is a bit of a giveaway. Mine were also sent to either an email address the DVLA hasn't got, or to people who don't exist, but who are on some spam list being sold to the bad boys (honour among thieves?)

Worth double checking by looking at the email source that a) it is from .gov.uk and b) that the pdf is a .pdf and not a .pdf.exe, which are doing the rounds.

Slarti


Re: Is this a new scam?

#119431

Postby Meatyfool » February 21st, 2018, 9:55 am

Slarti wrote: Mine were also sent to either an email address the DVLA hasn't got


The most useful thing I acquired from TMF was the use of spamgourmet. If you create an account called "fred" with them, then you can create any number of throwaway emails of the form

<something>.fred@spamgourmet.com

(domain names other than spamgourmet.com are available)

The advantage being that if you get a dodgy email from the "DVLA" that is addressed to amazon.fred you know it is suspect, and you also have reason to suspect that amazon have been lax with your personal details because you only use amazon.fred with amazon purchases.

Additional useful thing with spamgourmet, they tell you when you first received an email from each address, so you can date when you first made "contact" with an organisation.

Edit! Forgot to add that all these extra email addresses are picked up by spamgourmet and sent to your registered "hidden" address, so you do not have an overhead trying to read every single email address you create!

www.spamgourmet.com

Meatyfool..


Re: Is this a new scam?

#119435

Postby Slarti » February 21st, 2018, 10:11 am

Meatyfool wrote:
Slarti wrote: Mine were also sent to either an email address the DVLA hasn't got


The most useful thing I acquired from TMF was the use of spamgourmet. If you create an account called "fred" with them, then you can create any number of throwaway emails of the form

<something>.fred@spamgourmet.com

(domain names other than spamgourmet.com are available)

The advantage being that if you get a dodgy email from the "DVLA" that is addressed to amazon.fred you know it is suspect, and you also have reason to suspect that amazon have been lax with your personal details because you only use amazon.fred with amazon purchases.

Additional useful thing with spamgourmet, they tell you when you first received an email from each address, so you can date when you first made "contact" with an organisation.

Edit! Forgot to add that all these extra email addresses are picked up by spamgourmet and sent to your registered "hidden" address, so you do not have an overhead trying to read every single email address you create!

http://www.spamgourmet.com

Meatyfool..


Having my own domain allows me to do something similar and has led to me helping track down a leak at a genealogy site I use, leading to a prosecution.

But, beyond having many different emails for different organisations I also check them against https://haveibeenpwned.com/ as not only can emails be leaked, but in some security breaches, passwords can also be compromised - eg organisations where they were storing passwords in plain text!

After discovering https://haveibeenpwned.com/ it took me about 5 man days to check all of my email addresses and change those that have been compromised, even if I haven't received spam on them. Though to be honest, depending on which breach it was I deleted accounts with some organisations and added them to my "do not use" blacklist.

Slarti


Re: Is this a new scam?

#119472

Postby Gaggsy » February 21st, 2018, 12:47 pm

Slarti wrote:After discovering https://haveibeenpwned.com/ it took me about 5 man days to check all of my email addresses and change those that have been compromised


If you use LastPass as a password manager, you can run their security challenge and it checks all your email addresses associated with sites in your LastPass vault. It's a one-click operation whereas at the site you mention you have to enter them all individually.

BTW, how safe is that site? They now have all your email addresses.


Re: Is this a new scam?

#119476

Postby Slarti » February 21st, 2018, 12:56 pm

Gaggsy wrote:
Slarti wrote:After discovering https://haveibeenpwned.com/ it took me about 5 man days to check all of my email addresses and change those that have been compromised


If you use LastPass as a password manager, you can run their security challenge and it checks all your email addresses associated with sites in your LastPass vault. It's a one-click operation whereas at the site you mention you have to enter them all individually.

BTW, how safe is that site? They now have all your email addresses.


I'm pretty sure that the site is safe as the IT security pro who set it up is recommended by many other security professionals in other countries.
And as far as is known, they don't save the passwords entered by end users, just the uploads of breach data.

Does Lastpass check for password and other breach information?
How secure is Lastpass? There are 2 security breaches and 2 "incidents" mentioned at Wikipedia

Slarti
