NHS leak? I can't see this being very convincing unless you've had a blood test recently.
Scam emails tell people they have cancer to trick them into installing a money-stealing Trojan
Sick fraudsters have put out a batch of malware-riddled hoax emails warning recipients that they may have cancer. The scam emails purport to come from the UK National Institute for Health and Care Excellence (Nice). The emails - which arrive with the header "important blood analysis result" - ask prospective victims to …
-
Friday 14th March 2014 17:12 GMT Anonymous Coward
statistics
Here's a scenario: I have had a blood test lately (completely unrelated). I have a 100% cancer-related mortality rate in my closest family. All true. Now, let's say I get this email, what happens next?
Yes, if I were an armchair security guru, I might smirk and delete this (...) without thinking about this for a second longer. But due to the particular coincidence of blood test / cancer history / cancer email, my brain makes an instantaneous (false) connection and
- I shit my pants
- in the fog that's filled my head (do I have weeks? months?) I click on the zip, click on the "pdf" (all remnants of sanity crushed somewhere in a deepest corner, even though I'm supposedly "paranoid" about security, by the average standards, etc.)
- nothing happens
- fog continues. I call my gp, I call the hospital (never get through, or "what are you on about, calm down", etc.)
At SOME point later I might decide to run an av scan (which might come up with something - or not). Or - perhaps, relieved that all's fine, I just erase the whole incident out of my memory. Job done, trojan delivered.
And, mind you, a similar reaction from a "mark" can be expected even with no family history of "the big C". There were about 100 people having blood tests taken on that morning, and it was an ordinary day, they told me. They would have gone through 500 blood tests per day, easily, 5 days a week, just one hospital. And while the appeal of penis enlargement is rather dubious, who can resist finding out if they're walking dead?
p.s. Yes, I can see a clear case for capital punishment here. Not because of my smelly pants, but because such people are past redemption and should be removed from society.
-
Sunday 16th March 2014 12:48 GMT alexmcm
Re: statistics
That's possible I suppose, but the number of 'hits' would still be very small. I could come up with a spoof email that would get waaaayyy more 'hits' than a recent cancer treatment. How about:
To all recent passengers of <insert national carrier here>.
We are contacting all recent passengers of our short and long haul flights, specifically Airbus 320 and Boeing 7x7 series. A staphylococci virus has been detected in the air-conditioning systems of these plane variants and you are required to attend your local gp for a blood test (see attachment).
Please bring your booking details and passport when you attend.
Some further convincing bullshit
Rgds,
<National Carrier>
Attachment: Your_Trojan.doc<rtl>.com
-
Friday 14th March 2014 18:51 GMT Anonymous Coward
'I can't see this being very convincing'
What a scam. Gotta love your fellow man that put this together. Not only would it be quite effective, it would hit the right demographic i.e. those of a particular age, well off baby boomers, not web savvy. Having different email accounts or an account not based on your real full name would be an advantage...
-
Saturday 15th March 2014 08:49 GMT Anonymous Coward
Re: 'I can't see this being very convincing'
@hollymcr - I know what phishing is. I was wondering if it was spear phishing. If the victims were pulled off a list of people who had had a recent blood test that would change the scenario from "Jesus, that's despicable" to "We need to nail these bastards right now"
If anyone who hadn't had a recent blood test received one it would be completely unconvincing, just like those ones with the wrong bank on them.
If you had had a blood test though, it would be a totally different matter. Wouldn't be too surprising if it caused a suicide or two.
-
Saturday 15th March 2014 16:01 GMT Anonymous John
Re: 'I can't see this being very convincing'
NICE has denied that the email addresses came from them, and as they don't deal with the public, wouldn't have any such list.
UK blood donors (who are blood tested every time) are regularly contacted by email, but not for clinical purposes. I can see that some of us would be panicked by this email.
The standard of English and implausible name says West Africa to me.
"We suggest you to print out your CBC test results and interpretations in attachment below and visit your family doctor as soon as possible
Sincerely,
Dr.Moon Earnest"
-
Friday 14th March 2014 16:21 GMT Anonymous Coward
Zip files
I started seeing this incoming (and getting blocked by our third-party scumbag filter gateway) on Tuesday. I thought they were particularly sick, but hey it's thieving tossbags we're talking about.
In my opinion Zip files do have some legitimate uses, and any decent incoming mail scanner should be able to check inside zip attachments, or quarantine any it can't?
Of course if you're still not convinced, it's feasible to write a regex or similar to filter incoming mail attachments based on file names, such that you could specify a suffix that would flag legitimate attachments and block all others (eg. <filename>_MyCompany.zip).
-
Friday 14th March 2014 16:27 GMT Flocke Kroes
Back in the day ...
... e-mails over 32k were not certain to make it across the internet. There were tools to split and reassemble large files, but it was far more sensible (and polite) to use sftp/ftp/http. It all started to go horribly wrong when Microsoft started sending e-mail as a container with the same message in html and plain text. I assume they did it because putting **emphasis**, _underlining_ and SHOUTING in plain text was too difficult for Microsoft executives. The internet would be a better place if people set their mail delivery agents to reject long messages.
PS - The ODF formats are a bunch of things in zip files. If you block zip format files, you will also block .odt word processing documents.
-
Friday 14th March 2014 18:52 GMT Hugh McIntyre
Re: Back in the day ...
Containers with HTML and plain text (or RTF and plain text, etc.) are actually MIME multipart/mixed. Back in the early 90s when this was introduced Microsoft was actually sending the markup in a proprietary "winmail.dat" attachment (very annoyingly for non-Windows users), so they were late to multipart/mixed.
PS: even in 1989 (rfc1123), >=64KB was more likely: "Although SMTP does not define the maximum size of a message, many systems impose implementation limits. The current de facto minimum limit in the Internet is 64K bytes. [....] and a much larger maximum size is highly desirable"
-
Friday 14th March 2014 17:12 GMT Mike Moyle
@ Jim Willsher
Re: a business case for ZIP files:
I work for a government agency. Our MIS people block access to cloud/FTP sites (SendSpace, DropBox, etc.). Inserting multiple attachments (InDesign document and PDF from one folder, fonts from another, images from a third -- repeat if you're sending multiple documents) into an email to send off to the printer's is a PITA when compared with dropping in one ZIP archive.
So, yeah; While it's not an ideal solution, ZIP still serves a useful function in business.
-
Friday 14th March 2014 23:52 GMT John Tserkezis
"Emailed zip files no longer serve a business purpose IMHO."
Bzzt. Wrong answer.
Had a client who couldn't download the latest iteration of our software that fixed a critical bug from our website. Claimed it "wouldn't download properly".
So I emailed it to him. Nope, it gets everything except setup.exe.
So I renamed it. Nope, it interrogates the file and still blocks it.
So I zipped it, and renamed it. Nope, it inspects the zip, opens it, inspects the files and blocks them anyway.
I could have gone further, but it REALLY was beyond what I should be doing to work around something that's entirely outside my control. So I asked if he could get his IT people to open an exception, or offer another way. His response was diplomatic in the least, but that wasn't going to happen any time soon.
So I snail mailed it. Yep, with a fucking postage stamp and everything.
If it were a substantial volume of data, I would have snailmailed a thumb drive (non-secure critical data here boys and girls!). Are you going to block external drives next? CD/DVD drives? There is only so far you can go before you prevent your people from doing their job.
Remember how long the Soup Nazi lasted on Seinfeld?
Like I've said before, never piss off your customers, they might not come back. Second to that, never piss off your employees, not only will they not come back, they'll leave a trail of destruction on their way out.
All because you took the easy way out. I'd downvote again if I could.
-
Saturday 15th March 2014 14:15 GMT Annihilator
"Emailed zip files no longer serve a business purpose IMHO."
* Zip preserves file/folder structure for multiple attachments
* Most blue-chip tech companies will have insanely small mailbox sizes (25 *Meg* isn't unheard of)
* Business docs (.doc, .ppt, .xls) compress incredibly well (3:1, or even 10:1 if no pics are involved)
* Zip has (albeit fairly weak) encryption
Just 4 purposes without putting much thought into it.
-
Friday 14th March 2014 16:18 GMT DNTP
Dear commentors,
We have been sent a sample of your thumbs for thumb analysis research. During the complete thumb count (CTC) we have revealed that giving me thumbs up is low and unfortunately we have suspicions of missing or negative thumbs.
Thunmbs up: not enough
Thumbs down: don't plz
Other fingers: Unknown
We suggest you thumbps up this posts so further thump research can confirm that you have thumbs (the up kind not the down kind).
Thank you,
Dr. DNTP
-
Friday 14th March 2014 16:24 GMT JLV
Inquiring minds want to know
"""
The name of the file is CBC_Result_[random alphanumeric string].zip. Inside the archive is a file with a double extension made to look like a PDF file but in actuality is an executable with a PDF icon
"""
This wouldn't happen to be on Windows, by any chance? With the thoughtfully-provided hide file extension default setting?
Oi, Redmond, didn't another malware pull the exact same trick, like 3 months ago?
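A sketch of the gateway-side check discussed in this thread (looking inside a zip attachment for an executable dressed up with a double extension or a right-to-left override, and quarantining anything that cannot be inspected), added here as an example and not code from any commenter or mail-filter vendor. The extension lists, function names and sample member names are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs directly (a common subset, not exhaustive).
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-looking extensions used as the decoy half of a double extension.
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Unicode bidi controls that can visually reorder part of a file name.
BIDI = "\u202a\u202b\u202d\u202e\u2066\u2067\u2068"

def classify_name(name):
    """Return the reasons an archive member name looks deceptive."""
    reasons = []
    if any(ch in BIDI for ch in name):
        reasons.append("bidi-override")
    base = "".join(ch for ch in name if ch not in BIDI)
    base = base.replace("\\", "/").rsplit("/", 1)[-1].lower()
    # Strip padding so "x.pdf      .exe" still yields [".pdf", ".exe"].
    exts = ["." + part.strip() for part in base.split(".")[1:]]
    if exts and exts[-1] in EXECUTABLE:
        reasons.append("executable")
        if len(exts) >= 2 and exts[-2] in DECOY:
            reasons.append("double-extension")
    return reasons

def scan_zip(data):
    """Map each suspicious member to its reasons; empty dict means clean."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"<archive>": ["unreadable"]}  # cannot inspect: quarantine
    findings = {}
    with archive:
        for info in archive.infolist():
            reasons = classify_name(info.filename)
            if info.flag_bits & 0x1:  # encrypted member: content unscannable
                reasons.append("encrypted")
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample():
    """Constructed sample: harmless bytes stored under deceptive names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in ("CBC_Result.pdf.exe", "notes\u202ecod.exe", "leaflet.pdf"):
            z.writestr(name, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for member, why in scan_zip(build_sample()).items():
        print(repr(member), why)
```

The check works on the stored member name, so it does not depend on whether the recipient's desktop hides file extensions.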
-
Friday 14th March 2014 17:13 GMT VinceH
Re: Inquiring minds want to know
"This wouldn't happen to be on Windows, by any chance? With the thoughtfully-provided hide file extension default setting?"
That's always been a stupid setting - but over the last few years I've come to realise that it doesn't matter one single jot. Typical users will believe what they are told the file is, and wouldn't have a clue what the extension means.
-
Saturday 15th March 2014 00:01 GMT John Tserkezis
Re: Inquiring minds want to know
"Typical users will believe what they are told the file is, and wouldn't have a clue what the extension means."
When it comes to "typical" it appears your mileage may vary.
Of the 300+ employee base at my last company, I don't ever recall that particular rename trick ever being fallen for. We did have filters in place for known corrupt sources, but they did occasionally get through. Depending on the department, some would get zip attachments all the time - as a matter of their daily work.
So, either you were dealing with a collection of complete idiots, or more likely, you were too lazy to train them.
-
Friday 14th March 2014 17:21 GMT Goldmember
I had this one
Sent to one of my publicly accessible accounts a couple of days ago, along with the usual "HMRC Tax Refund", "HSBC Transaction number" and "Please your girl tonight" bollocks. Usually I just laugh at how ridiculous they are, but this one actually stopped me in my tracks. It knocked my faith in humanity down that little bit more. There are some really sick fucks out there.
I'd like to see the guy(s) who did this caught and punished, but the cynic in me doubts that will happen.
-
Friday 14th March 2014 17:44 GMT SteveK
Re: I had this one
On the subject of ridiculous, I did have one the other day telling me I had to
"fill attached questionary before May 13259579338080851941308th, 2014"
I'm guessing that's a very long way in the future, so won't bother to open it now..
but yes, I agree with your sentiments entirely about the sort of people who prey on those likely to fall for this particular one.
-
Friday 14th March 2014 17:23 GMT Flugal
Anybody in the UK with even a vague sense of what is going on around them would be aware that NICE are not a body that gives test results, and has *something* to do with whether a given treatment should be made available on the NHS.
Then again, I spoke to a customer today, old enough to be married and have a child, who was not even aware of the name Tony Benn, let alone who he was, or that he'd died.
The people running this scam are evidently scum, but it should not be a surprise that people oblivious to the world around them are more vulnerable.
-
Friday 14th March 2014 19:17 GMT Anonymous Coward
I've also seen an e-mail which advises me I have been evicted and have 10 days to clear the premises, open the attached zip file for details. Probably from the same scumbags. Tell ya what, I invite them to come try, I'm in the gun-mad U S of A, and anyone who tries to evict me from my paid for mobile home better be wearing a bullet-proof vest.
(They also do "you are summoned to court, open the attached file for details".)
I want their GPS coordinates so we can send in the drones and do it as a public service.
-
Friday 14th March 2014 23:05 GMT Anonymous Coward
Haven't seen an NSA/GCHQ angle mentioned yet
If I was running say a shadowy n-eyes type organisation, which say had recently received some quite bad press for hoovering up vast amounts of data, then I might do something like this:
Devote a vanishingly small part of my operational capability (and budget) to tracking down the perpetrators of things like this and pass on details to the relevant civil authorities such as the police for arrest and charging. The results would be published widely and eventually attributed to my (shadowy etc etc) organisation.
It would be useful training for new recruits in my cyber division and be unlikely to reveal any funky operational capability to my opos in other (shadowy etc etc) organisations. Mr Snowden has already done quite a lot of that - the real me rather than the shadowy me is grateful for that by the way.
Instead of blustering about how law abiding my (shadowy etc etc) organisation really is - honest, I personally would be going on a charm offensive, if I was half as clever as I am supposed to be, I'd do a bloody good job of it as well ...
-
Saturday 15th March 2014 03:33 GMT Steve Davies 3
I got one of these yesterday
They couldn't spell 'White' as in White Cells.
As someone who has Blood Cancer (Hairy Cell, nearly 5 yrs in remission) I find this scam just about as low as it is possible to go.
Can someone please find the lot responsible for this and exterminate them from the face of the planet?
-
Saturday 15th March 2014 08:20 GMT Lapun Mankimasta
Why oh why can't they try something amusing, like an email telling people "Dear London Resident, Your blood tests show you are susceptible to getting incredibly hairy, howling at the moon and biting strangers, friends and family at the full moon. Please donate all your money to us so we can find a cure ASAP"
-
Saturday 15th March 2014 14:40 GMT Anonymous Coward
Wait... There actually is such a thing as "National Institute for Health and Care Excellence"?
My first reaction was that the name of the institution should be a clear giveaway, as it couldn't possibly be a real name. It sounds like something a Nigeria scammer dreamt up while drunk.
(I'm not from the UK, btw)