I have been getting spam that initially looks like they come from contacts of mine but when you click to reveal the full email address the first part of the email address uses their name or part of email address and the rest is a random collection of letters/numbers so it's not my contact who has been hacked.
How do they get my contact list then as I'm pretty certain I've not been hacked (new password) and if I had surely they would use my email account for more bad stuff than just getting my contact list to email me spam using a half made up email?
You’ve been hacked 🤷‍♂️
How do they get my contact list then
They may have your contact list. They may have a contact list that includes both yours and the 'senders' addresses in it. Ie someone else you both know has been hacked.
If I've been hacked why wouldn't they do something a bit more dodgy than just use my contact list to send me a dodgy link?
I've just had one of these, I assumed I or my mate has been hacked. Spose I better change my password....
myti do you use Windows?
Does the email address look like fred.smith+abc123@wherever.com? That's a legitimate email address that would resolve to fred.smith@wherever.com. Somewhere in the email header will be a redirect that stops any reply going to fred smith and sends it to the spammers instead.
If I’ve been hacked why wouldn’t they do something a bit more dodgy than just use my contact list to send me a dodgy link?
Depends what the nature of hacking is - you could have been hacked in the sense that someone has full access to use your email account as they wish (in which case they might use it for something more interesting than this) - or 'something' could have been hacked, at some time, to reveal that you and the apparent sender know each other. In which case all the spam-sender has is a list of names/addresses that have come into their possession by some means (a hack, a leak, someone making poor use of CC'd addresses) and no actual, current, hacked access to anything.
All they have is addresses - if they had a working password they wouldn't be having to use a spoof address behind the name.
You and the apparent sender could change all your login details in the presumption of a hack but that list would still exist and could be used in the same way.
Put your address into https://haveibeenpwned.com then put your mates in - you might be surprised at how many hacked services the two of you have in common.
If you've been 'hacked' or more accurately; phished, and your account compromised - the 'hackers' will put measures in to ensure you don't become aware of this, such as setting up rules to delete any incoming emails that might alert you to the emails they have been sending from your account.
Those emails from your friend but not your friend are simply a spoofed email address. They'll contain malicious links/documents, probably asking for you to log into your email account.
Very little, if any actual 'hacking' occurs with these, it's nearly all just relying on the stupidity of people falling for the fake emails. It's a self-fulfilling thing too, as soon as they have access to one account it's game on. Hundreds of emails will be sent in seconds, which then generates one or two more compromised accounts, which then get a few hundred emails sent out, and so on. The real damage is done when they get access to an account which has sent invoices to customers/suppliers. They'll send a new invoice with different bank details directly from the person's account, and someone will send that payment to the new bank account without checking that they have actually changed banks. Payday for the 'hackers'. Rinse and repeat.
They’ll send a new invoice with different bank details directly from the person’s account, and someone will send that payment to the new bank account without checking that they have actually changed banks. Payday for the ‘hackers’. Rinse and repeat.
That's hopefully a vulnerability that will close soon. Presently when that scammed recipient of the invoice pays it their bank only pays attention to the sort and account numbers - even if you enter a payee account holder name it's just for decoration, it's not part of the transaction checks.
So if I've hacked your email and send out invoices to customers pretending to be TallPaul but with my bank details it wouldn't matter that they typed 'TallPaul' in when making the payment that the account is actually in the name of Maccruiskeen.
Soon - the payment will only go through if the name typed by the person paying matches the name of the account holder.
I was going to chip in here, but basically what @maccruiskeen said.
You probably haven't been compromised but there's absolutely no harm in running a malware scan as a precaution. MBAM is good, the free version is fine for your purposes.
https://www.malwarebytes.com/mwb-download/thankyou/
After you've run the scan, change the password on your email account. Your email is the single most important account you have - if it is compromised then it can be used for "I forgot my password" links on everything else you use and you're going to have a Very Bad Day. Choose a strong password and under no circumstances use the same password anywhere else. If I can't hack your email directly, maybe I can hack something less secure where you've used the same credentials and boom, you're pwned. Enable two-factor authentication if that's an option with your email provider (and if it isn't, consider changing your email provider).
That's hopefully a vulnerability that will close soon. Presently when that scammed recipient of the invoice pays it their bank only pays attention to the sort and account numbers – even if you enter a payee account holder name it's just for decoration, it's not part of the transaction checks.
So if I’ve hacked your email and send out invoices to customers pretending to be TallPaul but with my bank details it wouldn’t matter that they typed ‘TallPaul’ in when making the payment that the account is actually in the name of Maccruiskeen.
Soon – the payment will only go through if the name typed by the person paying matches the name of the account holder.
That's good to know - it's a pretty major flaw in the system, but I'm sure the scammers will find a way around it. Internet/email and IT security in general, with issues like this are not going away any time soon, and although most phishing emails are laughably bad and easy to spot after a few seconds, some still have us as IT professionals who see these emails every single day, taking 30 seconds to a minute to tell fake from genuine. Some of the scammers are getting very, very clever at this stuff.
although most phishing emails are laughably bad and easy to spot after a few seconds... Some of the scammers are getting very, very clever at this stuff.
I have a theory that the "laughably bad" ones are intentionally bad. If you're daft enough to believe an obviously fake email then you're far less likely to go "hang on a minute..." further down the line, whereas someone falling for a realistic-looking phish could waste the scammers' time engaging with someone who's potentially going to see through it later.
Who would fall for this, you might ask. Well, it's a mistake to underestimate people's potential to do really, really ill-conceived things. I was once helping out a user with his laptop when a phishing email came in. I took the opportunity for a bit of user education, explained to them what it was, and deleted it. I hadn't made it back to my desk when my mobile rang, "my computer's gone funny." The user had retrieved the email from Deleted Items (schoolboy error on my part for not purging that), opened it and run the attachment. I stood there incredulous, "why would you do that?" I asked. "Oh, I just wanted to see what it said..."
You're right though that some of these are getting far more sophisticated now. I'm working in security these days, and some of the tricks and exploits I've seen recently are utterly terrifying. Things are going to get a lot worse before it gets better, people at all levels from CEOs to your mum really need to start taking security seriously rather than it being an inconvenient afterthought or something really nasty is going to hit the fan.
You’re right though that some of these are getting far more sophisticated now. I’m working in security these days, and some of the tricks and exploits I’ve seen recently are utterly terrifying. Things are going to get a lot worse before it gets better, people at all levels from CEOs to your mum really need to start taking security seriously rather than it being an inconvenient afterthought or something really nasty is going to hit the fan.
1000% agree. On the plus side, anyone with a career in IT security should be sorted for the next few years or so... 😀
Thanks for detailed replies. I don't think my email account has been compromised then. Yes I use Windows. The password for my email is different from other less important accounts and changed not that long ago. I guess they have got a contact list at some point somehow. The emails I get look like it's from Sophie for example when you glance at inbox but if you click to see full address it's Sophie@ghyyhddbnj124789553.com not just generic names though some more unique ones that can't be a coincidence. I am pretty careful with checking things like this because I'm self employed and have heard about the scams intercepting invoices.
Point of note here, even if the addresses were correct it's laughably easy to spoof email addresses so that's no guarantee of anything.
It's a pity email headers aren't a bit easier to read, and access. I don't use Outlook any more, but it used to be really difficult to find the headers. If you look at the headers and spend a little while understanding them, you can quite often see that the sender is not the person whose address appears in the From field. With a bit more knowledge, you can check things like SPF to see if the computer that sent it was one that the owner of the domain (the .co.uk or .com bit) has authorised for sending their mail.
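Added example, not part of the thread: a small Python check that reads the raw headers of a message and flags the signs discussed above (a known name on an unknown domain, a Reply-To that redirects replies elsewhere, and the SPF result recorded by the receiving server). The sample message, the domains and the `known_contacts` mapping are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every name and domain here is made up.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net
From: Sophie <sophie@x7k2q9.example>
Reply-To: collect@other.example.net
To: me@example.org
Subject: Quick question

Have a look at this link.
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_headers(raw, known_contacts):
    """known_contacts (hypothetical): display name in lower case -> real domain."""
    msg = message_from_string(raw)
    findings = []
    name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    # A familiar display name attached to a domain that contact never uses.
    expected = known_contacts.get(name.strip().lower())
    if expected and from_dom != expected:
        findings.append("display-name-mismatch")
    # Replies would go to a different domain than the one shown in From.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-redirect")
    # Weak signal on its own: mailing lists and bulk senders also do this.
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        findings.append("envelope-sender-differs")
    # SPF result as stamped by the receiving server; only trust your own provider's line.
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    spf = m.group(1).lower() if m else "none"
    if spf != "pass":
        findings.append("spf-" + spf)
    return findings
```

SPF is evaluated against the envelope sender (Return-Path), not the From line, so a "pass" on its own does not prove the visible sender is genuine.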