Compromised, but what?
This morning I checked my mail and discovered an email with a one line URL. Nothing new, this spam is doing the rounds.
What was new was that the email claimed to be from me and it was sent to people on my address book. Sort of.
As you can see, the email address is actually somebody at advancedframingcorp. No idea if it is a real person and if his identity has been swiped or if he is the sender. And the recipients? I think I know or have been in contact with them all:
One of those is my boss, so I hope you, dear spammer, choke on your own vomit and die in horrible prolonged agony, all alone. Yes, it is a nasty thing to wish to another person, but I'm sure if this had happened to you, you'd feel the same.
Luckily for me, there's such a flurry of messages at the moment that the one supposedly from me was off the top of the screen so I was able to get my boss to delete it before it had even been looked at.
This list is actually quite interesting. It is woefully incomplete by virtue of omitting the people I contact the most frequently. My original thought was that Yahoo! had been compromised, but the address book on Yahoo! doesn't hold all of these addresses. GMail? Hardly any. I intentionally don't set my devices to synchronise address books.
So, let's look at this list again. I have fired up all four phones and tried to write an email to "li". One phone recognised that as part of the name "John Williams", however the email address listigraev (a nice bloke from America, we used to talk about Eurovision stuff) is not known on any of my phones, neither in the address book nor in "recently contacted". I'm sure I used one or other of the phones to communicate with him, but I've not spoken to him for a long time.
Same for rdecker. It's been... years.
Ganesh? Sorry. I'm sure we communicated in some fashion at some time, but I don't remember when or why. Ditto dodwell and therealbrute.
Why is Mick on the list using the non-obvious backup address, and not the one I usually use? Satsuki? Not there. My mother? Not there, nor is her friend that I sometimes am asked to send pictures to. Don't think I'm complaining, the fewer people that got spammed, the better. But in terms of trying to work out the origin of these addresses... you got me. There's no ROOL (Steve, Ben, etc). David Pilling is on the list but other people in the RISC OS scene are not. Ewen? Not there either.
Then there is heyriXXXX. That's me. Why am I there? Because the only thing these addresses have in common is that they are addresses used to send stuff from Yahoo! - and in cases where I send stuff to myself or send test messages to verify that things are working (or not...), I send between accounts. Few people on the list are contacted from my private email account, all may have been contacted via Yahoo!'s web form.
Now, I can't point the finger of blame at Yahoo! with nothing that resembles evidence, but it is an extremely interesting collection of email addresses: it is missing the people that I talk to regularly and it contains people I don't remember. These (most likely) are people that I have been in touch with, but this list does not correspond to the address book on any of my devices (physical or "remembered recent"). Apart from carrier bundled software and things that I feel I can trust (like Amazon), I don't install stuff that asks for more permissions than makes sense, despite Google's continuing efforts to better hide the list of permissions that apps actually want. There's no fart app in the world that is going to be good enough to justify it wanting to rummage around my address book. No, it just ain't gonna happen.
As such, I am starting to suspect that it was not me that was compromised.
As Mick pointed out in a message to me earlier in the day, with all of these service providers outsourcing to god only knows where, who knows what could happen? You'd think you'd be taken care of well if you were tactless enough to stay in a Trump hotel, right? I mean, the guy with the fake looking hair is vying to be president for God's sake. Well, bzzzt. They got pwned. So did the Hilton chain. Okay, okay, I am pushing it a bit to compare nicking a weirdly incomplete list of my email addresses with nicking credit cards from a hotel chain (or two, or ....) but in reality I think the issues are more closely related. We rely upon computers and technology for a lot of things, we have some bizarre misplaced trust in computers to not lie or cheat, and those self-same systems run software created in "developing countries" where labour is cheap and shareholders in the first world nation can all go kerching! together. Everybody is bribable, so I don't think it is fair to say a Californian is going to have more integrity than an Indian or a Chinese; however when said Indian/Chinese is working long hours and being bossed around by some guys on the other side of the planet and is being paid maybe enough to feed his family and educate one of his children... you might find the yardstick for "how much it would take" to be considerably lower. As for the auditing and code verification, well... does this even happen to a greater degree than getting some beta testers to attempt to break the product? The modern mobile phone, for instance, is so complicated that who knows if some sort of spyware is included these days.
Yes - it probably is. One of the selling points of my Galaxy S5 Mini was that it did not have any Facebook bloatware within. This is one of the reasons I was not going to be buying a Sony phone. I never used the Facebook stuff in the previous two phones, but I wouldn't be surprised if it didn't report back to the mothership at intervals. It just wouldn't necessarily be able to associate what it saw with me. And then there's other stuff and sometimes it's your own government.
Essentially, we're screwed. And because everything is oh-so-convenient, we'll carry on being screwed.
As a closing note, I sincerely trust that nobody who received this message supposedly from me was dumb enough to click on the link. If I am going to mail you a link, I would begin by at least saying "Hi", and give at least some sort of synopsis of what the link was - essentially your reason for wanting to click it. The only time I would skip this part is if you asked me for a link and I was getting back in touch with you. Otherwise, I am mindful of the fact that I would not click a link when I had no idea what it was; why should you? And, finally, just because it says "Rick Murray" doesn't mean that it is "Rick Murray". If you get an email that looks peculiar, look for the sender's address (usually tapping/clicking the friendly name will pop up something telling you the associated email address). Clearly it's a fake.
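The check described above (compare the friendly name against the actual sender address) as an added example, not code from the original post. The contact book and the From headers are constructed; the address at advancedframingcorp is a placeholder, since the post does not give the full address.

```python
"""Flag From headers whose display name matches a known contact but whose
address is not one of that contact's addresses, or whose display name is
itself an address that differs from the real one.  Constructed sample data."""
from email.utils import parseaddr

# Constructed contact book: display name -> addresses known for that person.
KNOWN_CONTACTS = {
    "Rick Murray": {"heyrick@example.org"},
}


def check_from_header(from_value, contacts=KNOWN_CONTACTS):
    """Return (verdict, display_name, address) for a From header value.

    verdict is one of:
      "ok"       - display name and address both belong to a known contact
      "spoofed"  - name claims a known contact (or looks like an address)
                   but the real address does not match
      "unknown"  - name is not in the contact book; judge the address itself
    """
    name, addr = parseaddr(from_value)
    name, addr = name.strip(), addr.strip().lower()
    # A display name that looks like an email address but differs from the
    # real address is a classic disguise; treat it as spoofed outright.
    if "@" in name and name.lower() != addr:
        return ("spoofed", name, addr)
    known = {a.lower() for a in contacts.get(name, ())}
    if not known:
        return ("unknown", name, addr)
    if addr in known:
        return ("ok", name, addr)
    return ("spoofed", name, addr)


# Constructed header values resembling the situation in the post.
SAMPLES = [
    '"Rick Murray" <heyrick@example.org>',
    "Rick Murray <somebody@advancedframingcorp.example>",
    "josher@muralsrule.example",
]


def triage(from_values=SAMPLES):
    """Classify each From value; returns a list of (verdict, name, address)."""
    return [check_from_header(v) for v in from_values]
```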
And a final note for Spotify subscribers
The French version says (also para 3.3):
Your contacts: we will never scan or import the contacts stored on your phone unless you explicitly authorise us to do so beforehand. We will use your contact information only to help you find friends or contacts who use Spotify, if you so choose, and we will not use your contact information for other purposes without first, and separately, asking for your explicit permission. Local legislation requires that you obtain your contacts' consent before providing their personal information to Spotify, which may use that information for the purposes set out in this Privacy Policy.
Just so there is no misunderstanding here - I do not give Spotify permission to collect any information on me from the mobile devices of those who may contact me.
And, also, I do not give Spotify permission to collect my information from my friends' address books.
If you have me in your address book and you wish to use Spotify and permit it to access your address book, please delete me first.
If I am in your address book and you wish to open access to Spotify, please delete me first.
All clear now?
|Mick, 30th September 2015, 14:04|
Ding - Penny drops! It's a BT yahoo compromise. I had a similar message from one of my contacts yesterday with a few of his contacts. Came from josher-at-muralsrule.whatever... Gave me a link to SusanBoatman? Anyhow, I've looked at my block list from the last 4 months and all the genuine addresses from senders being spoofed belong to yahoo.co.uk or btinternet. Not all these contacts know each other. I'd ruled out my phone as not all the contacts are in there. I was pulling my hair out trying to make a connection. BT and Yahoo are one and the same now I believe?!
© 2015 Rick Murray
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted.
RIPA notice: No consent is given for interception of page transmission.