Spam: Mail Quotas and Bitcoin

Recently we have become aware of an issue in relation to one of our cloud service providers which is weakening one of our email security measures – specifically the mechanism put in place to make it harder to impersonate UoP senders (i.e. any @port.ac.uk email address). This has allowed a recent increase in the amount of spam being received.

As of late in the afternoon of the 24th February, the cloud vendor has fixed the issue so there relevant spams should stop arriving. Leaving just ordinary spams!

We are in contact with the vendor to resolve this issue, but in the meantime you very well may receive spams with a sender address (“From”) of something@port.ac.uk.

Two quite common varieties of spam that are cropping up are mentioning mail quotas (“your mail quota is exceeded”) and bitcoins (“pay us bitcoin or we’ll leak your secrets”).

In relation to the mail quota spams :-

This example may not reflect the appearance of spams you receive.
  1. We do not have mail quotas; anyone offering to increase your mail quota is offering to do the impossible … or more likely ask you for your password so they can use it nefariously.
  2. If you “hover” (move the mouse pointer to where the clickable link is, but don’t click it), you can see where the link really takes you too at the bottom of the browser window. In the case of this spam, it will say something like https://port.ac.uk/mail-quota/ but will in fact take you somewhere else.

This is a standard phishing spam email – the link will take you to a page that looks like a login window and you will be prompted for your password. Don’t fill it in!

In the case of the bitcoin extortion spams, the main characteristic is that they say something that amounts to “send us bitcoin or we’ll leak all your secrets”. Sometimes they will claim to have broken into your account; sometimes they will claim to have recorded you indulging in activities that you won’t want others to know.

Whilst this could be alarming, it is exceptionally unlikely to be the truth. Extortion spams are widespread and known to have no truth behind them; although the latest ones don’t appear to be “sextortion”, it remains a possibility.

If you are wondering what “bitcoin” is, a link to the Wikipedia article can be found earlier in this article, but in summary it is a “crypto-currency” which is form of money without a backing government/central bank implemented using cryptographic mechanisms. Criminals appear to like it because they (falsely) believe it to be anonymous.

Whilst this is an ongoing situation with a special wrinkle, the advice is still pretty standard :-

  1. If it sounds too good to be true, it probably is.
  2. Does the email “ring right”? If it came from an @port.ac.uk address :-
    1. Does it look like it was composed in Gmail
    2. Do you normally receive emails from that sender?
    3. Is the writing standard what you would expect?
  3. Before you click on a link, check (by “hovering”) if that link takes you to where you expect.
  4. If you click on the link, does the page appear to be in the usual UoP style? Most of our authentication pages go through the same “identity provider” and although there are two main ones with different appearances, they do have a standard “look”.

Because of the current issue (which we expect to resolve in a day or two), be wary of emails from @port.ac.uk addresses that you haven’t corresponded with before.

This entry was posted in Active Attacks, Email and tagged , , , . Bookmark the permalink.

Leave a Reply