I received a phishing scam email this morning. The link in the email takes you to a page which looks just like a Virgin Media login page - but it isn't. Notice how the words in the body contain extra letters to confuse spam engines. The font colour of the extra letters is set to white in the original email so that they don't show up on the screen.
The email it was sent to isn't the primary email on my account so I knew something was fishy about this. The return address clearly isn't Virgin Media and the address of the linked page at the bottom isn't Virgin Media either. I have removed the link details so that nobody can click on it from here.
I would be happy to share a copy of the original with Virgin Media if I could only find out where I can send it to! In the meantime, be aware that these emails are being sent out and you should not respond to them.
Return-Path: <email@example.com>
Delivered-To: **Redactedfirstname.lastname@example.org
Received: from md21.tb.ukmail.iss.local ([126.96.36.199])
  by mc7.tb.ukmail.iss.local (Dovecot) with LMTP id 9imELpt4gVg4fgAAu0mRFQ
  for <**Redactedemail@example.com>; Fri, 20 Jan 2017 03:40:42 +0100
Received: from mx2.tb.ukmail.iss.as9143.net ([188.8.131.52])
  by md21.tb.ukmail.iss.local (Dovecot) with LMTP id Hn8ACBOnsFbLVgAADJc0sg
  ; Fri, 20 Jan 2017 03:40:42 +0100
Received: from 10.mo173.mail-out.ovh.net ([184.108.40.206])
  by mx2.tb.ukmail.iss.as9143.net with bizsmtp id aSgf1u00h3By4by01Sgg1P;
  Fri, 20 Jan 2017 03:40:42 +0100
X-SourceIP: 220.127.116.11
X-CNFS-Analysis: v=2.2 cv=aZARpVgt c=1 sm=1 tr=0 a=HXow+KII6CRwBpRwm1oOGg==:117 a=HXow+KII6CRwBpRwm1oOGg==:17 a=kj9zAlcOel0A:10 a=IgFoBzBjUZAA:10 a=NLZqzBF-AAAA:8 a=dJbfLWhzAAAA:8 a=S2BnI4uaAAAA:8 a=wCAtVBXwnotUtLMw65MA:9 a=Ve1ADDYU8EqZd9ob:21 a=CjuIK1q_8ugA:10 a=VHZsXNVCBSYA:10 a=wW_WBVUImv98JQXhvVPZ:22 a=dUwgDRQI5yeyuw7QQUlG:22 a=zeZIAsrCKXVmH3gtOYCV:22
Received: from player718.ha.ovh.net (b7.ovh.net [18.104.22.168])
  by mo173.mail-out.ovh.net (Postfix) with ESMTP id 9A46618404
  for <**firstname.lastname@example.org>; Fri, 20 Jan 2017 03:40:39 +0100 (CET)
Received: from PC-PC (unknown [22.214.171.124])
  (Authenticated sender: email@example.com)
  by player718.ha.ovh.net (Postfix) with ESMTPSA id 305034E006B
  for <**firstname.lastname@example.org>; Fri, 20 Jan 2017 03:40:37 +0100 (CET)
From: "Virgin Media" <email@example.com>
Subject: Your latest Virgin Media Bill cannot be processed
To: **firstname.lastname@example.org
Content-Type: text/html; charset=us-ascii
MIME-Version: 1.0
Reply-To: email@example.com
Date: Fri, 20 Jan 2017 02:40:34 +0000
X-Ovh-Tracer-Id: 8693917607750849184
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 60
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrfeelgedrgedvgdehiecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpd
I received this and checked it on my phone, and as the email was correct and the payment date was correct, I followed it. I've now had to change all passwords and notify banks etc. Please post this information out to all users, Virgin, so they are aware.
Not when the only unpicking a spam filter has to do is test whether the login request points to a genuine Virgin Media domain.
You and I can both tell, in seconds, that it is a phish, and my brain's not exactly state of the art nowadays.
In fact all the filter has to spot is that it is an e-mail with a login link for Virgin. As Virgin, by policy, never send emails asking for that. It is fraud. Do not pass go, do not deliver to customer....
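The check described in the replies above, combined with the white-text padding from the first post, sketched in Python as an added example that is not part of any post in this thread: it drops text styled white before looking for the brand name, then tests whether each link's host is on an allowlist. The allowlisted domain `virginmedia.com`, the sample message and its `.example` link are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

TRUSTED = ("virginmedia.com",)  # assumption: the filter's allowlist of genuine domains
BRAND = re.compile(r"virgin\s*media", re.I)
# "color: white" in a style attribute, but not "background-color: white"
WHITE = re.compile(r"(?<![-\w])color\s*:\s*(?:white|#fff(?:fff)?)\b", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link"}  # tags with no end tag
# Constructed sample: white filler letters split the brand name in the raw HTML.
SAMPLE = ('<p>Your latest Vir<font color="white">qx</font>gin Me'
          '<span style="color:#ffffff">zz</span>dia bill cannot be processed.</p>'
          '<a href="http://billing-update.example/login">Log in</a>')

class Visible(HTMLParser):
    """Separates text a reader sees from text styled white, and collects hrefs."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack, self.text, self.hidden, self.links = [], [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag in VOID:
            return
        white = bool(WHITE.search(a.get("style") or "")) or (
            tag == "font" and (a.get("color") or "").lower() in ("white", "#fff", "#ffffff"))
        inherited = self.stack[-1][1] if self.stack else False
        self.stack.append((tag, inherited or white))  # children inherit hidden state

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # close the nearest matching tag
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        (self.hidden if self.stack and self.stack[-1][1] else self.text).append(data)

def trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def assess(html):
    p = Visible(); p.feed(html); p.close()
    visible = " ".join("".join(p.text).split())
    hosts = [urlsplit(h).hostname for h in p.links if urlsplit(h).scheme in ("http", "https")]
    bad = [h for h in hosts if not trusted(h)]
    return {"visible": visible, "hidden_chars": len("".join(p.hidden)),
            "untrusted_links": bad, "phish": bool(BRAND.search(visible)) and bool(bad)}
```

Matching on the host suffix with a leading dot means a lookalike such as `virginmedia.com.login.example` is still treated as untrusted.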