
nigelss
Up to speed
8 months ago

Spoof message allegedly from Virgin with subject "Your Bill Is Ready"

Hi Everyone,

I just got caught out by an email looking like it was from Virgin Media. I get them every month so I was running on autopilot. The email contained a pdf file "Your Virgin Media Bill is here___.pdf" which I opened in Acrobat Reader. The pdf contained Virgin and O2 logos and mentioned that the bill might have increased etc, with a button to click to view the bill. This opened a website in a browser asking for VM account login details which I submitted, after which I did not see my bill.

With hindsight it should have been very obvious that it was a scam email from the dodgy email address to the dodgy log-in page but I was not paying attention and I do get legit emails which do not display as you would expect in my email client so I have to select a different view. In this case I just went straight to attachments, spotted the pdf and downloaded it. Total idiot.

The full sequence is:

1. email containing...

2. pdf with button to click to see bill which takes you to...

3. website requesting VM username and password.

The pdf link is actually to a Dropbox page which asks for the VM credentials. On submission the information is passed to a Wix-hosted website. All so blindingly obvious if I had taken the time to look first!

So the scammers are collecting VM accountholder email addresses and passwords so they can try to log in to your VM account. If successful they can collect and change all your details etc. so you might get locked out of your account. It would also give them access to other services you might have, e.g. your email.

In my case I knew something was up when I did not see my bill and instantly logged in to my account and changed everything - account log-in email address, password, memorable words, phone number etc. so the stolen credentials are useless to the scammers.

The time from me submitting the form to getting into my account was probably about ten minutes because VM insisted on sending a validation code to another email address for me to log in and it took some time to arrive. VM did it again when I wanted to change my account details which added to the delay in changing them. The question is did the scammers manage to get into my account in that brief period? I am assuming that I beat them to it because a couple of hours later I can still log in with my updated account/password credentials.

I scanned the pdf for malware and it came up clean so I suppose its main purpose was as a redirect to the dodgy login page. It is beyond belief that I did not even look at the url or stuff at the top of the page because I am so used to getting emails every month from VM.

I hope the above is of use to you. I have been using email and the internet since 1995 and this is the first time I have been caught out. Be warned!

  • Postscript - The spoof email mentioned above arrived in my inbox at 0951hrs this morning. I see another one from the same source but this time with subject "Your latest bill is ready" arrived in my inbox at 1344hrs, both allegedly from [removed] as virgin@media (I can examine the raw headers without actually downloading the email itself). The curious thing is that these emails pass all the validation checks - SPF, DKIM, DMARC - and have an X-spam score of zero. Not downloading/opening this one!

     

     [MOD EDIT: Personal and private information has been removed from this post. Please do not post personal or private information in your public posts. Please review the Forum Guidelines]

    • nigelss
      Up to speed

      This is a scam operation so I included full details so people would know what to look out for. I thought I would contact security at Wix and Dropbox with the relevant details so they can investigate/shut down the spoofers but it turns out there is no way of doing so because I don't have an account with them. I am fed up with useless AI chatbots!

  • ALF28
    Super solver

    Thanks for the warning, I will look out for any fake VM email saying your bill is ready.

    I also have had a few phishing emails pretending to be Virgin, one was picked up by the VM spam filter, but the previous one got through. Usually the sender email address is different to a VM official address.

    The wording was your billing information has expired, or your account is set to close.

    A simple check is to look at the source header and check the sender IP address and look up the IP address which may not be VM but from an unknown server.

    I also have had one from Virgin Money not tagged as spam, and last year when VM email was down, I had an email planning essential works via Amazon on a German IP address not tagged as spam, but the sender address did look like a VM.

    In one case I had a blackmail email sent from my own ntlworld.com email address, tagged as spam.

    I do get a lot of fake banking emails also including most of the UK banks, TSB, NatWest, Lloyds and also Betfair.

    So best to always check emails before clicking on any links to fake websites as they are not always tagged as spam, but may be spam so do not assume an email is genuine unless the email sender detail is checked first in the header. It is very easy for scammers to send an email that may look genuine at first glance and end up submitting data or passwords for accounts that then enables hacking of an account, and if an email is hacked the hacker can then use that to hack associated accounts that use the email.

    Hackers are continually trying to hack accounts and email and social media, I have had recent activity on social media and some emails.

    The use of 2FA helps to keep out hackers and use long strong passwords, and also change your password quick if you think you may have been compromised or fooled by an email that may look genuine but is actually a fake.

    It is best to always login via the actual VM web site rather than click on links in an email.
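
The header check discussed in this thread, as an added example (not code from any poster): it parses raw headers, reads the SPF/DKIM/DMARC verdicts and the sending IP, and flags a message whose display name uses a brand while the From domain is not an expected one. A pass result only vouches for the domain that actually sent the mail. The sample message, `EXPECTED_DOMAINS` and `BRAND_WORDS` are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the reader accepts as the real brand; adjust to your provider.
EXPECTED_DOMAINS = {"virginmedia.com"}
BRAND_WORDS = ("virgin",)

# Constructed sample headers (not taken from the thread).
SAMPLE = """\
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=bounce.mailer-example.net;
 dkim=pass header.d=mailer-example.net;
 dmarc=pass header.from=mailer-example.net
Received: from out1.mailer-example.net (out1.mailer-example.net [203.0.113.25])
 by mx.example.org with ESMTPS; Tue, 01 Jan 2030 09:51:00 +0000
From: "Virgin Media" <billing@mailer-example.net>
Subject: Your Bill Is Ready

body
"""

def registrable_match(domain, expected):
    """True if domain equals, or is a subdomain of, an expected domain."""
    domain = domain.lower().rstrip(".")
    return any(domain == e or domain.endswith("." + e) for e in expected)

def assess(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = " ".join(msg.get_all("Authentication-Results") or [])
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    # The topmost Received header is the one added by the reader's own mail server.
    received = (msg.get_all("Received") or [""])[0]
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    claims_brand = any(w in (display + msg.get("Subject", "")).lower() for w in BRAND_WORDS)
    findings = []
    if claims_brand and not registrable_match(from_domain, EXPECTED_DOMAINS):
        findings.append("brand named in display name, but From domain is " + from_domain)
        if results.get("dmarc") == "pass":
            findings.append("dmarc=pass only authenticates " + from_domain)
    return {"from_domain": from_domain, "auth": results,
            "sender_ip": ip.group(1) if ip else None, "findings": findings}
```
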

  • Hi to all, I am now seeing these emails on a daily basis, always mark them as spam and delete but they change their email and domain so rapidly, always hover the cursor on the sender's email and note the personal email addresses that these are sent from, always be careful what you click on.

    • ALF28
      Super solver

      they change their email and domain so rapidly-

      The spammers continually change the sender address to avoid blacklists and spam filters.

      I have had spam activity also on gmail, possibly by the same spammers sending to VM email and linked to romance fraud using my gmail email and evidence that they also know my VM email address.

      I also think the spammers may be also hackers and will try to hack the emails and I have noticed activity that is unusual both on my ntlworld.com and gmail.com by the same hackers so advise strong passwords and change them regularly including the app password.

      In some cases the cyber criminals may use your address to register you with a company using your identity/email, in one case I have had to delete an account set up by an unknown hacker using my email for fraud.

      So it is advisable to keep a check on the spam emails as some may be criminal activity.

      As I can not remove my old VM email, the problem remains.

      If an email is getting attention from spammers and hackers on a regular basis, it may be wise to cease from using that email and open a new free email in outlook or yahoo for example.

      Cyber criminals use social engineering to get your data to enable hacking, spam email can be part of that data collection using phishing emails, so they can hack your accounts, banks etc.

      I did some checks and most of the spam emails to my VM email are from servers in other European countries but claiming to be UK companies so the websites in any links are probably fake. Many of the companies do not exist or have an address used which is just a postbox for many fake companies they set up.

      • Akua_A
        Forum Team

        Sorry to hear you are still receiving spam emails, ALF28. We can understand the frustration caused. You may find the following link useful. You may also find this link useful regarding spam. Please let us know if you need any further help with this.

        Thanks,

  • AnsteySteve
    On our wavelength

    I have had several of these over the last couple of weeks. Almost caught me out because I had just changed my contract but luckily I realised just in time to stop me opening it.