A false accusation of "hacking"

One particular style of phishing email runs something like this (edited for brevity):

From: service@paypalL.com
Subject: Your account was hijacked by a third party.

Dear PayPal valued account holder,

We recently noticed one or more attempts to log in your PayPal account from a foreign IP address and we have reasons to believe that your account was hijacked by a third party without your authorization.

If you recently accessed your account while traveling, the log in attempts may have initiated by you.

However if you are the rightful holder of the account, click on the link below and submit, as we try to verify your account.

The log in attempt was made from:

ISP host: sargon.cl.cam.ac.uk


Well, spare a thought for the lucky owner of sargon.cl.cam.ac.uk (not its real name), because some of the people who receive these emails take them as compelling evidence (kindly supplied by PayPal) that someone on that machine was trying to hack into their account and steal all their money.

In practice of course, the accusation is as false as the rest of the email, which is merely designed to get you to click on a link to visit a phishing website and reveal your PayPal login credentials to the criminals.

We’ve found examples of emails mentioning our machine name in several web archives, so it looks as though this part of the rubric isn’t entirely random but is chosen from a shortlist… and on two recent occasions people have worked out where this machine is located and have decided to get in touch with our hardworking sysadmins to complain about what they assume to be students acting in a criminal manner.

Such complaints would be straightforward to deal with, except that the “sargon” machine happens to be used for monitoring phishing website lifetimes. Fairly regularly this leads to correspondence, when people clearing up an intrusion into their machine come across our monitoring visits in their web server logs. Of course once we explain the nature of our research, everyone is happy.

Anyway, last weekend someone complained about us hijacking his PayPal account, and it was immediately assumed that this was just someone else looking at their logs, and so there was little here to be unduly worried about.

The complainant was promptly asked for the evidence, and he sent back a copy of the email. Unfortunately, the University of Cambridge spam filter quietly discarded it, because it contained a phishing URL. Everyone here assumed that the matter had been forgotten about, and nothing proactive was done to follow it up.

Unfortunately, at the other end of the conversation, it looked as if Cambridge wasn’t responding, and perhaps the sysadmins were part of the criminal conspiracy. So, still concerned about the safety of his PayPal account, the complainant contacted the Metropolitan Police and the local Cambridgeshire constabulary… which would have been an interesting experiment in seeing whether eCrime is ever investigated, had it not, at heart, been an unfortunate misunderstanding. So far, no officers have appeared at our door, so hopefully not too much police time has been spent on this.

Eventually, after a little more to-ing and fro-ing, a copy of the original email reached the sysadmins via a @gmail account (which doesn’t discard messages merely because they contain phishing URLs), the penny dropped, and it was all sorted out on the phone.
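The sting in this story is a report that never arrived because it carried the phishing URL inline. The following is an added Python example, not code from the original post or from the Cambridge sysadmins, showing how a reporter can package such an email so that the outer message contains no URL at all while the original’s headers survive intact for whoever investigates. The addresses, the Received header and the link in the sample are constructed for the example.

```python
"""Send a suspected phishing email as evidence without re-sending its URL inline.

Pasting the phish into a new message puts the phishing URL back into a body
that a mail gateway may discard. Attaching the untouched original as a
message/rfc822 part keeps its headers (Received, From, Message-ID) for the
recipient's analysis, and a SHA-256 digest in the cover note lets the
recipient confirm the attached copy is the one the reporter saw.

Example code added for illustration, not from the original post. The
addresses, Received header and URL below are constructed.
"""
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample modelled on the email quoted in the post; the Received
# header, Message-ID and the link are invented for this example.
SAMPLE_PHISH = b"""\
Received: from mail.example.net ([192.0.2.10]) by mx.example.org
From: service@paypalL.com
To: victim@example.org
Subject: Your account was hijacked by a third party.
Message-ID: <constructed-0001@example.net>
Content-Type: text/plain; charset=us-ascii

Dear PayPal valued account holder,

The log in attempt was made from:

ISP host: sargon.cl.cam.ac.uk

Click below to verify your account:
http://paypal-verify.example.invalid/login
"""


def sha256_hex(raw: bytes) -> str:
    """Hex SHA-256 of the raw message bytes, as quoted to the recipient."""
    return hashlib.sha256(raw).hexdigest()


def build_report(raw: bytes, sender: str, recipient: str) -> EmailMessage:
    """Wrap `raw` (a complete RFC 5322 message) as a message/rfc822 attachment."""
    original = BytesParser(policy=policy.default).parsebytes(raw)

    report = EmailMessage(policy=policy.default)
    report["From"] = sender
    report["To"] = recipient
    report["Subject"] = "Phishing report: " + str(original.get("Subject", "(no subject)"))
    # The cover note quotes nothing from the original, so no phishing URL
    # appears in the outer body.
    report.set_content(
        "Attached, unmodified, is a phishing email that names one of our hosts "
        "as the source of a supposed login attempt.\n"
        f"SHA-256 of the attached message: {sha256_hex(raw)}\n"
    )
    # Passing a Message object to add_attachment produces a message/rfc822 part.
    report.add_attachment(original)
    return report


def extract_original(report_bytes: bytes) -> EmailMessage:
    """Recover the attached original from a serialized report."""
    outer = BytesParser(policy=policy.default).parsebytes(report_bytes)
    for part in outer.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()  # the nested EmailMessage
    raise ValueError("no message/rfc822 attachment found")


def urls_in_cover_note(report: EmailMessage) -> list[str]:
    """Return any http(s) URLs present in the outer body (should be none)."""
    body = report.get_body(preferencelist=("plain",)).get_content()
    return [tok for tok in body.split() if tok.startswith(("http://", "https://"))]


if __name__ == "__main__":
    rpt = build_report(SAMPLE_PHISH, "sysadmin@example.org", "abuse@example.com")
    wire = rpt.as_bytes()
    inner = extract_original(wire)
    print("outer type:", rpt.get_content_type())
    print("outer body URLs:", urls_in_cover_note(rpt))
    print("inner From:", inner["From"])
    print("inner Message-ID:", inner["Message-ID"])
```

The report is multipart/mixed: a plain-text cover note carrying the SHA-256 of the raw original, and the original itself as a message/rfc822 part, which is the same structure a mail client produces with “forward as attachment”. A gateway that inspects nested parts can still act on it, so this improves the odds rather than guaranteeing delivery; what the digest buys is that the recipient can confirm the copy they got is exactly the one the reporter saw, which matters when the email is the only evidence.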

I’d like to draw a moral from this story, but apart from noting the wickedness of discarding valuable email merely because it superficially resembles spam, it’s not easy to lay the fault more in one place than another. In particular, it’s clearly nonsense to suggest that people should just “know” that emails like this are fraudulent. If phishing emails didn’t mislead a great many people, then they’d evolve until they did!

5 thoughts on “A false accusation of "hacking"”

  1. Did you double-check the discard with Mail Support? In general the central filter doesn’t discard a message _just_ because it contains a phishing URL. If it discarded (as opposed to tag-and-pass-on and hit personal filters) then AFAIK it must have been owing to the DNS blacklisting checks, which meant it did not reach the SpamAssassin checks – the mail gateway “…does not reject email based on its SpamAssassin score”

  2. The spam filter doesn’t automatically cause discards, but I bet the anti-virus one does – and given that quite often AV systems pick up phishing URLs as viruses, that might be why it vanished…

  3. @0800…

    Simon Bunce has posted on this blog before; you can google for it.

    One thing that did come out of his protracted attempt to clear his name was an FOI request in the US. Apparently some fairly interesting stuff came out of the woodwork over and above that which proved Simon was not the person using his CC details.

    It will be interesting to see how Simon’s case against a retailer pans out.

  4. (Been meaning to say hello)

    Directly after reading this, I received an interesting evolution of the Nigerian scam:

    “The BRITISH High Commission in Nigeria, Benin Republic, Ghana and Bokinafaso received a report of scam against you and other British/US citizens and Malaysia Etc.”

    Presumably on the basis that people who have fallen for a scammer once will fall for another one, reducing to more likely targets.
