New scam

This topic has been archived, and won't accept reply postings.
Simon4 - on 03 Jan 2017
FYI, I have this morning received a scam email, of a new kind to me to which climbers and outdoor people may be vulnerable.

The email, seemingly coming from an outdoor supplier who I have probably purchased something from in the past, supposedly gives away a 3 season sleeping bag, for which you are supposed to pay only the delivery costs. The email includes a link, which takes you presently to paying for the delivery. This includes getting card nos, 3 digit security no and other details.

A glance at the URL of the payment page shows that it is nothing to do with the (genuine) supplier, it is a scam to get credit card details. Obviously no genuine supplier/financial institution should include a link in an email that leads to payment information being sought, it should just say "you have this wonderful prize", now go and sign on to our website. But some people may be caught out by this and seduced by the supposed free goodies.

Be warned.
Steve Woollard on 03 Jan 2017
In reply to Simon4:

Thanks for the heads up
KevinD - on 03 Jan 2017
In reply to Simon4:

Oddly well targeted. Have you dropped an email to the supplier? They may have lost their customer list.
Simon4 - on 03 Jan 2017
In reply to KevinD:

Not necessary, they actually sent a warning email later.

It seems that there was a clear breach of data security, the "payment page" had my phone no, name and address correct. Fortunately my instincts kicked in to say that if something seems too good to be true, it usually is, also if they were giving away a reasonable quality sleeping bag, they would hardly be likely to balk at paying for the postage. So I started to inspect elements of the message, the payment page etc.

Just thought it would be useful to get this warning out as soon as possible, lest someone else be caught by being a little less cautious than me.
JFT - on 03 Jan 2017
In reply to Simon4:

Thanks for the heads up!

Strangest phishing scam to hit my inbox was one saying that I had been tagged as a co-author in some academic paper. They needed me to fill in my personal details to credit me properly...
johncook - on 03 Jan 2017
In reply to Simon4:

Which supplier?
Simon4 - on 03 Jan 2017
In reply to johncook:

Would rather not say, seeing as they appear to have tried to repair the matter. A description of the scam should be enough to warn everyone.
SenzuBean - on 03 Jan 2017
In reply to Simon4:

Out of interest - are you signed up to Mountain Training UK? They had a data breach a few weeks ago - with most of the details you mentioned.
Simon4 - on 03 Jan 2017
In reply to SenzuBean:
No, they are not involved in this instance of scamming.

I take this scam to be entirely motivated by money; sometimes data-breach attacks, e.g. denial of service attacks, are motivated partly by money (i.e. straightforward thieving) and partly by the desire to cause reputational damage to the target company. But seeing as the supplier concerned seem to have done what they can to rectify the situation, it seems unreasonable to bandy their name around as people should have enough information to recognise and avoid the scam.
Post edited at 21:45
1
SenzuBean - on 03 Jan 2017
In reply to Simon4:

> No, they are not involved in this instance of scamming.

> I take this scam to be entirely motivated by money; sometimes data-breach attacks, e.g. denial of service attacks, are motivated partly by money (i.e. straightforward thieving) and partly by the desire to cause reputational damage to the target company. But seeing as the supplier concerned seem to have done what they can to rectify the situation, it seems unreasonable to bandy their name around as people should have enough information to recognise and avoid the scam.

What I meant was that maybe the MT details were sold on the darkweb, and the buyers decided the best way to scam 'mountain trainees' was not to try and sell them a training course (because who would sign up for that? no-one), but to say they won a sleeping bag, using some supplier chosen at random from the UK. But that theory goes out of the window since you're not signed up to mountain training.

How else do you think they got your details and associated you as being an outdoor person?
Simon4 - on 03 Jan 2017
In reply to SenzuBean:

> How else do you think they got your details and associated you as being an outdoor person?

Well I would imagine that they have in fact managed to hack into the supplier's database, so have got genuine information. So a relatively sophisticated hacking operation, as contrary to what happens in all the films, spotty 15 year-olds in their bedrooms can't really navigate their way around systems or SQL databases.

Once when I worked for a rare book seller, they had a system that stored credit card details INCLUDING security information like the 3 digit verification no in clear in, of all things, an Access database. Which given that this might include things like signed first editions of Hemingway novels at $500,000, with customers including some very well known popstars and actors, was a pretty spectacular vulnerability, especially as the database had been copied in a totally uncontrolled fashion by one of the developers!
KevinD - on 03 Jan 2017
In reply to Simon4:

> So a relatively sophisticated hacking operation, as contrary to what happens in all the films, spotty 15 year-olds in their bedrooms can't really navigate their way around systems or SQL databases.

Depends really on how good their systems are. A spotty 15 year old can stick Kali on a USB stick and start playing from there. Plenty of guides, and sadly SQL injection is still way too common a vulnerability.

> Once when I worked for a rare book seller, they had a system that stored credit card details INCLUDING security information like the 3 digit verification no in clear in, of all things, an Access database

Access in itself isn't necessarily that bad. It's how you manage permissions that counts, and the limitations that mean it doesn't play well at scale are actually a defence of sorts. Quite spectacular breach of the banking guidelines though. They would have kissed goodbye to their ability to use cards if that was found out by the banks.
1
SenzuBean - on 03 Jan 2017
In reply to Simon4:

> Once when I worked for a rare book seller, they had a system that stored credit card details INCLUDING security information like the 3 digit verification no in clear in, of all things, an Access database. Which given that this might include things like signed first editions of Hemingway novels at $500,000, with customers including some very well known popstars and actors, was a pretty spectacular vulnerability, especially as the database had been copied in a totally uncontrolled fashion by one of the developers!

As a software engineer, that makes me cry a little on the inside.
Lion Bakes on 03 Jan 2017
In reply to Simon4:
And now, because you followed the link, they know your email account is still active. Get ready for more phishing scams.
Post edited at 23:10
Simon4 - on 04 Jan 2017
In reply to KevinD:
> Quite spectacular breach of the banking guidelines though. They would have kissed goodbye to their ability to use cards if that was found out by the banks.

Actually if discovered, let alone abused in the way that there was obvious scope for, it would probably have meant curtains for the company.

Which was exactly what I told the CEO in an emergency late-night (late night in the UK, that is) phone call to say that we should drop everything else until a fix was found. Not possible to be sure about all or any copies that might have been made of the DB retrospectively though.
Post edited at 10:36
zimpara - on 06 Jan 2017
In reply to Simon4:
> FYI, A new kind of scam which climbers may be vulnerable.

Climbers do not read or post in Off Belay so a slightly pointless post being in the wrong section of the forum, even more pointless is the fact that climbers are the tightest ham fisted bunch of bastards I have ever met, so they wouldn't pay £3 delivery on a free sleeping bag anyway.
Scammers need to up their game to catch climbers out.
Post edited at 20:38
8
Martin W on 07 Jan 2017
The scammers who targeted Simon4 are still at it. I received an e-mail purportedly from the retailer concerned this morning, this time offering a £140 rucksack for the cost of shipping alone. It does look fairly convincing: sender's e-mail well spoofed (it surprises me how many scammers don't even bother to do this), addresses me by name, and no spelling errors. The actual language is a bit clunky - e.g. "we have special present for you", "you are the one of ten our valued customers" - and the obvious red flag is the invitation to click on an embedded link in order to pay for the shipping. They are clearly hoping that people will be so distracted by the idea of a free rucksack that they let their guard down and hand over their payment card details to a random passer-by on the Internet.

The retailer concerned had already e-mailed me earlier in the week to warn of a potential data breach in their systems. Looks like someone got hold of a good chunk of their customer database and is slowly working their way through it.
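As an added example that is not from any poster in this thread: the check Simon4 and Martin W both describe, that the link you are asked to pay through does not sit under the sender's own domain, written as a short Python script run over a constructed message. The sender and link domains are placeholders, not the retailer concerned.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the thread: sender address at the retailer's
# (placeholder) domain, greeting by name, and a "pay for delivery" link that
# leads to a host merely prefixed with the retailer's name.
SAMPLE_EMAIL = """\
From: Customer Care <offers@example-outdoor-shop.co.uk>
To: simon@example.net
Subject: Your free 3 season sleeping bag
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Simon, you are the one of ten our valued customers.</p>
<p>Pay only the delivery and your sleeping bag ships today:</p>
<a href="https://example-outdoor-shop.co.uk.pay-delivery.example/checkout">Pay delivery</a>
<p>Terms: <a href="https://example-outdoor-shop.co.uk/terms">terms</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Gather every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]


def host_belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain of it.
    The dot boundary matters: 'shop.co.uk.evil.example' is not under 'shop.co.uk'."""
    return host == domain or host.endswith("." + domain)


def off_domain_links(raw_message):
    """Return hrefs whose host is not under the domain the From header claims."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    claimed = msg["from"].addresses[0].domain.lower()
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content())
    return [href for href in collector.links
            if not host_belongs_to((urlsplit(href).hostname or "").lower(), claimed)]
```

Because the From address can itself be spoofed, as Martin W notes, a link that passes this check is not proof the mail is genuine; the thread's advice to go to the retailer's site yourself rather than follow the link still applies.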
zimpara - on 07 Jan 2017
In reply to Martin W:

You have proved yourself a climber by refusing to pay £4 postage to receive a £140 backpack. Well done! :D
Simon4 - on 07 Jan 2017
In reply to Martin W:

Sounds remarkably similar.

I guess that most people can spot the banking scams very easily now, let alone the Nigerian princes, so scammers need to be a bit more sophisticated in their targeting, giving at least a plausible story and some appearance of personal connection. I imagine something similar is being done regarding cycling, swimming and dozens of other specialist interest areas, to catch people when they are a bit less guarded than with the well known, generic areas.

A while ago I remember the fake delivery scam, when you supposedly had to get an unexpected parcel from Parcel Force or whoever. That seems to have run its natural life now, or perhaps it was never very successful.

A Red Queen arms race between the scammers and the punters really; let's hope they don't get genuinely hard to distinguish from real transactions.
PATTISON Bill - on 08 Jan 2017
In reply to Simon4:

No such thing as a free lunch.
zimpara - on 09 Jan 2017
In reply to PATTISON Bill:

> No such thing as a free lunch.

Congratulations! You have just won a free lunch.

The delivery charge is £....
1
ben b - on 09 Jan 2017
In reply to Simon4:

A well known outdoors site sent me an email about 6 months back saying that it was just possible that someone might have hacked them a teeny tiny bit but not to worry, just to let you know, you might want to look at your statements carefully, but of course the data was in such a form that it is impossible for them to use it etc etc.

2 days later the card ran a series of very expensive transactions for hotel stays in London from fictitious people in my name. I was demonstrably on the other side of the world at the time; I was alerted by my bank that there were suspicious transactions that were stopped straight away and the card held. The fraud was reported by the bank here (and they were informed of the source of the potential security breach).

I emailed the company to let them know and they said there was no proof it was anything to do with them. Obviously it was just a coincidence... Which was why they sent the email warning presumably. "We will continue to conduct a thorough internal investigation and we will update all affected [individuals] on any material developments" was the last I heard from them - in April 2014.

The old outdoor wish to "stay safe out there" still applies in cyberspace...

b