Internet Hackers Target Ofcom UK via Telecoms SPAM Email
Some people and telecoms operators around the United Kingdom are being hit by a spate of SPAM emails, which appear to emanate from the national regulator. Industry sources initially suggested to ISPreview.co.uk that Ofcom had suffered a security breach, although the regulator denies this.
The email itself appears to have come from Ofcom’s “spectrum licensing” division, although the regulator said they have “not been sent” by Ofcom and are a “hoax” that should be “treated as spam and deleted“. In a statement Ofcom added, “We have not experienced a breach of our data or systems, and we are investigating as a priority.”
A partial example of the email in question can be found below.
The Hoax Ofcom SPAM Email
From: Spectrum.licensing@ofcom.org.uk
Sent: 05 August 2015 **:**
To: ******************
Subject: IMPORTANT – Document From Ofcom Spectrum LicensingDear Sir/Madam,
Please find attached an electronic version of important documents relating to your Wireless Telegraphy licence or application.
Please read the document carefully and keep it for future reference.
If any details within this letter are incorrect, please notify Ofcom Spectrum Licensing as soon as possible. It is the Licensee’s responsibility to ensure all information we hold is correct and current.
If you have any enquiries relating to this document, please email
spectrum.licensing@ofcom.org.ukYours faithfully,
Ofcom Spectrum Licensing
Riverside House
2a Southwark Bridge Road
London SE1 9HAPhone: *******
Fax: *******
Textphone: ******
The email includes a Microsoft Word attachment that, upon being opened, will ask you to enable Macros (automated tasks). Sadly anybody who is foolish enough to be tricked into doing that will instead enable a malicious macro that downloads further malware (Trojan), which appears designed to monitor and steal personal / financial information or do other damage.
As Ofcom says, it’s best to treat these as SPAM and delete them. Sadly it’s not hard to spoof legitimate email addresses and usually only a more advanced user will know to go into the message source and check the sending server details to see if they match with a legitimate one. The SPAMs sending servers tend to include locations from Iran to Romania and many more.
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, Google+, Facebook and Linkedin.
« UPD Got an EE Power Bar with Your Broadband or Mobile? It Might Explode
Comments are closed.
Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.
Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.
NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.
NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
I got one of these and I don’t think I’ve ever given my email address to Ofcom so perhaps it is just general spam.
More info here:
https://thecomputerperson.wordpress.com/2015/08/05/important-document-from-ofcom-spectrum-licensing-docm-virus-spam/
Shortly followed by another bit of spam about booking a conference room:
https://thecomputerperson.wordpress.com/2015/08/05/booking-confirmation-accumentia-16915-doc-macro-attachment-virus/
Same “threat actors” and command and control infrastructure.
So not ‘hackers’ at all, just the usual spammers.
Yep, sad little script kiddies with a exploit which will only affect idiots.
I disagree. Given that the CnC uses SSL and the domains in use have at least 5 geographically diverse IPs it looks very “professional” to me in the scheme of these kinds of crap.
I also received two of these messages and I thought I’d look at one of the messsage source (though not downloading and viewing here – I’m too careful for that) on the ISP’s mail server. I don’t remember the exact details but I did notice that it seemed quite cleverly crafted with some sort of ‘document’ built in. I guess it was a macro virus. Just reading the message would likely do nasties if no application opening caution were used. I have the feeling that it was a JScript and thus smartphones might be affected as well as PC’s. I don’t know if a virus checker would pick this one up? Is there a virus checker for Android? It seems the headers are getting more sophisticated these days in that the usual source ‘url’ and IP number mismatch is getting less common.
Pity the poor innocent appliance operator.
“Pity the poor innocent appliance operator.”
More fool them if they say yes to macros without knowing what the macro will do.