Sophos Cloud Optix
When the O2 mobile network went down in the UK earlier this month, hundreds of thousands of people were unable to make and receive calls, or connect to the internet from their 3G smartphones.
When the service was eventually returned to normal, O2 apologised and said it would offer compensation to affected users.
It was, therefore, with some interest that SophosLabs researchers noticed a wave of spammed-out emails claiming to come from O2 with the subject line “O2 Online Security”.
Here’s what a typical email looks like (if you want better picture, take a look at this larger version).
Part of the email reads:
As we said in our last update, we want to make it up to our customers for the loss of service some people experienced over the weeks.
The issue we had was unprecedented and we recognise that this caused inconvenience and frustration to those impacted over that one-day period.
We have now identified all those customers directly affected (those whose devices could not connect on our system). To thank all our customers for supporting us through an unprecedented and difficult period, we are also giving everyone on O2 a £10 O2 voucher to spend in store.
Click the link below to protect your account with the new security update.
A £10 voucher. That sounds nice. Who wouldn’t want one of those? And a security update as well!
Well, O2 *is* offering customers a £10 voucher – but the link in the email is, of course, bogus.
If you click on it, you aren’t taken to the real O2 website, but instead a webpage hosted on a compromised third-party website which is just waiting to scoop up your login details.
In short, if you enter your information on the fake O2 login page you will be phished.
Always be cautious about the links that you click on in emails, and think twice before entering your personal information.
Why then blur the URL of the phishing site? Surely it’d be better to leave it unobscured for the purposes of illustrating just where the link will send its victims?
I wonder whether the part in the serif font has been copied from someone else's scam message. It's reasonably-well written, and I saw only the perplexing jump from "over the weeks" to just "that one-day period" that would make me doubt the authenticity. (OK, writing about a "one-day period", instead of a "day", raises an eyebrow, but it probably passes, in a legal/technical context.)
The sans-serif text, however, is reassuringly the infant-grade standard of writing that's the hallmark of scam messages. (Notice that the "customer", in "Dear customer", is in the plain font, suggesting the source message was aimed at someone else.)
I ALWAYS look at the address for domains or embedded sub domains in messages. As a graphic designer I know how easy it is to compose a message with graphics and hijacked text. Bad language skills and syntax can be simple markers too, but the address can be checked in scam listing sites if there are any questions.