Scam emails tell people they have cancer to trick them into installing a money-stealing Trojan

Sick fraudsters have put out a batch of malware-riddled hoax emails warning recipients that they may have cancer. The scam emails purport to come from the UK National Institute for Health and Care Excellence (Nice). The emails - which arrive with the header "important blood analysis result" - ask prospective victims to …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    NHS leak? I can't see this being very convincing unless you've had a blood test recently.

    1. hollymcr

      That's the whole point of phishing. You send it to enough people and you're going to hit people who have just had a blood test. It's no different from targeting <insert name of bank here>

      1. Anonymous Coward
        Joke

        I don't know, inserting random names could not possibly give such successful hits? Could it? What do you think Dave?

    2. Anonymous Coward

      Yes, when the doctor took my blood he asked for my email address and said he'll email me the results.

    3. Anonymous Coward

      statistics

      Here's a scenario: I have had a blood test lately (completely unrelated). I have a 100% cancer-related mortality rate in my closest family. All true. Now, let's say I get this email, what happens next?

      Yes, if I were an armchair security guru, I might smirk and delete this (...) without thinking about this for a second longer. But due to the particular coincidence of blood test / cancer history / cancer email, my brain makes an instantaneous (false) connection and

      - I shit my pants

      - in the fog that's filled my head (do I have weeks? months?) I click on the zip, click on the "pdf" (all remnants of sanity crushed somewhere in a deepest corner, even though I'm supposedly "paranoid" about security, by the average standards, etc.)

      - nothing happens

      - fog continues. I call my gp, I call the hospital (never get through, or "what are you on about, calm down", etc.)

      At SOME point later I might decide to run an av scan (which might come up with something - or not). Or - perhaps, relieved that all's fine, I just erase the whole incident out of my memory. Job done, trojan delivered.

      And, mind you, a similar reaction from a "mark" can be expected even with no family history of "the big C". There were about 100 people having blood test taken on that morning, and it was an ordinary day, they told me. They would have gone through 500 blood tests per day, easily, 5 days a week, just one hospital. And while the appeal of penis enlargement is rather dubious, who can resist to find out if they're walking dead?

      p.s. Yes, I can see a clear case for capital punishment here. Not because of my smelly pants, but because such people are past redemption and should be removed from society.

      1. alexmcm

        Re: statistics

        That's possible I suppose, but the number of 'hits' would still be very small. I could come up with a spoof email that would get waaaayyy more 'hits' than a recent cancer treatment. How about :

        To all recent passengers of <insert national carrier here> .

        We are contacting all recent passengers of our short and long haul flights, specifically Airbus 320 and Boeing 7x7 series. A staphylococci virus has been detected in the air-conditioning systems of these plane variants and you are required to attend your local gp for a blood test (see attachment).

        Please bring your booking details and passport when you attend.

        Some further convincing bullshit

        Rgds,

        <National Carrier>

        Attachment: Your_Trojan.doc<rtl>.com

    4. Anonymous Coward

      'I can't see this being very convincing'

      What a scam. Gotta love your fellow man that put this together. Not only would it be quite effective, it would hit the right demographic i.e. those of a particular age, well off baby boomers, not web savvy. Having different email accounts or an account not based on your real full name would be an advantage...

      1. Anonymous Coward

        Re: 'I can't see this being very convincing'

        @hollymcr - I know what phishing is. I was wondering if it was spear phishing. If the victims were pulled off a list of people who had had a recent blood test that would change the scenario from "Jesus, that's despicable" to "We need to nail these bastards right now"

        If anyone who hadn't had a recent blood test received one it would be completely unconvincing, just like those ones with the wrong bank on them.

        If you had had a blood test though, it would be a totally different matter. Wouldn't be too surprising if it caused a suicide or two.

        1. Anonymous John

          Re: 'I can't see this being very convincing'

          NICE has denied that the email addresses came from them, and as they don't deal with the public, wouldn't have any such list.

          UK blood donors (who are blood tested every time) are regularly contacted by email, but not for clinical purposes. I can see that some of us would be panicked by this email.

          The standard of English and implausible name says West Africa to me.

          "We suggest you to print out your CBC test results and interpretations in attachment below and visit your family doctor as soon as possible

          Sincerely,

          Dr.Moon Earnest"

          1. Andy A

            Re: 'I can't see this being very convincing'

            I've had 4 of these delivered already, and I've (touch wood) never had to visit the doc for over a decade.

            It's a standard model attack, sending to everyone on their list.

  2. Jim Willsher

    Yesterday was a catalyst for us, I'm now blocking all emails with zip attachments. If anyone needs to get a zip file, they'll find another way. All the zip attachments we've received in the last month have been viruses.

    Emailed zip files no longer serve a business purpose IMHO.

    1. Anonymous Coward

      Been there, done that

      Hehe... I did that 3 jobs ago in 2005. I believe that place kept the policy in place for a couple of years after I left until some marketing genius threw a tantrum.

    2. Anonymous Coward

      Zip files

      I started seeing this incoming (and getting blocked by our third-party scumbag filter gateway) on Tuesday. I thought they were particularly sick, but hey it's thieving tossbags we're talking about.

      In my opinion Zip files do have some legitimate uses, and any decent incoming mail scanner should be able to check inside zip attachments, or quarantine any it can't?

      Of course if you're still not convinced, it's feasible to write a regex or similar to filter incoming mail attachments based on file names, such that you could specify a suffix that would flag legitimate attachments and block all others (eg. <filename>_MyCompany.zip).

    3. Flocke Kroes Silver badge

      Back in the day ...

      ... e-mails over 32k were not certain to make it across the internet. There were tools to split and reassemble large files, but it was far more sensible (and polite) to use sftp/ftp/http. It all started to go horribly wrong when Microsoft started sending e-mail as a container with the same message in html and plain text. I assume they did it because putting **emphasis**, _underlining_ and SHOUTING in plain text was too difficult for Microsoft executives. The internet would be a better place if people set their mail delivery agents to reject long messages.

      PS - The ODF formats are a bunch of things in zip files. If you block zip format files, you will also block .odt word processing documents.

      1. Hugh McIntyre

        Re: Back in the day ...

        Containers with HTML and plain text (or RTF and plain text, etc.) are actually MIME multipart/mixed. Back in the early 90s when this was introduced Microsoft was actually sending the markup in a proprietary "winmail.dat" attachment (very annoyingly for non-Windows users), so they were late to multipart/mixed.

        PS: even in 1989 (rfc1123), >=64KB was more likely: "Although SMTP does not define the maximum size of a message, many systems impose implementation limits. The current de facto minimum limit in the Internet is 64K bytes. [....] and a much larger maximum size is highly desirable"

    4. Mike Moyle

      @ Jim Willsher

      Re: a business case for ZIP files:

      I work for a government agency. Our MIS people block access to cloud/FTP sites (SendSpace, DropBox, etc.). Inserting multiple attachments (InDesign document and PDF from one folder, fonts from another, images from a third -- repeat if you're sending multiple documents) into an email to send off to the printer's is a PITA when compared with dropping in one ZIP archive.

      So, yeah; While it's not an ideal solution, ZIP still serves a useful function in business.

      1. Yet Another Anonymous coward Silver badge

        Re: @ Jim Willsher

        >I work for a government agency

        Shouldn't you be exchanging documents by meeting on a bench in a park and picking up the other briefcase?

    5. Blartbast

      Our mail scanners have always blocked zip attachments that contain any type of executable, but we allow other content as several of our business systems send large reports zipped with passwords for smaller size and a little extra security.

    6. John Tserkezis

      "Emailed zip files no longer serve a business purpose IMHO."

      Bzzt. Wrong answer.

      Had a client who couldn't download the latest iteration of our software that fixed a critical bug from our website. Claimed it "wouldn't download properly".

      So I emailed to him. Nope, it gets everything except setup.exe.

      So I renamed it. Nope, it interrogates the file and still blocks it.

      So I zipped it, and renamed it. Nope, it inspected the zip opened it, inspects files and blocks them anyway.

      I could have gone further, but it REALLY was beyond what I should be doing to work around something that's entirely outside my control. So I asked if he could get his IT people to open an exception, or offer another way. His response was diplomatic in the least, but that wasn't going to happen any time soon.

      So I snail mailed it. Yep, with a fucking postage stamp and everything.

      If it were a substantial volume of data, I would have snailmailed a thumb drive (non-secure critical data here boys and girls!). Are you going to block external drives next? CD/DVD drives? There is only so far you can go before you prevent your people from doing their job.

      Remember how long the Soup Nazi lasted on Seinfeld?

      Like I've said before, never piss off your customers, they might not come back. Second to that, never piss off your employees, not only will they not come back, they'll leave a trail of destruction on their way out.

      All because you took the easy way out. I'd downvote again if I could.

    7. Annihilator

      "Emailed zip files no longer serve a business purpose IMHO."

      * Zip preserves file/folder structure for multiple attachments

      * Most blue-chip tech companies will have insanely small mailbox sizes (25 *Meg* isn't unheard of)

      * Business docs (.doc, .ppt, .xls) compress incredibly well (3:1, or even 10:1 if no pics are involved)

      * Zip has (albeit fairly weak) encryption

      Just 4 purposes without putting much thought into it.

  3. DNTP

    Dear commentors,

    We have been sent a sample of your thumbs for thumb analysis research. During the complete thumb count (CTC) we have revealed that giving me thumbs up is low and unfortunately we have suspicions of missing or negative thumbs.

    Thunmbs up: not enough

    Thumbs down: don't plz

    Other fingers: Unknown

    We suggest you thumbps up this posts so further thump research can confirm that you have thumbs (the up kind not the down kind).

    Thank you,

    Dr. DNTP

  4. auburnman
    Coat

    That's pretty low...

    ...it's definitely not Nice.

  5. Arthur the cat Silver badge
    Megaphone

    I'm normally a pacifist but ...

    some people should simply be beaten to death with a baseball bat. I've got a sick relative who has days bad enough to open one of these without thinking about it first.

    1. Lapun Mankimasta

      Re: I'm normally a pacifist but ...

      I'd settle for a medically correct therapeutic amputation of their heads.

  6. JLV
    Facepalm

    Inquiring minds want to know

    """

    The name of the file is CBC_Result_[random alphanumeric string].zip. Inside the archive is a file with a double extension made to look like a PDF file but in actuality is an executable with a PDF icon

    """

    This wouldn't happen to be on Windows, by any chance? With the thoughtfully-provided hide file extension default setting?

    Oi, Redmond, didn't another malware pull the exact same trick, like 3 months ago?

    1. VinceH

      Re: Inquiring minds want to know

      "This wouldn't happen to be on Windows, by any chance? With the thoughtfully-provided hide file extension default setting?"

      That's always been a stupid setting - but over the last few years I've come to realise that it doesn't matter one single jot. Typical users will believe what they are told the file is, and wouldn't have a clue what the extension means.

      1. John Tserkezis

        Re: Inquiring minds want to know

        "Typical users will believe what they are told the file is, and wouldn't have a clue what the extension means."

        When it comes to "typical" it appears your mileage may vary.

        Of the 300+ employeebase at my last company, I don't ever recall that particular rename trick ever being fallen for. We did have filters in place for known corrupt sources, but they did occasionally get through. Depending on the department, some would get zip attachments all the time - as a matter of their daily work.

        So, either you were dealing with a collection of complete idiots, or more likely, you were too lazy to train them.

        1. VinceH

          Re: Inquiring minds want to know

          "or more likely, you were too lazy to train them."

          Thanks for the out of nowhere insult that lacks any grounds whatsoever. Much appreciated.

      2. Anonymous Coward

        Re: file display settings

        Too true. The default "big gay icon" rather than list or details is also the bane of my life. All the settings in that dialogue are pretty much wrong. They should have an "invert selection" button!

  7. Suricou Raven

    Double extension?

    That's very 2000s. The trick these days is to use a unicode right-to-left control character:

    Actual filename: Sucker_amdiwn<RtL>exe.gpj

    Windows* displays: sucker_amdiwnexe.jpg

    *I don't know if this works on OSX or linux.

    1. Bronek Kozicki

      Re: Double extension?

      Did you mean

      Actual filename: Sucker_amdiwn<RtL>gpj.exe

      1. mark 63 Silver badge

        Re: Double extension?

        No he didn't, or you could skip the <RtL>

        I used to use similar technique for talking anonymously in Quake2 . It really spooked some people!
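
Added example (not part of any comment above, and not code from any mail product): a Python version of the attachment check discussed in the zip-blocking and double-extension threads. It looks inside a zip, blocks members whose real final extension is executable or whose name carries a Unicode bidirectional control character, and quarantines archives it cannot inspect; the extension lists, verdict names and sample file names are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed policy lists for this example; tune them for your own mail gateway.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "jpg", "png", "txt"}
# Unicode bidirectional controls that change the order a name is displayed in.
BIDI_CONTROLS = set("\u200e\u200f\u202a\u202b\u202c\u202d\u202e"
                    "\u2066\u2067\u2068\u2069")


def name_findings(name):
    """Return the reasons one archive member name is suspicious."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-control")
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    clean = "".join(ch for ch in base if ch not in BIDI_CONTROLS)
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = clean.lower().rstrip(". ").split(".")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        findings.append("executable")
        if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
            findings.append("double-extension")
    return findings


def scan_zip_attachment(data):
    """Return (verdict, {member name: findings}) for raw zip bytes."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "quarantine", {"<archive>": ["unreadable"]}
    report = {}
    with archive:
        for info in archive.infolist():
            findings = name_findings(info.filename)
            if info.flag_bits & 0x1:  # member content is password-protected
                findings.append("encrypted")
            if info.filename.lower().endswith(".zip"):
                findings.append("nested-archive")
            if findings:
                report[info.filename] = findings
    seen = {f for member in report.values() for f in member}
    if seen & {"executable", "bidi-control"}:
        return "block", report
    if seen & {"encrypted", "nested-archive"}:
        return "quarantine", report  # content this check cannot look into
    return "deliver", report


def build_zip(names):
    """Build an in-memory zip with placeholder content (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {  # constructed file names, not taken from a real campaign
        "office": ["report.odt", "fonts/readme.txt"],
        "double": ["CBC_Result_A1B2C3.pdf.exe"],
        "bidi": ["Sucker_amdiwn\u202egpj.exe"],
    }
    for label, names in samples.items():
        verdict, report = scan_zip_attachment(build_zip(names))
        print(label, verdict, ascii(report))  # ascii() keeps controls visible
```

Because the check reads member names rather than refusing every zip, ordinary zipped documents pass while the disguised executables are stopped.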

  8. Goldmember

    I had this one

    Sent to one of my publicly accessible accounts a couple of days ago, along with the usual "HMRC Tax Refund", "HSBC Transaction number" and "Please your girl tonight" bollocks. Usually I just laugh at how ridiculous they are, but this one actually stopped me in my tracks. It knocked my faith in humanity down that little bit more. There are some really sick fucks out there.

    I'd like to see the guy(s) who did this caught and punished, but the cynic in me doubts that will happen.

    1. SteveK

      Re: I had this one

      On the subject of ridiculous, I did have one the other day telling me I had to

      "fill attached questionary before May 13259579338080851941308th, 2014"

      I'm guessing that's a very long way in the future, so won't bother to open it now..

      but yes, I agree with your sentiments entirely about the sort of people who prey on those likely to fall for this particular one.

  9. Flugal

    Anybody in the UK with even a vague sense of what is going on around them would be aware that NICE are not a body that gives test results, and has *something* to do with whether a given treatment should be made available on the NHS.

    Then again, I spoke to a customer today, old enough to be married and have a child, who was not even aware of the name Tony Benn, let alone who he was, or that he'd died.

    The people running this scam are evidently scum, but it should not be a surprise that people oblivious to the world around them are more vulnerable.

  10. poopypants

    If I'm at all undecided about it

    I'll read it in Linux running on a virtual machine.

  11. Anonymous Coward

    I've also seen an e-mail which advises me I have been evicted and have 10 days to clear the premises open the attached zip file for details. Probably from the same scumbags. Tell ya what, I invite them to come try, I'm in the gun-mad U S of A, and anyone who tries to evict me from my paid for mobile home better be wearing a bullet-proof vest.

    (They also do "you are summoned to court, open the attached file for details".)

    I want their GPS coordinates so we can send in the drones and do it as a public service.

  12. The Godfather
    Mushroom

    Sick people..

    Got one of these myself but realised straight away it was spam...trouble is, others may not have. Nasty way to approach this and if I find out who did it, I'll gladly castrate them

  13. Anonymous Coward

    Haven't seen an NSA/GCHQ angle mentioned yet

    If I was running say a shadowy n-eyes type organisation, which say had recently received some quite bad press for hoovering up vast amounts of data, then I might do something like this:

    Devote a vanishingly small part of my operational capability (and budget) to tracking down the perpetrators of things like this and pass on details to the relevant civil authorities such as the police for arrest and charging. The results would be published widely and eventually attributed to my (shadowy etc etc) organisation.

    It would be useful training for new recruits in my cyber division and be unlikely to reveal any funky operational capability to my opos in other (shadowy etc etc) organisations. Mr Snowden has already done quite a lot of that - the real me rather than the shadowy me is grateful for that by the way.

    Instead of blustering about how law abiding my (shadowy etc etc) organisation really is - honest, I personally would be going on a charm offensive, if I was half as clever as I am supposed to be, I'd do a bloody good job of it as well ...

  14. Anonymous Coward
    Joke

    "Sir Andrew Dillon, Nice chief executive"

    Bullshit. There's no such thing as a nice chief executive.

  15. Steve Davies 3 Silver badge
    Mushroom

    I got one of these yesterday

    They couldn't spell 'White' as in White Cells.

    As someone who has Blood Cancer (Hairy Cell, nearly 5 yrs in remission) I find this scam just about as low as it is possible to go.

    Can someone please find the lot responsible for this and exterminate them from the face of the planet?

  16. Lapun Mankimasta

    Why oh why can't they try something amusing, like an email telling people "Dear London Resident, Your blood tests show you are susceptible to getting incredibly hairy, howling at the moon and biting strangers, friends and family at the full moon. Please donate all your money to us so we can find a cure ASAP"

  17. Joe Drunk

    Is this a UK thing?

    Because here in the US you can't get medical test results of ANY kind over email or phone - you have to go directly to the physician that ordered the test(s) (and subsequently pay another consultation fee as this counts as a doctor's visit, grrrrr.) just to get results.

    1. mark 63 Silver badge

      Re: Is this a UK thing?

      Damn, how you supposed to trust doctors who are fkin you over like that?

      not sure on the uk rules, hence the phishing would work

      I do know that if you have to go back it'd be cheaper than the US!

      1. monkeyfish

        Re: Is this a UK thing?

        No, they do not email you your test results in the UK. Banks don't ask you to click a link and verify your account details either, but that doesn't stop people falling for it.

  18. Anonymous Coward

    Wait... There actually is such a thing as "National Institute for Health and Care Excellence"?

    My first reaction was that the name of the institution should be a clear giveaway, as it couldn't possibly be a real name. It sounds like something a nigeria scammer dreamt up while drunk.

    (I'm not from the UK, btw)

    1. mark 63 Silver badge

      "National Institute for Health and Care Excellence"?

      "National Institute for Health and Care Excellence"?

      No, that's something a manager would dream up, and therefore entirely possible. My last job had 3 or 4 "centres of excellence", nee "departments"

  19. simlb
    Thumb Up

    Subtle, very subtle

    I like the way this comment section currently has a sidebar advert featuring a picture of Pele, who just happened to be in advertorials for testicular cancer in the UK.

    I'm impressed.

  20. PassiveSmoking

    (AOL voice): You've got cancer!

  21. Don Quioxte

    "Email spammers. You will never find a more wretched hive of scum and villainy."
