Lancashire Police warn of malware email impersonation scam

Lancashire Police are warning ordinary folk not to open phishing email purporting to be from the plod. Users have apparently been targeted in a "widespread" scam seeking to obtain personal information through a malware attachment. "If you have opened an email or attachment from us and are now experiencing problems with your …

  1. Anonymous Coward

    No email records

    Tweeted about this yesterday when they started to come through. They don't have any SPF etc. records for their domain, thus anyone can send an email pretending to be from them. Some basic DNS records will fix most of this. Also, the realm has a 'typo' in it for the, I think, notify. It was .au instead of .uk.

    1. Dadmin
      Facepalm

      Re: No email records

      If you did tweet it, you're nicked, mate. Now we know a subset of tweety handles that are you, AC.

      Also, sorry to be late, but I only have this to add:

      What's all this then?!

  2. Anonymous Coward

    I got one of these - as above, no SPF. It was sent from a .ae (I think it was) domain. Attachment was a .doc "invoice" (no, I didn't open it).

    Not sure how turning off their e-mail will help. Fixing the DNS records would be a start...

    1. Kraggy

      Their switching off their e-mail seems to indicate their mail server techs don't understand the concept of spoofing.

      Kind of worrying really.

      1. Anonymous Blowhard

        "Their switching off their e-mail seems to indicate their mail server techs don't understand the concept of spoofing."

        Or more likely, they just get orders from "on high" like:

        "I don't know anything about spoofing, and I don't care, just turn it off!"

        1. Stuart 22

          Or the bounce backs were kinda getting overwhelming until they could put a filter in place?

    2. Allan George Dyer Silver badge
      Facepalm

      An "invoice" from the "police"? The spoofers don't have any respect for the intelligence of their targets!

      (If it was a purchase order, that would be a different matter...)

      1. F0rdPrefect

        An "invoice" from the "police"?

        If you request some forms of disclosure from them then you may get an invoice and if you are expecting one, you may get caught.

        Though the guy I am aware of who did found it an easy clean.

  3. seanj
    Devil

    I like how everyone commenting so far was checking the technical details of the email. I saw an email from 'Lancashire police' with a subject of 'Invoice attached' (or whatever it said) and just deleted it whether it was spam or not...

    1. Anonymous Coward

      Yeh, that's my normal response. I was curious to see how this got through my (very aggressive) spam filter...

  4. Roger Greenwood

    I saw one of these - from an IP address in Jordan. Their website also went down for a while yesterday.

  5. Reality Dysfunction

    I saw 4000 of these (hit our spam manager), all from different compromised servers and workstations.

    1. Anonymous Coward

      Looks like those of us who got it early and pushed it back to the filters helped a bit then ;-)

      1. Reality Dysfunction

        A lot of it was from IPs on the PBL, so they flagged themselves for analysis as Spam.

        Some of the IPs were in a similar Dridex run last week as well.

  6. phil 27

    I reported this via the City of London site on Tuesday, I think; the origin IP of the mail server was in India, no SPF on the domain; I provided full headers and original content.

    It spoofed a genuine police.uk domain; the funny bit was the attachment was a mswrod (spelt like this) filetype, with the usual macro virus payload embedded.

    I only bothered reporting it because they had got most of the detail that normal people would trip up on. And well, spoofing the police is bound to actually get the police interested in sorting it out...

  7. Anonymous Coward

    Fuck whoever does this kind of thing

    About 100 of these got through our FireEye and Proofpoint systems yesterday morning before they started getting blocked. We appeared to be on the first wave, where the attachment was corrupt and basically useless (luckily).

    Still - about 20 users opened it; it beggars belief how supposedly intelligent people who managed to get jobs are still stupid enough to open stuff like this.

    Terrifying to think what their home machines are like....

  8. Stevie Silver badge

    Bah!

    This is a message from Ilkley Moor Police Station.

    By 'eck your computer is causing a problem. Your Vindows is breaking the internet doncha know old fruit.

    Also: click here to see naked Britney Spears.

    1. Rol Silver badge

      Re: Bah!

      This is a message from Pendle Hill Police station, Lancashire!!!!

      Hubble, bubble, toil n truble ut mill.

      Click here to remove t' spell frum yer tinternet.

      Also; click ere t see neked ferrets

      TFTFY

      1. Stevie Silver badge

        Re: Bah!

        How thee can tek out the Bombay accent and say "fixed that" is beyond me, yer gert possit.

        1. Rol Silver badge

          Re: Bah!

          Looks like I'll be going t fut ov r stairs and bellowing my sincerest apologies Stevie

  9. VinceH Silver badge

    I received one - but it was forwarded to me by a client, so came from a whitelisted address. They thought it was suspicious, so sent it to me to confirm (but didn't mention that when they forwarded it - only after I rang them to ask why they'd sent it).

    Good job I'm careful!

  10. Eclectic Man

    Me too

    I noticed this suspicious e-mail in my junk folder (who the heck in the police is sending me an invoice???). So passed it onto our IT security team. Within about 15 minutes an alert had been sent out to every internal recipient warning us not to open it, and later another one with more details and saying our A-V has been upgraded to clean it out.

    I even got a thank-you note :o)

  11. phil dude
    Pint

    Thank you Bayesian inference....

    I am happy that one of the junk filters found it, but a quick look at the header revealed.....->lancashire.pnn.police.au

    Icon, well, obviously...

    P.

  12. Anonymous Coward

    and don't open your door when they knock

    as to those funny-looking dressed-up comedians on the street, just shrug off their polite requests and carry on walking (oh, sorry, guv, uhm, officer, I thought you're a spoof!)

  13. Alan J. Wylie Silver badge

    United Utilities too

    Dridex spam, bouncebacks seem to have taken their mail servers down.

    $ dig +short +noshort -t mx uuplc.co.uk

    uuplc.co.uk. 222 IN MX 20 gateway4.uuplc.co.uk.

    uuplc.co.uk. 222 IN MX 10 gateway3.uuplc.co.uk.

    port 25 times out.

    No SPF record

    $ dig +short +noshort -t txt uuplc.co.uk

    uuplc.co.uk. 289 IN TXT "MS=ms96754945"

    just like lancashire police

    $ dig +short +noshort -t txt lancashire.pnn.police.uk

    $
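The dig checks in this post (and the "no SPF" point made earlier in the thread) turned into a small offline classifier. This is an added example, not code from the thread or from The Register; the record sets are constructed to mirror the quoted dig output, and the domain names, IP range and mailbox in the "good" records are placeholders.

```python
# Added example: classify a domain's SPF/DMARC posture from its TXT records,
# i.e. the check the commenters did by hand with dig. Record sets are
# constructed (not live lookups) so the script runs offline.
import re

def find_spf(txt_records):
    """Return the domain's SPF record, 'MULTIPLE' if more than one, or None."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) > 1:
        return "MULTIPLE"      # RFC 7208: two records is a permerror, SPF is void
    return spf[0] if spf else None

def spf_posture(txt_records):
    """One of 'none', 'invalid', 'permissive', 'softfail', 'hardfail'.
    Simplification (assumption): redirect= modifiers are not followed."""
    spf = find_spf(txt_records)
    if spf is None:
        return "none"          # anyone can send mail claiming this domain
    if spf == "MULTIPLE":
        return "invalid"
    terms = spf.split()[1:]    # drop the 'v=spf1' version tag
    all_terms = [t for t in terms if re.fullmatch(r"[-~?+]?all", t, re.I)]
    if not all_terms:
        return "permissive"    # no 'all' mechanism: implicit neutral, nothing rejected
    q = all_terms[-1][0] if all_terms[-1][0] in "-~?+" else "+"
    return {"-": "hardfail", "~": "softfail", "?": "permissive", "+": "permissive"}[q]

def dmarc_policy(dmarc_txt_records):
    """Return the p= policy from a _dmarc TXT record, or 'none' if absent."""
    for r in dmarc_txt_records:
        if r.lower().startswith("v=dmarc1"):
            tags = dict(kv.strip().split("=", 1) for kv in r.split(";") if "=" in kv)
            return tags.get("p", "none").strip().lower()
    return "none"

def spoofable(txt_records, dmarc_txt_records):
    """True when neither SPF nor DMARC gives a receiver grounds to reject a forged From."""
    weak_spf = spf_posture(txt_records) in ("none", "invalid", "permissive")
    return weak_spf and dmarc_policy(dmarc_txt_records) not in ("quarantine", "reject")

# Constructed record sets modelled on the thread's dig output (not live data).
UUPLC_TXT = ["MS=ms96754945"]                     # verification token only, no SPF
LANCS_TXT = []                                    # empty TXT set, as the dig showed
GOOD_TXT = ["v=spf1 mx ip4:192.0.2.0/24 -all"]    # placeholder IPs (RFC 5737 range)
GOOD_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]  # placeholder

if __name__ == "__main__":
    for name, txt in [("uuplc.co.uk", UUPLC_TXT), ("lancashire.pnn.police.uk", LANCS_TXT)]:
        print(name, "SPF:", spf_posture(txt), "spoofable:", spoofable(txt, []))
```

To run it against a real domain, feed it the strings from `dig +short -t txt <domain>` and `dig +short -t txt _dmarc.<domain>`.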

  14. Pen-y-gors Silver badge

    Real plods?

    Given the general level of IT awareness and security shown by our wonderful plods, I'd assume that any e-mail that really came from your 'friendly' local peeler was still quite likely to be infected anyway.

  15. Mark 85 Silver badge

    Is it just affecting those around Lancashire?

    If so, that would mean it's highly targeted, I would think. I kind of doubt the local plod has a file of all the locals' email addys. Makes me wonder where/how the miscreants got such a geographically targeted mailing list.

  16. Ilmarinen
    Holmes

    friendly???

    "...emails purporting to be from your local friendly bobby"

    As ours are neither friendly nor local that would be a major clue that the email was a scam.

  17. x 7 Silver badge

    I live in Lancashire and haven't seen any spam. There again, it's rare to see a policeman in Lancashire. Not surprising really - where does spam come from???

  18. Winkypop Silver badge

    Interesting

    Yesterday I received a Word attachment via email from a "bigpond.net.au" network printer.

    Me no clicky.

    All gone!

Biting the hand that feeds IT © 1998–2019