BT Phishing Attack

A few weeks ago I checked my web-based email in case BT had dumped anything important in my Spam Box, which they occasionally do, perhaps because the sender used an inappropriate word? I noticed for the umpteenth time a notification to view my BT bill. In fact there were 12 notifications, all dated the 17th June 2016. As BT would surely not dump their own messages in the Spam Box I'd long since guessed they were genuine spam, but today I hovered over a link or two to see where I'd be directed if I clicked on a link. The emails used the same content as a proper BT message... the same pictures and the same link addresses, but the links actually pointed to an Indian web page.

I checked the website and discovered it was probably operated by a real company whose website password must have been compromised. What happens is this... you discover a password used to get into the edit feature of a website, perhaps divulged by a disgruntled or impoverished employee, and you can add extra pages. These pages are not linked to the original website but operate as an independent collection of pages structured just like a section of a site such as that run by BT. The content will appear to be the genuine BT website, but of course the underlying code will be designed to capture user names and passwords. A request to log in and view your latest BT bill, if answered by an unsuspecting BT customer, will result in the user giving the phisher his password.
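The hover check described above (the visible link says one site, the underlying href goes to another) is the detection worth automating. The following is an added example, not code from the original post: it parses a raw email, extracts each anchor, and flags links whose displayed URL disagrees with their real target, plus any link leaving the sender's domain. The sample message and every domain in it are constructed placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample in the style of the bill notifications described above.
# Every address and domain here is a placeholder, not a real site.
SAMPLE_EML = """From: BT Billing <billing@bt.example>
Subject: Your BT bill is ready to view
Content-Type: text/html; charset=utf-8

<html><body><p>Your latest bill is ready.</p>
<a href="http://hacked-shop.example/bt/login.php">https://www.bt.example/mybt/bill</a>
<a href="https://www.bt.example/help">Help</a>
<a href="http://hacked-shop.example/bt/login.php">View my bill</a>
</body></html>
"""

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def base_domain(host):
    # Crude last-two-labels comparison (assumption: no public-suffix list needed here)
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def shown_host(text):
    """Hostname the visible link text claims, or None if the text is not URL-like."""
    if not re.match(r"^(https?://|www\.)", text, re.I):
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname

def suspicious_links(raw):
    """Return (reason, visible text, href) for links that do not go where they appear to."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = base_domain(msg["From"].addresses[0].domain)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    findings = []
    for href, text in ANCHOR.findall(html):   # regex anchor scan; fine for a demo, not a full parser
        text = re.sub(r"<[^>]+>|\s+", " ", text).strip()
        target = base_domain(urlparse(href).hostname)
        claimed = base_domain(shown_host(text))
        if claimed and claimed != target:     # the hover check: text says one site, href another
            findings.append(("text/href mismatch", text, href))
        elif target != sender:                # link leaves the sender's domain
            findings.append(("off-domain link", text, href))
    return findings

if __name__ == "__main__":
    for reason, text, href in suspicious_links(SAMPLE_EML):
        print(f"{reason}: '{text}' -> {href}")
```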

Once the phisher is in possession of a password he can log into the customer's email, change their password and possibly look in their emails for further passwords and other sensitive information. A ruse recently employed by phishers was to communicate with Tesco pretending to be a customer using a BT email address, and steal coupons sometimes worth many hundreds of pounds. This is done by opening a new "free" email account and password and switching from the BT email address by changing the unsuspecting Tesco customer's account details. This is easily spotted because the customer can no longer log in but, sadly by then, their coupons will have disappeared.

Read on... the plot thickens... as well as the dozen emails parked in the Spam Box I also discovered some 39 strange emails in my Sent Box. All were dated 17th June 2016 and were clearly related to the dozen in the Spam Box because their content was exactly the same.

Why were 39 BT emails in my Sent Box? The answer became clear when I opened one and looked in its header. First, the address line was blank, which was odd, but odder still was the copy address. The email had been sent to not one copy addressee but to 50. There was a list of 50 BT email addresses and none were familiar to me, so they had not originated in my list of contacts. I opened the second of the 39 "sent" emails and lo and behold, another 50 BT email addresses, all different to the first 50. Opening the other 37 remaining "sent" emails produced 50 new addressees for each. A grand total of 39 x 50 = 1,950.

What does all this mean? At first sight it looks like the phisher not only was keen to pinch my BT password, but the passwords of a further 1,950 BT customers, and had the cheek to use my BT account to do his dirty work... I nearly said "my computer", but the rogue emails had been sent by the BT server, not from my computer.

Someone clearly must possess a list of BT customers. Probably such a list could be gathered from a search of the Internet, but a much easier way would be via a rogue BT employee. A clue is the website that was hosting the BT look-alike pages. This is in India, in which country reside lots of BT call centre employees.

I've taken the trouble to let BT know all the details and offered to give them a list of their 1,950 potentially compromised customers. I've received a machine-generated response, but let's see if they respond properly. I checked the hosting website and see that the rogue pages have been removed, so either the company owning the website, or its contractor, has seen the invasion and taken appropriate steps.