Buy

Books
Click images for more details

Support

 

Twitter
Recent comments
Recent posts
Currently discussing
Links

A few sites I've stumbled across recently....

Powered by Squarespace
« A difference of opinion | Main | The Veolia affair - who knew? »
Thursday
Dec122013

Targeted?

I got an email today. It purported to come from dragonslayer John O'Sullivan, although a cursory look suggested that it was spam; the title was "hey" and the content consisted only of two links to websites, apparently something to do with architecture in France. I deleted the message.

A few hours later, however, David Holland got in touch to say that he'd also received a copy, and pointed out something odd about the message: the list of addresses was, apart from the two of us, as follows: Arthur B Robinson (of Oregon Petition fame), John Roscam of Australia's Institute of Public Affairs, BH regular Don Keiller and Peter Gill, who is also fairly well known in sceptic circles.

Are we being targeted?

PrintView Printer Friendly Version

Reader Comments (24)

Usually it means that the sender's mail account has been compromised and a spambot is sending rubbish to everyone in their address list..

Dec 12, 2013 at 12:52 PM | Unregistered CommenterFarleyR

The mail was not from O'Sullivan - it was an email address made to look like his. Also, those names in the post were the only people on the email "to:" field. It doesn't look like a standard virus hijack.

Dec 12, 2013 at 12:59 PM | Registered CommenterBishop Hill

I note that the Icecap site has been hacked recently. Maybe someone is up to something on skeptical sites

Dec 12, 2013 at 1:24 PM | Unregistered CommenterDavid Whitehead

Did any malware arrive by clicking on the links? Not that you'd necessarily know ...

Dec 12, 2013 at 1:28 PM | Registered CommenterRichard Drake

attempted hack possibly, bet one of the links was not going where it purported to be going.

Dec 12, 2013 at 1:32 PM | Unregistered CommenterJaceF

>The mail was not from O'Sullivan - it was an email address made to look like his. Also, those name in the post were the only people on the email "to:" field

That still sounds like a virus to me. Changing the email address around is something they do.

Dec 12, 2013 at 1:53 PM | Unregistered CommenterAnon

John O'Sullivan has confirmed that he did not send it, but I was already sure it was not from him. I have saved the file that loads from the link if anyone wants to do some sleuthing and could forward it with the original email. Its name, different from the link, is

xgreencoffee-fastfatburn_com.html

Onlinelinkscan and AVG say its OK but I am running Sophos now on the M/C that I ran it, to very sure. I think it is just an irritant locking you out of the browser but still leaving the task manager accessible to kill it. For those even less savvy than me it would be a real pain.

Somehow I suspect there is a clue in the greencoffee bit!

Dec 12, 2013 at 2:01 PM | Unregistered CommenterDavid Holland

Could be targeting but if so it's inept, which doesn't rule it out. "Normally" it'd be all sent to recipients via bcc so the "to" line wouldn't show the other recipients.

Dec 12, 2013 at 2:07 PM | Unregistered CommenterLurker

Lurker,

I think it clearly targeted and intended to have a number of known skeptics moaning at JO. I just do not believe a spambot with millions of addresses to randomly choose from would pick only five skeptics. (Off out for afternoon now)

Dec 12, 2013 at 2:34 PM | Unregistered CommenterDavid Holland

This will appear in the next paper by that professor of conspiracy theories and that cartoonist bloke from Oz. I'm 97% sure of it.

Dec 12, 2013 at 4:31 PM | Unregistered CommenterMorph

I agree with BH, it's targetted. It's not difficult to spoof the From address. (but harder to do that with the routing data that's accessible with the right tools)

Dec 12, 2013 at 4:32 PM | Unregistered CommenterVftS

I have found that submitting the email to spamcopDOTnet can be helpful in finding the true source.

Dec 12, 2013 at 4:38 PM | Unregistered CommenterIan

Someone who has all your email addresses held on their machine has had his system compromised. The 'From:' address in an email is NOT a reliable field - you can put anything you like in it. So the message probably hasn't actually come from who it says it has...

There's a common technique in dodgy software - read the address-book of a system's email application, and then send emails to all the addresses, purporting to come from one (or more) other addresses on the list.

People are more likely to click on a message if it apparently comes from someone they know, and if two people are in one address book, chances are that they know each other. You might use this trick just to get clicks on web pages to increase advertising revenue, or for something more sinister...

Dec 12, 2013 at 4:53 PM | Unregistered CommenterDodgy Geezer

I have received a couple of these in the last few days. The sender's name appears to be someone you know but revealing the actual email address, it is from an unknown. The links are to different weirdo sites judging from the urls (i didn't click on them). I think this is not serious nor targeted (as I am a nobody who doesn't' comment anywhere except once in a blu soon) but one of those bots who try combos until they work and I would be bet that the links are to viagra adverts. I just deleted the emails, and sent the purported senders an email telling them to change their passwords.

Dec 12, 2013 at 5:12 PM | Unregistered Commenterconiston

Someone hacked his email and sent an email to a selection of people in his address book. In fact his account might not have been compromised by "someone" as there are bots out there that do this. It might not have even been his account that was compromised it could have been a common 3rd party. Who knows.

This has happened to me before (password was too weak - never again!).

Dec 12, 2013 at 5:23 PM | Unregistered CommenterRobinson

Not a Yahoo email account or associated account by any chance?
I got a "hey" email with coffee links from one of my own secondary email addresses a couple of weeks ago.
This was from a Telecom NZ ... @xtra.co.nz account - but the web based version is driven by Yahoo.
It had my usual email address in its address book.
Telecom NZ advertised this problem and advised password changes.

Dec 12, 2013 at 6:25 PM | Unregistered CommenterRob

I don't think it's an address book that has been compromised - only those names? All with sceptical views? From a "greencoffee"? No, this is deliberate, but it might be more to irritate.

To me, "green-coffee" is saying, "hey, this is a wake up call from the greens" and the "fast-fat-burn" means they might want to burn you/melt you or get rid of what they see as sceptical excess.

The whole message is green. Sure I could be wrong, maybe a bot picked up a reference to "green" and is advertising genuine green coffee... But to only to those names? I don't think so. Someone is having fun with words and hiding the message in them. Clearly do not trust the links.

Now I'm off for my cup of coffee - it's 6:00 a.m. here in Australia and I'm not awake yet.

Dec 12, 2013 at 6:58 PM | Unregistered CommenterA.D. Everard

It could happen to anyone. Unlikely to be targeted.

Dec 12, 2013 at 7:50 PM | Unregistered Commenterkellydown

I find www.virustotal.com is useful - scans either files or URLs using 40 or so different antivirus programs.

Dec 13, 2013 at 12:00 AM | Unregistered CommenterHK

kellydown,

Unlikely to be targeted? Lets see.

I am a bit disorganised and do not full categorise all my email contacts, but since using gmail two years ago I have amassed 255 contacts. I have just trawled through and eyeballed 31 who like the Bish and I have had a bit of exposure as sceptics. Counting the sender, the 'greencoffee' email included seven sceptic names. By my calculations the odds of randomly picking seven sceptics are over 4.8 million to one.

If the numbers were just 100 contacts and 50 sceptics the odds would still be over 160 to 1

Dec 13, 2013 at 11:07 AM | Unregistered CommenterDavid Holland

I don't know - I found a couple of mails promoting green coffee-based products when I searched my spam log. And it's supposed to "burn fat".

Dec 13, 2013 at 12:35 PM | Unregistered CommenterEspen

Wouldn't surprise me if the purpose of the emails was to get you to click on a link, which would then install spyware on your computer. Which means that whoever did it could then read all your emails, inbox and outbox, and perhaps engineer an incriminating email supposedly coming from you, which would become a bit of a cause celebre at the Guardian and its ilk. Personally, Bish, I would make absolutely sure you don't have spyware on your computer right now, and I would email all the other recipients to ask them to clean up their computers as well.

Think Peter Glieck.

Dec 13, 2013 at 3:09 PM | Unregistered CommenterJohn

Espen,

What you say does not mean that the email that I received was not targeted. Almost certainly, I am not the only one to get an email with the link to the 'greencoffee' advert url. Anyone getting it could forward it. I forwarded it to JO to ask if he was aware. Spoofing the senders email address used to be very simple. It is bit more difficult now. See:http://en.wikipedia.org/wiki/Email_spoofing. The Link still works, despite my advising the web site that is hosting it.

John,

Yes, I thought Glieck. I don't know how much time it needed but I shut the M/C down quickly AVG and Sophos did not find any malware.

Dec 13, 2013 at 5:56 PM | Unregistered CommenterDavid Holland

IP address 142.4.206.25.

On the same ASN are such delights as "daddy and daughter ****"
this can end up on the mugs browsing history, and their IP is logged on the spoof server, and an anon grassup follows.

Perv Plod kick their door in, take their computer....etc.

Targeted, I think.

Dec 14, 2013 at 11:46 AM | Unregistered CommenterRightwinggit

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>