June 11, 2018
Luno Wallet Phishing
I'm not a blockchain guy, so the email claiming to come from Luno Wallet asking me to verify my account was an immediate alarm to something sneaky. Here is the full text of the message:
Subject: Verify Wallet
Welcome to Luno
We have recently detected so many fraudulent SIGNUP on our website, we are hereby informing all Legit Luno users to immediately Validate their wallet by downloading attached Luno Validation form and verify your account is not a fraudulent Wallet.
The attachment was an HTML file, whose source code let me see what they're up to without even having to load the page (always a risky thing to do without prior inspection). The core portion of the form included fields for your email address, your email account password (!), your Luno password, and your phone number. The destination of the form submission was to a domain created last month, but whose identity is privacy blocked.
Those four little fields contain a ton of personal information that should never be in the hands of crooks. Besides, no third party ever has the need for your email account password. Giving that up means others have access not only to your sending server but, for IMAP-style accounts, also to your entire server-stored archive. Blackmail, anyone?
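The kind of source-only inspection described above can be scripted. The following is an added example, not code from the original post: it parses an HTML attachment as text, without rendering it, and reports where each form submits and which fields it collects. The sample markup, field names and the `collector.example` host are constructed placeholders, not values from the real message.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample standing in for the attachment; the host and field names
# are placeholders, not taken from the real message.
SAMPLE = """<html><body>
<form method="post" action="http://collector.example/verify.php">
  <input type="text" name="email">
  <input type="password" name="email_password">
  <input type="password" name="luno_password">
  <input type="text" name="phone">
</form></body></html>"""

class FormAudit(HTMLParser):
    """Collect each form's action, method and fields; nothing is rendered or fetched."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", ""),
                               "method": a.get("method", "get").lower(),
                               "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms:
            self.forms[-1]["fields"].append(
                (a.get("name", ""), a.get("type", "text").lower()))

def audit(html_text):
    """Return (forms, findings) for the given HTML source."""
    parser = FormAudit()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        url = urlparse(form["action"])
        if url.netloc:  # absolute URL: a locally opened file would post off-machine
            findings.append(f"form posts to remote host {url.hostname}")
        if url.scheme == "http":
            findings.append("form submits over plain HTTP")
        pw = [name for name, kind in form["fields"] if kind == "password"]
        if len(pw) > 1:  # e.g. an email password alongside the service password
            findings.append("asks for more than one password")
    return parser.forms, findings

if __name__ == "__main__":
    forms, findings = audit(SAMPLE)
    print(forms[0]["fields"])
    print("\n".join(findings))
```

To use it on a real attachment, save the file to disk and pass its contents to `audit()` instead of `SAMPLE`.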
Account verification scams are the leading phishing technique and have been used for more than two decades. If you ever receive an email asking to verify one of your accounts, ignore the email, log in to your account via a previously-saved bookmark, and see if the account needs attention. 99.99% of the time, you'll be in the clear without doing a thing.
Posted on June 11, 2018 at 09:33 AM