

June 11, 2018

Luno Wallet Phishing

I'm not a blockchain guy, so the email claiming to come from Luno Wallet asking me to verify my account was an immediate alarm to something sneaky. Here is the full text of the message:

From: Luno
Subject: Verify Wallet

Welcome to Luno

We have recently detected so many fraudulent SIGNUP on our website, we are hereby informing all Legit Luno users to immediately Validate their wallet by downloading attached Luno Validation form and verify your account is not a fraudulent Wallet.

Thank You
Team Luno

The attachment was an HTML file, whose source code let me see what they're up to without even having to load the page (always a risky thing to do without prior inspection). The core portion of the form included fields for your email address, your email account password (!), your Luno password, and your phone number. The destination of the form submission was a domain that was created last month but whose identity is privacy blocked.
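The same source-only inspection can be scripted. The following is an added example, not code from the original post: it parses an HTML attachment as text and reports each form's submission host and the fields it requests. The sample markup, field names, and `collector.example.invalid` host are constructed placeholders, and `FormAudit` and `audit` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample standing in for the attachment; host and field names are placeholders.
SAMPLE = """<html><body>
<form method="post" action="https://collector.example.invalid/save.php">
  <input type="email" name="email">
  <input type="password" name="email_pass">
  <input type="password" name="wallet_pass">
  <input type="tel" name="phone">
  <input type="submit" value="Validate">
</form></body></html>"""

class FormAudit(HTMLParser):
    """Collects each form's submission target and the inputs it asks for."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", ""),
                               "method": a.get("method", "get").lower(),
                               "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms:
            kind = a.get("type", "text").lower() if tag == "input" else tag
            if kind not in ("submit", "button", "image", "reset"):
                self.forms[-1]["fields"].append((a.get("name", ""), kind))

def audit(html_text):
    """Parse the text only: nothing is rendered, no script runs, no request is made."""
    parser = FormAudit()
    parser.feed(html_text)
    report = []
    for form in parser.forms:
        host = urlparse(form["action"]).hostname
        passwords = [n for n, k in form["fields"] if k == "password"]
        report.append({"host": host, "method": form["method"],
                       "fields": form["fields"], "password_fields": passwords,
                       # A local file posting passwords to a remote host is the red flag.
                       "suspicious": bool(host) and bool(passwords)})
    return report

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print(entry)
```

Forms assembled by script at load time will not show up in this static pass, so an empty report does not mean the attachment is harmless.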

Those four little fields contain a ton of personal information that should never be in the hands of crooks. Besides, no third party ever has the need for your email account password. Giving that up means others have access not only to your sending server but, for IMAP-style accounts, also to your entire server-stored archive. Blackmail, anyone?

Account verification scams are the leading phishing techniques, used for more than two decades. If you ever receive an email asking to verify one of your accounts, ignore the email, log in to your account via a previously-saved bookmark, and see if the account needs attention. 99.99% of the time, you'll be in the clear without doing a thing.

Posted on June 11, 2018 at 09:33 AM