Following on from my previous post about the BBC being imitated to perform a bitcoin scam, we were asked to look at another email today that was uploaded via our submissions system. This is slightly more alarming than the previous one. The email is personally addressed with correct details. It looks like the school in question actually has been compromised and is sending the emails out from their email system. As far as I can ascertain, the recipient does have a relationship with the school, so it is extremely likely that all parents or guardians of this school’s pupils will have received a similarly personalised email addressed to them as well.
The email they received looks like this (I have obscured the recipient’s details and the pupil’s name for privacy reasons in the screenshot & the header info).
The email headers do show that this email does appear to originate from the school and has all the correct authentication, so it will be delivered.
Based on comments below & other messages I have received, I have removed the school’s details from this post. They do know about it & are investigating it.
The link behind the “View Now” button is to http://board.sslmail-49.host/5c5b50d8b83a8860ca058476?mUq4gxU which will redirect you to a fake BBC news site: https://bbc-business.news-uk1.site/landers/bbc-business-news/#forward
The fake BBC site looks identical to the previous example apart from the fake BBC URL, which has changed to https://bbc-business.news-uk1.site/landers/bbc-business-news/#forward and can very easily be mistaken at first for a genuine BBC page until you start to click any links. But this time, to make it harder, you are only allowed 1 click per IP address. After that you stay on the fake BBC page, which just refreshes.
And when you click on any link you get redirected to the bitcoin scam site https://thesecureoffer.com/bitcointraderc/ < loads of numbers and characters that are the affiliate code for the scumbag behind this scam >
The fake BBC site is behind Cloudflare, who hopefully will respond quickly as usual to my reports & set up an immediate interstitial page warning of phishing or scam, so hopefully reducing the number of potential victims for this scam.
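As an added example (not part of the original post): a small link-triage check showing why the links above deserve review even though the message itself passes authentication. The sender domain `school.example`, the list of genuine BBC domains, the `triage` helper and the two benign sample URLs are assumptions made for illustration; the other two URLs are the ones quoted in the post.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the impersonated brand really uses.
BRAND_DOMAINS = {"bbc": ("bbc.co.uk", "bbc.com")}


def within(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def triage(url, sender_domain):
    """Return sorted reasons why a link in an authenticated email needs review.

    Passing SPF/DKIM/DMARC only proves the mail left the sender's system;
    a compromised mailbox still passes, so the links are judged separately.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = set()
    if parts.scheme != "https":
        reasons.add("not-https")
    if not within(host, sender_domain):
        # Not proof of abuse on its own, but worth a second look.
        reasons.add("outside-sender-domain")
    # Split on dots and hyphens so "bbc-business" yields the token "bbc".
    tokens = set(re.split(r"[.\-]", host))
    for brand, domains in BRAND_DOMAINS.items():
        if brand in tokens and not any(within(host, d) for d in domains):
            reasons.add("brand-lookalike:" + brand)
    return sorted(reasons)


SENDER_DOMAIN = "school.example"  # constructed placeholder for the school
SAMPLES = [
    "http://board.sslmail-49.host/5c5b50d8b83a8860ca058476?mUq4gxU",  # from the post
    "https://bbc-business.news-uk1.site/landers/bbc-business-news/#forward",  # from the post
    "https://www.bbc.co.uk/news/business",       # constructed benign sample
    "https://portal.school.example/letters",     # constructed benign sample
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(urlsplit(url).hostname, triage(url, SENDER_DOMAIN))
```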