Chiltern Seeds have been hacked, customer details have been compromised. That means STOLEN. Used in Spear-Phishing attacks
This scam pretending to come from Chiltern Seeds telling you that you have won a hamper and you only need to pay post & packing is extremely worrying. All the details in the email and when you click through to the scam website are 100% correct. My full Name, Address and Telephone Number and email address. I have been a customer of Chiltern Seeds and have purchased plants and seeds from them. I regularly get catalogues from them.
The only way that this level of customer information can be available to the criminals trying to get money and credit card details from the recipient is for the Chiltern Seeds customer database to be breached. Chiltern obviously know they have been breached but haven’t notified customers. All they did was send an email last week warning about this scam and a bland message with a distinct lack of proper information on their website.
As far as I am concerned, any compromise, theft or leakage of customer details and data is very bad. The warning email last week suggested to me that somebody was spoofing Chiltern Seeds which is common in malware and phishing attacks. At that time there was nothing on their website. The bland warning appeared later.
Until I received the actual spoof, phishing scam email, I had absolutely no way of knowing that any of my customer information or data had been compromised, stolen or leaked.
I personally wouldn’t have been worried, if it was just my email address and possibly my name. But to have my Full Name, Full Address, Email Address and Telephone Number all stolen from this companies database, linked together and used in this spear phishing campaign is totally unacceptable. Chiltern Seeds must have known what data was stolen and should have informed affected customers. They should have put a proper warning on the website, saying that all personal details including Name, Address, Email Address and Phone Number was stolen, not just “payments on our website are 100% secure and that we do NOT hold any payment information on our website or server”
We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
The scam email looks like:
From: Chiltern Seeds <firstname.lastname@example.org>
Date: Sun 05/03/2017 19:12
Subject: Chiltern Seeds – Delivery Confirmation
Dear Mr Derek [redacted] Thank you for shopping with us. We have 10 special gifts for our valued customers… and you get one of them! We give this hamper “A special love” to you absolutely free! You pay only for delivery
Please check your shipping address and complete the delivery HERE
Hamper Contents Medium Hamper (460 x 310 x 195mm) The Chocolate Tree – Raspberry (70g) Sarah Gray’s Straw & Champ Jam (300g) Nevis Bakery Dundee Cake (360g) Cairnsmhor Raspberry Oat Crunch (150g) Bollinger Rose Champagne (750ml 12% vol) Delivery Address [Redacted] [Redacted] [Redacted] [Redacted]
Item Cost Goods £ 122.49FREE Postage: Standard UK £ 6.49 VAT Included where appropriate Total £ 6.49
|188.8.131.52||host.genesis4100.net||Andover||Massachusetts||US||AS11022 Alabanza, Inc.|
Received: from host.genesis4100.net ([184.108.40.206]:54932)
by knight.knighthosting.co.uk with esmtp (Exim 4.88)
for derek@[redacted]; Sun, 05 Mar 2017 19:12:12 +0000
Received: (from www@localhost)
by host.genesis4100.net (8.14.3/8.12.10) id v25JCD1t006461;
Sun, 5 Mar 2017 14:12:13 -0500
Date: Sun, 5 Mar 2017 14:12:13 -0500
To: derek@[redacted] Subject: Chiltern Seeds – Delivery Confirmation
Content-type: text/html; charset=iso-8859-1
To: Mr Derek [redacted] <derek@[redacted]>
From: Chiltern Seeds <email@example.com>
The link in the email goes to http://truenorthknives.com/vcom/chilternseeds.co.uk/index.php?ZGVyZtAb25lapZ2h0LmvLnVr where you see a website looking like this with all the victims details already filled in, just waiting for you to enter the credit card details. ( split into 2 screenshots)
I have edited the base64 part of the website url so that it will not display my details if followed. I really don’t want my Full name, address and phone number public for everybody to see and get even more unwanted phone calls. I did for a short while leave the full base64 link but have removed it after several phone calls and emails.
If any genuine researchers or Law enforcement personnel want the full link to see the details for themselves or pursue action, please email me firstname.lastname@example.org
I am not completely sure how they have managed to link my ( and other victims) full details to the phishing website. The random looking characters after the index.php? in the url is a base64 encoded version of my email address. In all previous cases I have seen this used, all that happens is the email address gets inserted into the web page. Normally I can substitute that with a “fake” email address like “email@example.com” in base64 format. But in this case they somehow insert all my full personal details as well. If I try to use a “fake” email address in base64, I get a blank page I can only assume that somehow the phishers have uploaded a copy of the stolen Chiltern Seeds database or somehow link to the database as a check. If the 2 sets of details don’t match then you get nothing. That really is spear phishing. That is extremely complicated to do and is normally reserved for “serious” cases like gaining information from a politician or CEO or other valuable service, not customers of a small company, where the benefits and returns to the criminals frankly don’t justify the work or the risks involved.
What makes this much worse is the fact that Chiltern Seeds must have known their customer’s data has been compromised. They sent this warning email last week, but no warning saying that their site had been compromised or customer data stolen. When I received the warning email last week, I had not received the scam, phishing “you have won a hamper” email. A google search did not turn up anything about it. Indeed the only hits in Google are this post and the short message on Chiltern Seeds page
If you have received an email purporting to be from Chiltern Seeds telling you that you have won a hamper, please IGNORE THIS AND DELETE THE EMAIL IMMEDIATELY.
This is a spam email and it is NOT from Chiltern Seeds.
Apologies for the inconvenience.
All at Chiltern Seeds
|220.127.116.11||ccm170.constantcontact.com||Waltham||Massachusetts||US||AS40444 Constant Contact, Inc|
If you click through to Chiltern Seeds website, you see this rather bland message
On 27th February we experienced a sophisticated cyber attack on our website. This caused the website to crash and some customers have received unsolicited emails purporting to be from Chiltern Seeds. The attack has been reported to the police and our team have been working through the night.
If you have received an email purporting to be from us telling you that you have won a hamper, please IGNORE THIS AND DELETE THE EMAIL IMMEDIATELY. This is a spam email and it is NOT from us, we would NEVER send emails asking you to click on any link other than to our own website.
Please be reassured that payments on our website are 100% secure and that we do NOT hold any payment information on our website or server. If you are in any doubt, please give us a call on 01491 824675.
We really appreciate your support at this difficult time and hope that you will continue to enjoy the best service and the best seeds, as you have done for the past 40 years.
All the Team at Chiltern Seeds.
No actual warning of customer details being stolen, just that some customers might have received spam emails.
I am going to assume that the criminals have also stolen my password to log into Chiltern Seeds. ( the last time I actually used them was in 2012 ) and I would have paid by PayPal so no financial information could have been stored on their server. I have done a password reset and set a new password.
After some discussion on Twitter between several researchers and Chiltern Seeds, they have accepted the advice and updated their website with much clearer information, allowing a victim to take steps to protect themselves.
In general any company that has been compromised, should alert its customers at the earliest possible opportunity. An email notification is not always the best way because emails can get misdirected and aren’t guaranteed to be delivered. A clear warning on the website, with information about what is believed to have been compromised is always a good response. Customers accept that sites get hacked. We don’t accept trying to hide it or denying that personal information has been stolen. If any doubt about what has been stolen, always err on the worse side and state that everything could have been stolen. When the IT team have done their full forensic investigation, you can then revise the details and say that less was stolen than originally thought ( if that turns out to be the case). Any potential victim should be given the earliest opportunity to take protective measures
Warning: if you are a customer of Chiltern Seeds, All your private & personal information has been compromised. Go to the account page on Chiltern Seeds and change your password, or delete your account. Make sure you have not used the same password anywhere else, otherwise those accounts are also likely to be compromised.
I really wish web designers would set up the password reset properly and send via SMTP mail from a proper email account and not via PHP mail with a distinct lack of easily tracked and verifiable information. It is a trivial fix to make the envelope from: ( the actual sender) to be firstname.lastname@example.org not email@example.com which indicates a hosted server on 1&1 internet
|18.104.22.168||chilternseeds.co.uk||DE||AS8560 1&1 Internet SE|
Received: from [22.214.171.124] (port=57578 helo=s15443754.onlinehome-server.info)
by knight.knighthosting.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
for derek@[redacted]; Sun, 05 Mar 2017 21:01:23 +0000
Received: by s15443754.onlinehome-server.info (Postfix, from userid 502)
id C4DA4AE5; Sun, 5 Mar 2017 21:01:17 +0000 (GMT)
To: derek@[redacted] Subject: Chiltern Seeds Password Request
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 5 Mar 2017 21:01:17 +0000 (GMT)