This scam, pretending to come from Chiltern Seeds and telling you that you have won a hamper for which you only need to pay post and packing, is extremely worrying. All the details in the email, and on the scam website you reach when you click through, are 100% correct: my full name, address, telephone number and email address. I have been a customer of Chiltern Seeds, have purchased plants and seeds from them, and regularly receive catalogues from them.

The only way this level of customer information can be available to the criminals trying to get money and credit card details from recipients is if the Chiltern Seeds customer database has been breached. Chiltern obviously know they have been breached but haven’t notified customers. All they did was send an email last week warning about this scam, and post a bland message with a distinct lack of decent information.

The scam email looks like:

From: Chiltern Seeds <[email protected]>

Date: Sun 05/03/2017 19:12

Subject: Chiltern Seeds – Delivery Confirmation

Body content:

Dear Mr Derek [redacted]

Thank you for shopping with us. We have 10 special gifts for our valued customers… and you get one of them! We give this hamper “A special love” to you absolutely free! You pay only for delivery.

Please check your shipping address and complete the delivery HERE

Hamper Contents
Medium Hamper (460 x 310 x 195mm)
The Chocolate Tree – Raspberry (70g)
Sarah Gray’s Straw & Champ Jam (300g)
Nevis Bakery Dundee Cake (360g)
Cairnsmhor Raspberry Oat Crunch (150g)
Bollinger Rose Champagne (750ml 12% vol)

Delivery Address
[Redacted]
[Redacted]
[Redacted]
[Redacted]

Item                  Cost
Goods                 £ 122.49  FREE
Postage: Standard UK  £ 6.49
VAT Included where appropriate
Total                 £ 6.49


Email Headers:

IP              Hostname              City     Region         Country  Organisation
209.239.38.114  host.genesis4100.net  Andover  Massachusetts  US       AS11022 Alabanza, Inc.

Note: only the final IP address outside your own network, as recorded in the Received: fields, can be trusted; the other Received: entries can be spoofed by the sender.

Received: from host.genesis4100.net ([209.239.38.114]:54932)
    by knight.knighthosting.co.uk with esmtp (Exim 4.88)
    (envelope-from <[email protected]>)
    id 1ckbZk-0007gQ-PJ
    for derek@[redacted]; Sun, 05 Mar 2017 19:12:12 +0000
Received: (from www@localhost)
    by host.genesis4100.net (8.14.3/8.12.10) id v25JCD1t006461;
    Sun, 5 Mar 2017 14:12:13 -0500
Date: Sun, 5 Mar 2017 14:12:13 -0500
Message-Id: <[email protected]>
To: derek@[redacted]
Subject: Chiltern Seeds – Delivery Confirmation
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
To: Mr Derek [redacted] <derek@[redacted]>
From: Chiltern Seeds <[email protected]>

The link in the email goes to http://truenorthknives.com/vcom/chilternseeds.co.uk/index.php?ZGVyZWtAb25la25pZ2h0LmNvLnVr where you see a website looking like this, with all the victim’s details already filled in, just waiting for you to enter your credit card details (shown split into two screenshots).

If you are unwise enough to press continue, then you get to the actual payment page, also with all details except the credit card details pre-filled in.

What makes this much worse is the fact that Chiltern Seeds must have known their customers’ data had been compromised. They sent this warning email last week, but with no warning that their site had been compromised or customer data stolen. When I received the warning email last week, I had not yet received the scam, phishing “you have won a hamper” email. A Google search did not turn up anything about it. Indeed, the only hits in Google are this post and the short message on the Chiltern Seeds page. The warning email read:

If you have received an email purporting to be from Chiltern Seeds telling you that you have won a hamper, please IGNORE THIS AND DELETE THE EMAIL IMMEDIATELY.

This is a spam email and it is NOT from Chiltern Seeds.

Apologies for the inconvenience.

All at Chiltern Seeds

IP              Hostname                    City     Region         Country  Organisation
208.75.123.170  ccm170.constantcontact.com  Waltham  Massachusetts  US       AS40444 Constant Contact, Inc
10.252.0.102    Private IP

If you click through to the Chiltern Seeds website, you see this rather bland message:

On 27th February we experienced a sophisticated cyber attack on our website. This caused the website to crash and some customers have received unsolicited emails purporting to be from Chiltern Seeds. The attack has been reported to the police and our team have been working through the night.

If you have received an email purporting to be from us telling you that you have won a hamper, please IGNORE THIS AND DELETE THE EMAIL IMMEDIATELY. This is a spam email and it is NOT from us; we would NEVER send emails asking you to click on any link other than to our own website.

Please be reassured that payments on our website are 100% secure and that we do NOT hold any payment information on our website or server. If you are in any doubt, please give us a call on 01491 824675.

We really appreciate your support at this difficult time and hope that you will continue to enjoy the best service and the best seeds, as you have done for the past 40 years.

All the Team at Chiltern Seeds.

Still no warning of customer details being stolen, just that some customers might have received spam emails.

I am going to assume that the criminals also stole my password for logging in to Chiltern Seeds (the last time I actually used the account was in 2012), and I would have paid by PayPal, so no financial information could have been stored on their server. I have done a password reset and set a new password.

I really wish web designers would set up the password reset properly and send it via SMTP from a proper email account, not via PHP mail() with a distinct lack of easily tracked and verifiable information. It is a trivial fix to set the envelope-from (the actual sender) to [email protected] rather than [email protected], which indicates a hosted server at 1&1 Internet. The headers of the password reset email I received were:

IP              Hostname             City  Region  Country  Organisation
87.106.143.197  chilternseeds.co.uk                DE       AS8560 1&1 Internet SE

Received: from [87.106.143.197] (port=57578 helo=s15443754.onlinehome-server.info)
    by knight.knighthosting.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    (Exim 4.88)
    (envelope-from <[email protected]>)
    id 1ckdHP-0006wS-9o
    for derek@[redacted]; Sun, 05 Mar 2017 21:01:23 +0000
Received: by s15443754.onlinehome-server.info (Postfix, from userid 502)
    id C4DA4AE5; Sun,  5 Mar 2017 21:01:17 +0000 (GMT)
To: derek@[redacted]
Subject: Chiltern Seeds Password Request
X-PHP-Originating-Script: 10000:account.php
From: [email protected]
Content-Type: text/html; charset=iso-8859-1
Message-Id: <[email protected]>
Date: Sun,  5 Mar 2017 21:01:17 +0000 (GMT)
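As an added example (not part of the original post, and not code from Chiltern Seeds), the Python below applies the two header checks made above to constructed samples modelled on the quoted header blocks: it takes the connecting IP only from the Received: line written by your own mail server, compares the envelope-from domain that server logged against the From: header, and flags PHP mail() output via X-PHP-Originating-Script. The email addresses, domains and the `own_mx` name are placeholders.

```python
import re

# Constructed samples modelled on the post's quoted headers; addresses are placeholders.
SCAM = """\
Received: from host.genesis4100.net ([209.239.38.114]:54932)
\tby knight.knighthosting.co.uk with esmtp (Exim 4.88)
\t(envelope-from <www@host.genesis4100.example.invalid>)
Received: (from www@localhost)
\tby host.genesis4100.net (8.14.3/8.12.10) id v25JCD1t006461;
\tSun, 5 Mar 2017 14:12:13 -0500
From: Chiltern Seeds <info@chilternseeds.example.invalid>
"""
RESET = """\
Received: from [87.106.143.197] (port=57578 helo=s15443754.onlinehome-server.info)
\tby knight.knighthosting.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
\t(envelope-from <www-data@s15443754.onlinehome-server.example.invalid>)
Received: by s15443754.onlinehome-server.info (Postfix, from userid 502)
\tid C4DA4AE5; Sun,  5 Mar 2017 21:01:17 +0000 (GMT)
X-PHP-Originating-Script: 10000:account.php
From: info@chilternseeds.example.invalid
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")              # bare address, with or without <>

def unfold(raw):
    """Join RFC 5322 continuation lines (those starting with whitespace) onto their header."""
    out = []
    for line in raw.splitlines():
        if line.startswith((" ", "\t")) and out:
            out[-1] += " " + line.strip()
        elif line.strip():
            out.append(line.rstrip())
    return out

def header(raw, name):
    """All values of one header; Received: values come back newest hop first."""
    pre = name.lower() + ":"
    return [l.split(":", 1)[1].strip() for l in unfold(raw) if l.lower().startswith(pre)]

def review(raw, own_mx):
    """Trust only the hop our own MX wrote: the IP it recorded and the envelope-from it saw."""
    ours = next((h for h in header(raw, "Received")
                 if re.search(r"\bby\s+" + re.escape(own_mx) + r"\b", h)), "")
    ip = IP_RE.search(ours)
    env = re.search(r"envelope-from\s+<([^>]+)>", ours)
    frm = ADDR_RE.search(" ".join(header(raw, "From")))
    env_dom = env.group(1).rsplit("@", 1)[-1].lower() if env else None
    from_dom = frm.group(0).rsplit("@", 1)[-1].lower() if frm else None
    return {"origin_ip": ip.group(1) if ip else None,
            "envelope_domain": env_dom, "from_domain": from_dom,
            "sender_mismatch": env_dom != from_dom,            # envelope vs. displayed sender
            "php_mail": bool(header(raw, "X-PHP-Originating-Script"))}
```

Both samples report a sender mismatch, which is exactly why the genuine password reset, sent via PHP mail() from the hosting account, looks as untrustworthy as the phish.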