Fake Ilford SPAM messages

[Rudeofus]

I just just received two identical email messages, proclaiming to be from Ilford Photo. The message content appears to be some scam involving transfer of funds and goods unrelated to Ilford's immediate business.

Of course these massages did not originate from Ilford, but outside of Ilford and photrio, I can not imagine another entity to draw a direct line between IlfordPhoto and my email address. I've been wondering, whether either Ilford's or photrio's stash of email addresses somehow became became accessible to miscreants.

Has anyone else here received such messages?

 

[Donald Qualls]

Could have come from a hack of any online photo supply vendor you've purchased from (they all get your email address); possibly from other hacked address books as well.

Don't think I've gotten that particular 419 scam version, but I spot and delete those so easily (I've been doing this much longer than the scammers) I might not recall doing so with any particular purported source.

 

[Rudeofus]

Could have come from a hack of any online photo supply vendor you've purchased from (they all get your email address); possibly from other hacked address books as well.

That's pretty much what I am after. as soon as we find a pattern among multiple recipients, we can greatly narrow down the source of this email list, and possibly alert the hacked entity.

Here is the email body for reference:

Hello,

Please I would want you to consider my request. My company wants you as our distributor to import 4 CNC Lathe Machine Kdck-40 from China because we are having difficulties with import from China. This is due to the trade dispute between the US and China.
We are asking you as our distributor / partner to import this machine. It is not an obligation that you must import the 4 machine, you can chose to supply one if you can. It will be easier and cheaper if we can get you as our partner / distributor to handle it outside the US. Your payment will be paid to you before the arrival of the machine to your destination before shipping it to us in the US. Please send your reply so we can discuss further. It is of utmost important you revert back to me. Thank you in anticipation.
Regards
Dr Sarmast
Founder / Director
ILFORD PHOTO
Ilford WayMobberley
Knutsford Cheshire
WA16 7JL

 

[Donald Qualls]

Oh, yeah. Three red flags that I can see at first glance. US/China disputes shouldn't affect imports to UK, no reason for a photo materials manufacturer to need a 4-axis CNC machine, and there is not "Ilford Photo" that would be buying such; it would be Harman Technologies. Never mind why they think Joe Photographer might get involved in any such thing...

 

[pentaxuser]

It makes very little sense to me in terms of what it is specifically trying to do that in any way resembles a normal business transaction. It looks and sounds laughably amateurish.

No doubt you were chosen to help Dr Sarmast and not the rest of us here on Photrio because you have a kind face

pentaxuser

 

[Bazza D]

Crazy phishing scam. I find the Signature interesting so I googled it. It ties to this article https://www.ilfordphoto.com/portrait-afghan-national-institute-music/
It appears that Ilford did a post on Dr. Samsast, founder of the Afghan national institute of Music. It seems that the spammers googled Ilford and founder not realizing CEO or something else would be more appropriate.
Phishing scams like this are usually random, They may have an email list or something. But often, they have just googled and picked some information that sounded plausible. Generally it is just random but still doesn't hurt to see if any others have gotten the same email.

 

[pbromaghin]

Check these people out. The "Letters" and "Trophy Room" are especially interesting.

419 Eater - The largest scambaiting community on the planet!

 

[removed account4]

Has anyone else here received such messages?

Nope. nothing from Ilford, but I'm still waiting for the $10Milion Dollars US I was promised a last week.

 

[Donald Qualls]

I'm still waiting for the $10Milion Dollars US I was promised a last week.

I figure my odds are better with Powerball.

 

[Rudeofus]

Phishing scams like this are usually random, They may have an email list or something. But often, they have just googled and picked some information that sounded plausible. Generally it is just random but still doesn't hurt to see if any others have gotten the same email.

If you send spam from "IlfordPhoto" to Joe/Jane Shmoe, they will go "Ilford who?" and most likely ignore the message. To Joe/Jane Shmoe they could have addressed the same message with sender set to "General Motors" or "Ford" or some company more known to the general populace.

Therefore I have the impression, that someone specifically targeted people with some affiliation or connection to Ilford Photo. Some entity with an online presence related to analog photography got their data base dumped.

 

[Donald Qualls]

some affiliation or connection to Ilford Photo.

Or at least to people who are film and silver image paper users, or might have been before digital.

 

[David A. Goldfarb]

I realize the original post is about e-mail off the forum, but if anyone receives these kinds of messages, or any kinds of scam offers in their PM box, please use the “Report this post” button to notify the moderators. We have pretty good tools to eliminate these spammers, but we don’t have access to your inbox unless you report the message (Sean has access, but isn’t looking into anyone’s inbox unless there’s a problem like a hacked account).

 

[pentaxuser]

Nope. nothing from Ilford, but I'm still waiting for the $10Milion Dollars US I was promised a last week.

I think you have to help the Nigerian resident who has fallen foul of some of its regulations, first, don't you?

pentaxuser

 

[BrianShaw]

I just checked my spam folder. In addition to helping out lost Nigerian relatives/friends, it appears that I’m not getting many packages delivered either. I wonder what I bought?

 

[Donald Qualls]

I wonder what I bought?

I always wonder how DHL has my (rather unusual domain) email address, but doesn't seem to have my correct street address -- and after that, who I've bought something from that could possibly be using DHL.

 

[David A. Goldfarb]

I used to have a folded piece of paper in my wallet with passwords and associated websites in tiny handwriting, and then that grew to two pieces of folded paper, which expanded to a bunch of sticky notes around my desk. Then I started worrying about accidentally posting a selfie or video at my desk with legible passwords in the background, so just this past year I upgraded to a notebook.

 

[Donald Qualls]

just this past year I upgraded to a notebook.

And now you have to worry about the notebook growing legs and taking every password you need with it. There's no right way around this; ever since Grog figured out he could just pick up Thorg's flint axe when Thorg wasn't looking, we've had this problem in one form or another.

 

[pentaxuser]

Maybe the real answer is to learn how to remember lists of passwords and be able to "attach" each one to the correct site in our heads. There have been plenty of books on it. Yes, on a few of us may ever have the ability to recall random lists or the sequence of say 20 playing cards dealt off the deck a la the "memory acts" of the old music hall performers but for a list of sites in terms of reasonable numbers thereof,it should be possible

There can't be many, if any, safer ways that are completely independent of any other party's help which involves attendant problems

pentaxuser

 

[Donald Qualls]

Most people can't or don't want to learn that skill. I, for instance, am not much interested in becoming a mnemonicist in order to be able to safely use this incredible WWW we've built over the past thirty-plus years. I've got a naturally very good memory, but the password requirements of many/most sites (must have at least one cap, small letter, number, and special symbol, or three of the four, or similar) actually push away from using strong (=long) passwords that are easy to remember ("pass phrase") -- and there's no obvious notification on the few sites that do permit pass phrases of unlimited length (after about 20 characters, there's no sense in the character type requirements anyway), but even they usually still require a mix of caps, lower case, numbers, and often a "special" character.

 

[David A. Goldfarb]

And now you have to worry about the notebook growing legs and taking every password you need with it. There's no right way around this; ever since Grog figured out he could just pick up Thorg's flint axe when Thorg wasn't looking, we've had this problem in one form or another.

True, though I work mostly from home, and the notebook rarely leaves my desk, so someone would have to break into the condo to get it. That said, I do have cameras and a copy stand. I should probably shoot a backup of it occasionally and store it in a safe location. That sounds like a good use for some way past date film.

 

[Bazza D]

Password managers programs are supposed to be the most secure way to go. You are able to create stronger passwords since you only need the master password. And you only have one password to remember. You can then pair the password manager with a security key, that is a usb or near field communication hardware (physical) device as a two factor authentication. It is basically a small key that you need to have to authenticate your password manager or log into a device. I haven't used a physical key yet but I am going to look into the physical security keys a bit more and probably go with one. It is a pain but using some type of two factor authentication is the best way to keep your info safe other than not using the internet. There are also a few other forms of two factor authentication available now a days as well. Like apps for your phone, getting text messages, and a few more.

 

[Donald Qualls]

Password managers programs are supposed to be the most secure way to go. You are able to create stronger passwords since you only need the master password. And you only have one password to remember. You can then pair the password manager with a security key, that is a usb or near field communication hardware (physical) device as a two factor authentication.

The flaws in this, though, are that without the 2FA key, an attacker need only steal the master password (via key logger, perhaps, or shoulder surfing, or spear phishing) and they have everything. And with the 2FA key, we're back to needing a Clapper (or an Airtag, to be more expensive and modern) to find the key to be able to log into anything -- and if it gets lost (dropped in the lake, for instance), you're locked out of everything, likely including any sites you might need to use to order a replacement 2FA key.

Security experts may consider this the preferred method, but to my mind it's like keeping your car inside a bank vault so thieves can't get the stereo and wheels. Sure, they can't -- but it greatly cuts into my enjoyment of those things, too, to need a half hour to open the vault to get the car out for a drive.

 

[Ces1um]

I just just received two identical email messages, proclaiming to be from Ilford Photo. The message content appears to be some scam involving transfer of funds and goods unrelated to Ilford's immediate business.

Of course these massages did not originate from Ilford, but outside of Ilford and photrio, I can not imagine another entity to draw a direct line between IlfordPhoto and my email address. I've been wondering, whether either Ilford's or photrio's stash of email addresses somehow became became accessible to miscreants.

Has anyone else here received such messages?

Three weeks ago Windows pushed a security update for a major exploit that exists in windows 10 all the way back to windows 7. They patched it (including windows 7 which officially they've dropped coverage for so that should tell you something). Had something to do with the print server had an exploit which would allow people to access your accounts and even create a "user" account on your computer of their own. I updated my computer but just a couple days later started getting spam emails, spam cell phone calls, etc.. Far more often then was the usual and customary. You may wish to run googles "password check" which compares your stored accounts to a list of known compromised accounts. You may have also noticed a lot of companies requiring you to re-sign into your accounts and asking you to update your passwords. Not saying for sure this is directly related, but it wouldn't surprise me.

 

[Bazza D]

The flaws in this

It is a pain and nothing is perfect. But this is the way things are going. Computers and phones are starting to include a security key built in. In the end it is a personal choice. Security is always a balance between hassle and convenience. If you make it a habit it is less of a hassle. Transaction encryption is fairly strong. This makes the password manger fairly strong. The weak point is the login which is a human controlled element. To be fair, the idea of password managers scare me and they seem more of a vulnerability than anything. But the reality of how technology works disagrees with my intuition. Humans are the largest security risk. If you can add a layer of technology over the human element it is generally better. If worried about losing the key, I would get one per device. And keep the key with the device. Better for the computer than a phone but a key on your key ring probably isn't that bad for the phone. I think the trend though is going to built in device with fingerprint authentication. More or less, just sharing information. Honestly, I feel similar to what you've expressed about the drawbacks.

 

[Donald Qualls]

I think the trend though is going to built in device with fingerprint authentication. More or less, just sharing information.

Fingerprint authentication, however has some legal ramifications.

Short version (in the USA, anyway), you can be forced to give up something you have without Fifth Amendment protection -- but you cannot (lawfully) be forced to reveal something you know that might lead to your incrimination. For instance, if you're arrested, you can be forced to give your fingerprints, but you cannot be forced to answer interrogation. If your phone is suspected to contain evidence against you (and isn't an Apple, which apparently contain back doors), you can't be forced to unlock it by code or gesture -- but you can be forced to touch the fingerprint pad; if that unlocks the phone, anything inside "may be used against you in a court of law." Not to say it isn't possible for someone to hack into your phone in that situation, it just isn't lawful for police or their agents to do so; evidence so obtained in inadmissible.

And on and on -- you can protect yourself from thieves, or you can protect yourself (to some extent) from police and government. Probably not both.