Crooks use WannaCrypt hysteria as hook for BT-branded phishing emails
Confusingly, ISPs are also sending out genuine warnings
Scoundrels have latched on to the WannaCrypt outbreak as a theme for scam emails. Coincidentally, some consumers are receiving seemingly genuine warnings from their ISPs related to suspected infection during last week's worldwide ransomware outbreak.
Action Fraud warned about a dodgy email trying to trick BT customers on Thursday.
Alert: We have fresh reports about this fake BT email that takes advantage of the global #WannaCry ransomware attack https://t.co/mOgZ3y9JY3 pic.twitter.com/ZyuhEO3sdC
— Action Fraud (@actionfrauduk) May 18, 2017
Recipients, who were falsely warned that they would be locked out of their account unless they completed a bogus "security check", commented that the emails were convincing.
Watch out for this fake BT email. Looks very realistic! https://t.co/D5xaqNzHsW
— simon read (@simonnread) May 18, 2017
Meanwhile, Virgin Media is pumping out well-intentioned emails to customers among its user base logged as visiting the WannaCrypt sinkhole domain, which was registered in order to capture malicious traffic and prevent control of computers by the criminals who infected them. This behaviour might mean that WannaCrypt attempted to infect their machine. The same warning would be generated if users visited the domain out of simple curiosity.
El Reg was forwarded a copy of one such email (which appears legit, and links to a real page on Virgin Media's site) by a reader. The email alerted Ben W that a device on his network might be infected with WannaCrypt. "I'm pretty sure this is a false positive since the only Windows machine on my network is a fully updated Windows 10 machine (and certainly not ransomwared)," Ben told El Reg.
Malwarebytes security researcher Chris Boyd, who we consulted about the suspicious email, told us that it might well be a genuine warning. "I've seen a few of these today – my first thought is perhaps the recipients have visited the sinkhole domain, either via security/news articles to see what it looks like, or they've been on a page merely linking to the sinkhole and Virgin's configuration is assuming they've 'visited' it."
Ben, in turn, responded that he might well have visited the sinkhole. "You're perhaps right about visiting the sinkhole domain (which I probably did out of interest when I saw it published)," he said.
Other recipients of the same warning message have started a thread about it on Virgin Media's forums. Almost all are VPN users, according to Ben W, a factoid that may or may not have some bearing on what's going down. ®