This will be a quick post. We have received a phishing mail at our info@lemmy.world address claiming to be from the “lemmy.world Security Team” and telling you that they will “disconnect” your account from our instance. This is ofc not us. Do not fall for it! The attached image shows what the mail looks like.

~Lemmy World Team.

  • TheGoldenGod@lemmy.world · 72 up · 1 year ago

    Jesus. Phishing emails like this have become so commonplace I actually miss the old Viagra spam emails in l33tspeak.

  • Annoyed_🦀 @monyet.cc · 57 up, 2 down · 1 year ago

    How do you guys know it’s not you guys?

    Joke aside, I wonder why they wanna phish for user accounts on Lemmy? Unlike the exploit a few months ago that specifically targeted admins, this one seems to target anyone; it’s so random.

  • Flying Squid@lemmy.world · 48 up · 1 year ago

    I got an almost believable phishing text yesterday from a ‘collection agency’ that wanted me to download a PDF and go to their website. It looked very official and I’m having some debt issues, but it didn’t tell me who it was representing or what I owed or anything like that, so I could tell it was phishing. But a less-savvy person could have totally been fooled by it because it looked very real.

    • henfredemars@infosec.pub · 17 up · 1 year ago

      I got a spam message that was surprisingly well written until I realized wait a minute, if this is true, why do you need me to tell you who I am?

    • SnipingNinja@slrpnk.net · 15 up · 1 year ago

      It’s especially bad if you are half asleep and panic click on something, especially with session hijacking

  • dependencyInjection@sh.itjust.works · 39 up, 1 down · 1 year ago

    Isn’t it a waste of time trying these scams on lemmy.

    I could be wrong here but I would argue the vast majority of users are somewhat tech proficient since it’s not reached mass adoption and the user base is well, just us nerds?

    • Bitrot@lemmy.sdf.org · 27 up · 1 year ago

      Tech folks still fall for phishing. It takes a momentary lapse, failure to caffeinate, it happens.

      Lemmy is currently full of newly registered domains with weird suffixes, the kind that traditionally have been a phishing indicator. Lemmy.world is going to be harder to phish than some of the other ones where you have to read closely.

    • SgtAStrawberry@lemmy.world · 19 up · 1 year ago

      Well one of the best scam hunters on YouTube lost his account to a scam. So not really a waste of time, trying Lemmy.

      • Hazzia@discuss.tchncs.de · 5 up · 1 year ago (edited)

        There’s also variable levels of sophistication for scam messages based on the desired target. If you’re looking for a whole lot of people who don’t understand technology enough to see through your premise, you go with the generic “hello sir and/or madame I am hackor send gift cards or I will delet ur phone”.

        If you’re after a very specific person who is well known to be privy to the normal red flags, you’re more likely to create a custom spear phishing campaign and mimic as closely as possible the format, lexicon, domain names, etc of something reputable to avoid setting off their BS detectors.

        With that said, yeah there’s enough people on lemmy that this low-effort take is worth a shot

  • NOT_RICK@lemmy.world · 37 up · 1 year ago

    Hello, it is I, John Security. Please respond to this message with your name and SSN or the FBI will arrest you for unpaid back taxes. Also, do you have any iTunes or Google play gift cards laying around?

  • Clbull@lemmy.world · 38 up, 3 down · 1 year ago

    Why would they target Lemmy users?

    Your typical Lemming (for lack of a better term) is not technologically inept and would generally not fall for a phishing scam. They’d earn a lot more money from targeting Redditors.

    • I study cybersecurity. Technically inept or not, people in IT fall for phishing all the damn time.

      What I imagine is that they look at popular domains (in this case “lemmy.world”), turn that into a fake app name (“My Lemmy World”) and set up some kind of generic link somewhere. When you do that for enough domains, they’ll strike gold eventually.

      You’re not always at 100% concentration. At some point you’re going to get an email late at night after you’ve had a few shots, or after you’ve woken up from a terrible sleep, or your baby has been waking you up every four hours and your boss is threatening to fire you if you don’t get yourself together, and you’ll make a dumb mistake.

      Sure, most IT people don’t fall for the “this is the company’s password inspector please list all your passwords so I can check if they’re safe” level of scams, but phishing people is remarkably easy if you do it at scale. You send out a million emails and less than one percent needs to fall for your scam for your attack to work.

      What’s worse is that because of all of that knowledge, IT people tend to think they’re too smart to get scammed. That’s incredibly useful for scammers, because that means those people will justify their mistakes for longer when they do eventually fall for something like this. Plus, they’re less likely to get help, because their peers who are also Very Smart will probably make fun of them for falling victim to a scam like this. Plus, if you work in IT, you probably make a nice chunk of money, and maybe have some cryptocurrency on your super secure local wallet that an app with the right exploits can steal.

      Emails are practically free and they only need a few mistakes to make a profit. Targeting IT professionals doesn’t increase your probability of success like targeting the elderly does, but it’s still a risk/reward situation that can make you money once you’ve set up your preexisting scam automation.

    • Stalinwolf@lemmy.ca · 9 up, 4 down · 1 year ago (edited)

      Attention! u/spez demands that you suckle upon his prostate like a thirsty little pig!

      “OMG guys, ^ THIS!”

  • dreadedsemi@lemmy.world · 29 up, 1 down · 1 year ago

    It’s weird that they target Lemmy, what would they get? Access to an account that shitposts? The only important accounts are admins, and even communities are small here.

    • Dave@lemmy.nz · 30 up · 1 year ago

      My guess is they did not. It doesn’t appear to be targeting Lemmy, it’s just a generic spam email.

      Note the email was received at the info@lemmy.world address. The email most likely got the info@lemmy.world email address, took the domain from it, lemmy.world, and put this in their spam generator. The email doesn’t even make sense, because it says they need to install an app for their mail but it’s a custom domain.

      If you imagine most of the emails on their spam list are @gmail.com or @outlook.com, etc, then the email looks like it is coming from the gmail.com security team or the outlook.com security team. The email no longer makes sense when you have a custom domain.

    • Kayn@dormi.zone · 22 up, 1 down · 1 year ago

      It’s not targeted at Lemmy. This phishing mail simply assumes that lemmy.world is an email provider, and that info@lemmy.world is a registered email account there.

  • Obinice@lemmy.world · 21 up · 1 year ago

    Why are these sorts of things always written by somebody who can clearly barely speak English?

    • bananabenana@lemmy.world · 46 up · 1 year ago

      I read that this was to weed out savvy people. People who aren’t skeptical of poorly written emails or messages are their target audience. Could be wrong though.

      • Chariotwheel@kbin.social · 15 up · 1 year ago

        Yes, exactly this. You want people who can’t see behind the simple facade, because they are more likely to be easily fooled. You don’t want to work on someone who is very sceptical or even moderately sceptical. In that time you could work through a bunch of people that can’t see behind this and pull money out of them.

        Scammers want easy marks. Why wouldn’t someone make it easier for themselves by naturally filtering out people that can’t be easily fooled?

      • Echo Dot@feddit.uk · 13 up, 1 down · 1 year ago

        I’m sure that’s some of it, but also I think a lot of it is this is the kind of crap you do get if you run Chinese through Google translate and just copy paste the output.

        It’s almost fine but then it falls apart and doesn’t really make sense.

    • Koen967@feddit.nl · 16 up · 1 year ago

      What is unclear? All you have to do is resolve the Lemmy world app on Android and install the errors on your iPhone mail.

      • Echo Dot@feddit.uk · 9 up · 1 year ago

        Yeah I’m not actually quite sure I understand what the issue they are pretending is.

  • slazer2au@lemmy.world · 15 up · 1 year ago

    Do you have plans to enable DMARC, DKIM, and SPF to make the emails more likely to be flagged as spam by email filters?
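To illustrate what the records asked about actually buy you, here is an added check (not from this thread and not lemmy.world’s real DNS) that reads an SPF and a DMARC TXT record and reports what a DMARC-aware receiver would do with mail forging that domain in From:. The records are constructed, the `_spf.mailhost.example` includer is hypothetical, and the live DNS lookup is omitted so it runs offline; DKIM is not evaluated because it needs a selector record, not just the domain.

```python
import re

# Constructed DNS TXT records for illustration only; not lemmy.world's real records.
WEAK_SPF = "v=spf1 +all"                 # every sending host passes SPF
WEAK_DMARC = "v=DMARC1; p=none"          # monitoring only, nothing is rejected
STRONG_SPF = "v=spf1 mx include:_spf.mailhost.example -all"   # hypothetical includer
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid"


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DMARC-style record into a dict with lowercased keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_verdict(record: str) -> str:
    """How the SPF 'all' mechanism treats a host not listed in the record:
    'fail', 'softfail', 'neutral', 'pass', or 'none' when there is no SPF record."""
    if not record.lower().startswith("v=spf1"):
        return "none"
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not m:
        return "neutral"   # RFC 7208: no matching mechanism means a neutral result
    return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass", "": "pass"}[m.group(1)]


def dmarc_policy(record: str) -> str:
    """The DMARC 'p' tag ('none', 'quarantine', 'reject'); 'none' without a valid record."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none"
    return tags.get("p", "none").lower()


def assess(spf_record: str = "", dmarc_record: str = "") -> str:
    """Outcome for mail sent from an unlisted host that forges the domain in From:."""
    spf = spf_verdict(spf_record)
    if spf == "pass":
        return "accept"   # '+all': any host passes SPF, so forged MAIL FROM also satisfies DMARC
    policy = dmarc_policy(dmarc_record)
    if policy in ("reject", "quarantine"):
        return policy     # DMARC fails (no SPF pass, no DKIM) and the policy is enforced
    if spf in ("fail", "softfail"):
        return "spam-hint"  # no enforcing policy: SPF failure only feeds spam scoring
    return "accept"


if __name__ == "__main__":
    print("weak  :", assess(WEAK_SPF, WEAK_DMARC))      # accept
    print("strong:", assess(STRONG_SPF, STRONG_DMARC))  # reject
```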

  • cole@lemdro.id · 11 up · 1 year ago

    I’ve gotten an email like this before for lemdro.id. I think it’s a generic phishing email since the community links look like email addresses (and actually often are)

  • nodimetotie@lemmy.world · 10 up · 1 year ago

    I wonder what they thought of when they wrote “Security Team.” I just think of security guards.

  • jordanlund@lemmy.world · 3 up · 1 year ago

    I’d love to see what domain the “resolve issue now” link points to… Somehow I doubt it’s lemmy.world. :)

    Thanks for sharing!