EEVblog Impersonation SCAM!

[EEVblog]

WARNING!
Someone is using a fake email address pretending to be me, to contact companies to elicit confidential technical information from them.
This is NOT my email address or email footer.

They got away with this and the company sent the confidential technical info requested. I only found out because the company copied my normal email address into the correspondence.

Rather clever actually.

[SilverSolder]

In the olden days, they used to put criminals' heads on spikes along the Tower Bridge in London, to discourage crime...

[chickenHeadKnob]

You may be reluctant to share more I can understand, but I remain curious. Was this phishing  trying to get information typically sought by nation state actors or more commercial in nature?

[EEVblog]

You may be reluctant to share more I can understand, but I remain curious. Was this phishing  trying to get information typically sought by nation state actors or more commercial in nature?

  not nation state level!

[Whales]

Schematics for the new Australian submarines.  For some reason all of the electrical diagrams look like organisational charts.

[EEVblog]

Does anyone know of any solution for securely signing emails automatically from within gmail?
(No, I'm not going to ditch gmail and use PGP or some other email client)

[coppercone2]

best I can think of is a VBS script or something that will put it on your copy-paste after clicking from start menu or quick start on a windows (or linux if a script can do it). So you can click a signature icon and paste. Also may be possible to put it in the browser, but I think you would need to paste. Unless you can use a hotkey macro for a shift combo to paste it in, but that might be annoying to setup

perhaps someone can make a browser plugin? Can a VBS script on windows take copied text, put it into a processing program and replace the memory with a key?

[EEVblog]

best I can think of is a VBS script or something that will put it on your copy-paste after clicking from start menu or quick start on a windows (or linux if a script can do it). So you can click a signature icon and paste. Also may be possible to put it in the browser, but I think you would need to paste. Unless you can use a hotkey macro for a shift combo to paste it in, but that might be annoying to setup
perhaps someone can make a browser plugin? Can a VBS script on windows take copied text, put it into a processing program and replace the memory with a key?

Put what in my email? A unique key?
The way I figure something like this would work is that in the footer of my email there is a unique key generated with each email that is tied to my private key. The recipient then has the option to check that code against my private key held on some secure website somewhere. Does such a thing exist?
Doesn't of course stop someone from ding exactly what they do in this case, as every recipient would have to know that I always include a verification key in the email footer for example.

[coppercone2]

I thought thats what a PGP thing was? I thought you have private seed that makes a public thing that links to some modified seed available for everyone, which you would have on your website

I just meant you make a VBS script to open the gen program, put the gen on your copy paste, and paste it (and possibly use the email contents in addition to your private seed).. so you only need to hit one button to get something you can CTRL-V.. I was thinking it could be on the quick-launch bar so its always on the screen

not sure what is the easiest most available one that has a app or web applet.. then someone would need to paste your message signature and your public key into a application to see if they correlate

you could.. put a verification program on your website (is this message from dave jones?), so people don't need to find your public key every time

problem with all of this is that most bozos that use NDA to hide things.. are probably gonna take it at face value and not check it

You might actually increase security if you keep your public key private and make your website verify the key. Not sure though. That way they can only submit a key and see if it unlocks. Maybe some algorithms are better then others for this, but I have NO idea if its considered security through obscurity or if it makes it mathematically more difficult, or how to reverse engineer a pubic key from a signature or if you can 'hash' your plaintext to make a unqiue signature (i.e. like add MD5 to it).


Just thinking about it in terms of analogies, one is some kinda thing included in a cereal box with a bunch of mathematicians, the other is sliding a message under a door and seeing if it opens.... you could randomly change the decryption machinery etc if you have no public key and use your website and signatures only. Might piss someone off lol. Does give incentive to hack your website though, since it would be a curiosity to see what the hell you are doing. But I think you could essentially use a uncrackable one time pad if you did it yourself. And it could not blog down servers, since it would just be comparing plain text to shit on a list very fast (so catchpa)

[magic]

Does anyone know of any solution for securely signing emails automatically from within gmail?
(No, I'm not going to ditch gmail and use PGP or some other email client)

The fundamental problem with signatures is that somebody has to check them. Don't ask how to create one in gmail (you probably can't anyway), ask how to create one which will be verified by every mail client that your collaborators might be using

This wouldn't have happened if those people verified as much as the address they are responding to.

[Halcyon]

Dave, I know you have a number of email addresses, but do you think it's perhaps time you use something like Google G Suite and have email connected to your own domain?

You're talking $8.40 per month for a single user and with that, you can have up to 30 aliases. For example, you might have djones@eevblog as your user, but then have aliases such as info@eevblog, store@eevblog, etc... You can even "send as" your aliases if you like and all email just gets delivered into your primary inbox.

[PA0PBZ]

Dave, I know you have a number of email addresses, but do you think it's perhaps time you use something like Google G Suite and have email connected to your own domain?

That would not help at all in this case.

[Halcyon]

Dave, I know you have a number of email addresses, but do you think it's perhaps time you use something like Google G Suite and have email connected to your own domain?

That would not help at all in this case.

Absolutely it would. Anyone can sign up for an @gmail.com address that looks half-way genuine. Only Dave can use an @eevblog.com email address.

It gives credibility to those with their own domain/business.

[nctnico]

Dave, I know you have a number of email addresses, but do you think it's perhaps time you use something like Google G Suite and have email connected to your own domain?

That would not help at all in this case.

Absolutely it would. Anyone can sign up for an @gmail.com address that looks half-way genuine. Only Dave can use an @eevblog.com email address.

It gives credibility to those with their own domain/business.

Agreed. But it is still up to the recipient to verify whether an e-mail is legit or not.

[magic]

Dave, I know you have a number of email addresses, but do you think it's perhaps time you use something like Google G Suite and have email connected to your own domain?

You're talking $8.40 per month for a single user and with that, you can have up to 30 aliases. For example, you might have djones@eevblog

I humbly propose dave@eevblog.com

https://www.eevblog.com/about/contact/

[RoGeorge]

Hello Company,

Dave from EEVblog, here.
From now on, please send any oscilloscope dumpster to RoGeorge.  PM for the exact address.

Thank you!
Sincerely, Dave (not RoGeorge)
EEVblog - Sydney, Australia
Contact:  https://www.eevblog.com/forum/pm/?sa=send;u=112927

 

[NivagSwerdna]

The email is actually from you; you have just discovered that you are a clone.... One of many Dave Jones roaming the dumpster rooms of the planet.

PS
What was the info? Candid photos of the insides of spectrum analysers with their back panels removed?

[RoGeorge]

The email is actually from you [yourself]

That was exactly my first thought, too, but slightly different:



Great movie.  Almost any line in it is quotable.

[ogden]

Right. First step of solution - avoid @aol, @google, @whatever for "official business" by any means. All mailboxes have to be on company domain only. Current situation allows very simple phishing attacks. Next time it can be goods or money redirection.

[AndyC_772]

I'm curious. What kind of information constitutes being tagged and treated as "confidential", but is nevertheless OK to send by email to a guy with a Youtube channel just because "he" asks for it out of the blue?

[ebastler]

The way I figure something like this would work is that in the footer of my email there is a unique key generated with each email that is tied to my private key. The recipient then has the option to check that code against my private key held on some secure website somewhere. Does such a thing exist?

Doesn't of course stop someone from ding exactly what they do in this case, as every recipient would have to know that I always include a verification key in the email footer for example.

I quite like the idea. You wouldn't actually need any private/public key; it would be more like a one-time pad: Generate a unique ID for each message and embed it in a link which you include in the message, in plain text. When the user clicks that link, the get directed to a web page (which would, of course, need to be on your domain, as a proof of authenticity), which displays some confirming bits of information to the recipient. Like "Yes, this is a genuine message from Dave, sent on ... at ... time to ... recipient".

The real authentication and security lies in the fact that your server is protected from 3rd party access, and that information coming from your server/domain can be clearly linked to you.

But as you say -- the weak spot is that recipients who don't even know of the existence of this scheme would still fall for phishing emails which don't include it.

[EEVblog]

I'm curious. What kind of information constitutes being tagged and treated as "confidential", but is nevertheless OK to send by email to a guy with a Youtube channel just because "he" asks for it out of the blue?

Basically it comes down to personal and business trust. Trust without a contract/NDA etc like this is done all the time in the industry.
Legally it's called Commercial-in-Confidence, and is commonly marked on company documents, even resume's etc.
Although whether or not the actual material is marked as such and how that stands legally is up to a judge to decide.

[EEVblog]

UPDATE!

Because people are inherently stupid (and my middle name is Sherlock Ohms), it didn't take me long to discover who impersonated me!
I have their real gmail address, now what ever shall I do...
I'm willing to bet it's a crime in the state of Illinois.

[RoGeorge]

Send them a glitter/stink bomb!

[mariush]

IS your email  @ eevblog.com  or @ gmail.com ?

You should be able to use gmail with your own domain.

Personally, I use fastmail.com with the 5$ a month subscription and tied that to a domain I bought, so I have several aliases ex  marius@ my domain .com  going to a single account.

fastmail as far as i know was launched by the people that made Opera, and works fine for me.