Warning: Scam email from HIDS4U


fwaggie

Original Poster:

1,644 posts

201 months

Wednesday 23rd August 2017
Hi all,

Please be mindful of emails that seem to come from HIDS4U that claim they are giving you a free dash cam (because you're a loyal customer) just for the price of postage.

I've just received one, and it has a link where I can "update my address" which takes me to a hacked webpage on the website of the Orthopaedic and Neurological Rehabilitation Centre in Texas, USA. The hacked website I've no doubt would ask me for my credit card details to pay the postage.

For the techies amongst you, you can see the files that make up this hacked website by looking at
https :// www.onr-inc.com / cli / www.hids4u.co.uk / (URL mangled to protect people, even though this URL just gives a directory file listing)

It contains a file that has details of over 4000 customers, the hids4u.csv file, emails, names, delivery address and phone numbers. Doesn't seem to contain passwords though thankfully.

Maybe someone that knows PHP can pull the PHP files to bits and try and find out where they're sending the captured details?

I used 'preview' in Safari to look at the website and it looks very convincing, with my correct name, delivery address, phone number and email. I've no doubt that following pages would ask for the postage and ask for credit card numbers, etc.

I've sent a message to HIDS4U letting them know, but if you get one of these scams, ignore it, and if you have already paid the 'postage', cancel your credit card ASAP.


The email scam itself had a few things about it that made it look fishy: there wasn't any obvious "Pay postage here" link, just one link to confirm delivery address, plus the email subject is "Special Delivery" with a reference number - how can they have a reference number for a delivery when I haven't paid for delivery yet?



Cheers,
Richard
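
As an added example (not part of the original post): a small Python check for the pattern described above, where the link sits on an unrelated host but carries the shop's hostname as a directory in its path. The host `clinic.example` and the sample links are constructed, and the subdomain-prefix case goes beyond what the post describes.

```python
from urllib.parse import urlsplit, unquote

# Brand domains you expect genuine mail from (hids4u.co.uk is the shop in the post).
BRANDS = {"hids4u.co.uk"}

def _belongs_to(name, brand):
    """True if name is the brand domain itself or a subdomain of it."""
    return name == brand or name.endswith("." + brand)

def check_link(url, brands=BRANDS):
    """Return (brand, reason) if the URL borrows a brand hostname without
    being hosted on that brand's domain, otherwise None."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    # Decode %2E etc. so an encoded hostname in the path is still recognised.
    segments = [s for s in unquote(parts.path).lower().split("/") if s]
    for brand in sorted(brands):
        if _belongs_to(host, brand):
            continue  # genuinely hosted on the brand's own domain
        if any(_belongs_to(seg, brand) for seg in segments):
            return (brand, "brand hostname used as a path segment")
        if host.startswith(brand + ".") or "." + brand + "." in host:
            return (brand, "brand hostname used as a subdomain prefix")
    return None

def scan(urls):
    """Return only the suspicious links, each with its finding."""
    findings = []
    for url in urls:
        hit = check_link(url)
        if hit:
            findings.append((url, hit[0], hit[1]))
    return findings

# Constructed sample links; clinic.example stands in for the compromised host.
SAMPLE_LINKS = [
    "https://www.hids4u.co.uk/account/address",
    "https://www.clinic.example/cli/www.hids4u.co.uk/",
    "https://www.clinic.example/cli/www%2Ehids4u%2Eco%2Euk/update.php",
    "https://www.hids4u.co.uk.clinic.example/update",
    "https://www.clinic.example/about/",
]

if __name__ == "__main__":
    for url, brand, reason in scan(SAMPLE_LINKS):
        print(f"SUSPICIOUS {url}: {reason} ({brand})")
```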

fwaggie


Thursday 24th August 2017
r11co said:
Fishing - probably no data breach has happened.
They have the details of over 4000 customers, how would they get that information? (I noticed that a few email addresses are of the form "hids4u@<person's email address>" which is typical of people shopping somewhere taking junk email precautions, these aren't just 4000 random people's details)

fwaggie


Thursday 24th August 2017
Your Dad said:
Dodgy website content now removed.
Great news!

Your Dad said:
@fwaggie: Have you/will you inform the ICO, as there appears to have been a breach of your personal data?
I've just had a look at the ICO website, and the closest thing I can find is "Report a Concern".

Following that through it asks me:-
  • Have I reported my concern?
(yes I have, I used their online message system to let them know)
  • Have I heard anything back?
Answered 'no' to this one and it says "follow up with the organisation" and there are no other options.

Is there a different link / category or report I can use for a data breach?

fwaggie


Thursday 24th August 2017
Just received an email from HIDS4U warning customers about the scam emails and asking them to take action if they have entered any credit card details.

They say the data breach was from a few years ago (5 to 7 years ago), no CC details were stored, nor are they now stored, and they "introduced a number of security measures some time ago" and will look to see what can be done at this time.

Good on them for acting on it.


I'll fill in the details on that ICO form later today.

fwaggie


Thursday 24th August 2017
Durzel said:
Yeah, got the same email. At least they took ownership of it.

edit: Interestingly I got this email after I'd asked them to delete my account and any data they store about me, which they confirmed they had done.... so...
Hah, they'll just claim the emails were sent out before they deleted your details, and it took <whatever time period> to work their way through sending the squillions of emails!