As a regular presenter and visitor at conferences and exhibitions, I am used to getting unsolicited emails offering to sell me the “verified” list of visitors or attendees, complete with job function and contact details. This even happens for conferences and exhibitions I do not attend and often do not even know exist!
Let’s not revisit the GDPR issues where private data has been sold, and over the last two years you must have read enough articles about GDPR non-compliance. The phenomenon of these offerings continues during the COVID-19 period, despite conference after conference and exhibition after exhibition postponed, cancelled or going virtual. Most likely the lists of contact details now being offered are from past events – at best from the previous year.
For example, the world’s largest mobile phone showcase, the Mobile World Congress Barcelona, better known by its abbreviation MWC, was scheduled for 24–27 February 2020.
However, on 12 February 2020 GSMA, the organizer of MWC decided to cancel the show: “With due regard to the safe and healthy environment in Barcelona and the host country today, the GSMA has cancelled MWC Barcelona 2020 because the global concern regarding the coronavirus outbreak, travel concern and other circumstances, make it impossible for the GSMA to hold the event.”
An event of this magnitude – in the last few years typically over 100,000 people attend – being cancelled for a valid reason at such short notice creates a logistical nightmare, not only for the organizers, but also for exhibitors, presenters and delegates. However, one thing was obvious: nobody would be there. Nevertheless, the fine folk in the “leads” business continued as if nothing had happened: for example, nine days after the event was cancelled, and just three days before its originally scheduled start, I received spam offering 95,890 lies… ummm, I mean supposed contact info, about those who would be attending.
However, two months after the event was scheduled, and almost three months after it had been cancelled, a version of the visitors list was still offered.
Besides the “follow-up” being from someone never heard from before, the mentioned discount must also have been in the number of lies, uhhh… visitors (16,579).
InfoSec World 2020, rather than cancelling, went virtual, as seen in these tweets:
Again, despite the in-person conference being cancelled, I received several offers of attendee lists. If we look at all the different messages I received about InfoSec World 2020, some interesting artifacts are obvious:
One interesting question remains: how do these scammers and leeches – this business is clearly far from clean, as it depends on email spam as its main sales method – obtain their information? Besides trading lists amongst themselves and simply making entries up, they benefit from the fact that we actually give away a lot of information about ourselves. Now I can hear many of you say: “I don’t do that! I am careful with my details!” But all it takes for these people to get started is an email address. How many of you habitually click “Yes” to these read-receipt requests from Outlook?
To be honest, one wonders why Outlook does not disable this feature by default. First of all, it can be considered a tracking feature (invading your privacy) that confirms you have received and/or read a message. It also confirms to the sender that the email address is active and monitored, which may trigger more spam to come. And it can be misleading too: the recipient may not have read the message yet, may be in a hurry when the above window pops up and click Yes, or may already be typing and hit the Enter key. Note that the default selected answer is “Yes”.
It is not difficult at all to disable that “problem”. For Outlook, it is done via the Options:
Also, look at how many of my regular contacts set Out-Of-Office status messages with details on their function, other contact details, etc. Here’s a real-life example, obfuscated for obvious reasons:
I’m currently out of the office until [%DATE%], 2020 with limited or delayed email possibilities.
If you have urgent press or media related questions please try to contact me on my mobile phone ([%CELLPHONE_NUMBER%]) or via Social Media or alternatively try to contact [%OTHER_CONTACT_NAME%]([%OTHER_CONTACT_EMAIL_ADDRESS%]).
All emails received on this account will always be kept confidential for security reasons.
[%TITLE/FUNCTION%] – [%COMPANYNAME%]
[%CELLPHONE_NUMBER%] – [%SOCIAL_MEDIA_HANDLE%]
[%COMPANYNAME%] – [%COMPANY_ADDRESS%]
Despite the best of intentions, this gives away a lot of information: not only yours, but also starting information on an alternative contact. A gold mine for the aforementioned scammers.
One thing you should never do is take the scammers’ “advice”, typically presented as a footnote to their emails. The top 25 recommendations these scammers have suggested to me in the last year are:
- If this is not relevant, please reply with “Not Relevant” in the subject line
- If you are not interested in receiving our mails reply in subject line leave out or remove.
- If you do not wish to hear from us again, please respond back with “opt out” and we will honour your request.
- If you do not wish to receive further mail please reply with “Unsubscribe” in your subject line
- If you do not wish to receive future emails from us, please reply as “opt-out”
- If you do not wish to receive future emails from us, please reply as opt-out
- If you don’t want further emails, please Unsub
- If you don’t want future correspondence type “NR” in subject line
- If you don’t want to receive further emails please revert with “Take Out” in the subject
- If you don’t wish to receive email from us please reply back with Opt Out
- If you don’t wish to receive emails from us reply back with LEAVE OUT
- If you don’t wish to receive further any email please reply us with sub line ‘leave out
- If you don’t wish to receive emails from us reply back with “Unsubscribe”.
- If you don’t wish to receive our newsletters, reply back with “UN-SUBSCRIBE“ in subject line.
- If you’re not interested in mailing please reply with “Leave Out” in the subject line.
- If you’re not interested please reply subject line as “Take OFF”.
- Instead of reporting this email as spam, kindly reply “Leave-Out” or “Unsubscribe” and we will make sure that you do not receive another email from our company.
- Note: you were specifically sent this email based upon your company profile, if you do not wish to receive future emails from us, please reply as “No Requirements”.
- Note: You were specifically sent this email based upon your company profile. If for some reason this was sent in error or you wish not to receive any further messages from us please reply with subject line as “Exclude”
- To discontinue receiving email from us, reply as “Exclude”
- To remove from this mailing: reply with subject line as “leave out.”
- To remove, kindly respond with “Abolish”.
- To remove, kindly respond with “Cancel”.
- To unsubscribe from receiving future emails please send LEAVE OUT
- To unsubscribe, send us an email with the subject ‘unsubscribe’
Note the sometimes extreme similarity; we suspect this is a pathetic attempt to avoid spam filters.
By replying, you confirm that your email address is valid, and you may end up in more “verified email address” databases and add to the problem. And that is assuming you can even read those lines at the bottom of these email messages, as quite often they are set in an extremely small font or in a colour very similar to, or the same as, the background colour.
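As an added example (not from the original article), a small Python heuristic that flags the two tricks described above: “reply to opt out” instructions built from the vocabulary in the list, and footer text hidden by a tiny font or by ink the same colour as the background. The font-size threshold and the sample message are assumptions.

```python
import re
from html.parser import HTMLParser
# Opt-out vocabulary collected from the footers quoted in the post.
OPT_OUT_WORDS = ["unsubscribe", "un-subscribe", "unsub", "opt out", "opt-out",
                 "leave out", "leave-out", "take out", "take off", "exclude",
                 "abolish", "cancel", "not relevant", "no requirements", "nr"]
# A reply-style verb followed within 80 characters by one of those words.
REPLY_OPT_OUT = re.compile(
    r"\b(reply|respond|revert|send)\b.{0,80}?\b("
    + "|".join(re.escape(w) for w in OPT_OUT_WORDS) + r")\b", re.I | re.S)
TINY_FONT_PX = 8                 # assumed threshold: smaller text is not meant to be read
VOID_TAGS = {"br", "img", "hr", "meta", "input"}
COLOUR = r"(#[0-9a-f]{3,6}|[a-z]+)"

class FooterScanner(HTMLParser):
    """Separates readable text from text hidden by tiny fonts or background-coloured ink."""
    def __init__(self, background="#ffffff"):
        super().__init__()
        self.background = background      # overridden if a background-color style is seen
        self.text, self.hidden, self._stack = [], [], []   # _stack: one hidden-flag per open tag
    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = (dict(attrs).get("style") or "").lower()
        bg = re.search(r"background(?:-color)?\s*:\s*" + COLOUR, style)
        if bg:
            self.background = bg.group(1)
        size = re.search(r"font-size\s*:\s*(\d+(?:\.\d+)?)(px|pt)", style)
        ink = re.search(r"(?<![-\w])color\s*:\s*" + COLOUR, style)
        tiny = bool(size) and float(size.group(1)) < TINY_FONT_PX
        invisible = bool(ink) and ink.group(1) == self.background
        self._stack.append(tiny or invisible)
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()
    def handle_data(self, data):
        if data.strip():
            (self.hidden if any(self._stack) else self.text).append(data.strip())

def scan_email(html):
    """Return the reply-to-opt-out instructions and hidden fragments found in an HTML body."""
    scanner = FooterScanner()
    scanner.feed(html)
    instructions = [m.group(0) for m in REPLY_OPT_OUT.finditer(" ".join(scanner.text + scanner.hidden))]
    return {"opt_out_instructions": instructions, "hidden_text": scanner.hidden,
            "suspicious": bool(instructions) and bool(scanner.hidden)}

# Constructed sample modelled on the footers quoted above (not a real message).
SAMPLE = ('<html><body style="background-color:#ffffff"><p>Get the verified MWC attendee list!</p>'
          '<p style="font-size:4px;color:#ffffff">If you do not wish to receive further mail '
          'please reply with "Unsubscribe" in your subject line</p></body></html>')
```

A message is only marked suspicious when both tricks occur together, which keeps legitimate newsletters with a readable, linked unsubscribe footer out of the hit list.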
Sometimes, for your “convenience”, the advice includes hyperlinked text. For example:
Needless to say, you should never click on such links. In these specific cases, they are tracking links, not only confirming the validity of your email address, but also exposing more details.
Other links in scammers’ emails may point to their websites, which could be another method of tracking valid email addresses.
With so many conferences going virtual (and many for free), the lead-offering business has adapted and now offers what are presumably fake virtual attendee lists.
Interestingly, ESET was not a (virtual) exhibitor at the Black Hat 2020 Virtual Conference, but even if we had been, we would have collected information from the visitors to our “booth” ourselves. In any event, it is very unlikely that conference organizers, in the days of GDPR, are willing to share so many details.
We actually tested that with a conference ESET has a long relationship with and that is going virtual this year, asking if we could get (even just) the attendees’ email addresses.
The lead-offering business keeps booming, and as long as it can find data for free (or we even hand it over, making the data (semi-)verified), it will never stop. We should stop supplying them with free information (or, better, stop validating their information) by volunteering data in our Out-Of-Office notifications. Most, if not all, email clients have options to use different OOO messages for contacts inside and outside your organization, and for contacts who are and are not in your address book. It makes sense to put as little information as possible in the OOO messages for the external and unknown groups.
It is utopian to imagine we can put a halt to this business. Even if we become more sensitive and stricter about sharing (or confirming) our identifiable details, the people in the lead-offering business can continue making up their lists or (re)using old(er) details. Nevertheless, it is never too late to start taking this more seriously, so why not start right now?
written by Righard Zwienenberg, ESET We Live Security