Tens of thousands of surfers taken to Neverland

A spam email campaign purporting to come from the Bournemouth Pavilion theatre about a Christmas performance of Peter Pan has hit tens of thousands of computer users worldwide.

Tens of thousands of surfers taken to Neverland
Tens of thousands of surfers taken to Neverland

The email has been sent to recipients from the US, South Africa, Canada and elsewhere.

Convincingly, the ‘Confirmation of order' mail says the recipient has booked tickets for the 7pm performance of Peter Pan on 23 December and gives the last four digits of a MasterCard number supposedly used to make the £145 purchase.

It encourages the recipient to click on a link to print the tickets, which downloads a zipped file containing Trojan malware.

One recipient commented on a local newspaper website: “I see hundreds of these each week and I have to say that this is the most convincing phishing email that I have ever come across.”

The spam has been sent to tens or even hundreds of thousands of people.

Matt Goode, a spokesperson for BH Live, the company which operates the Pavilion theatre, told local press: “We know at least tens of thousands of emails were sent out but we don't know the exact number at this time. It's a very significant amount as far as we are concerned.”

Goode said police have been informed, adding: “We are continuing to investigate the matter because we want to understand the full scale of it.”

The theatre has been deluged with calls from concerned recipients, which started yesterday morning.  But it insists it has not suffered a data breach itself.

An advisory on the BH Live website says: “BH Live's information security teams, together with IT professionals and suppliers, have investigated the matter and confirm that its internal systems have not been breached and that the emails were sent from known spam IP addresses.

“A number of precautionary measures have been taken to ensure data, systems and networks continue to be protected.”

Commenting on the spam attack, which is now believed to have stopped, Kevin Epstein, VP of advanced security at Proofpoint, told SCMagazineUK.com via email: "Based on early reports, this appears to be a standard Trojan, similar to Dyre.”

Epstein said the estimates of up to hundreds of thousands of recipients are plausible: "While Proofpoint cannot verify exact numbers, most current long-line phishing attacks send hundreds of thousands to millions of emails in periods as short as an hour."

Epstein added: “Note - this is not a sophisticated phish. Static attachments are far easier to detect and block with gateway email detection, as opposed to URLs in email, which can vary payloads over time."

A report in The Telegraph newspaper says the attack originated from servers connected with the Belarus National Academy of Sciences and others based in France.

Epstein commented: "Attackers frequently use legitimate domains to lower the odds of phish detection; it is likely that many other compromised systems and personal computers from many IP addresses could be used as well, which would make the attack harder to detect and block."

He added: "Such attacks are often financially motivated. Since there doesn't seem to be an overt political message, and reports are that the malware appears to seek financial information; this seems to be a criminal attack."

Epstein advised recipients: “Don't click. If an email arrives claiming to be from a known website, type that website's home page directly into your browser, then navigate in appropriately. Unknown website? Avoid it. Regardless, don't use the links in email.”

BH Live said in its website advisory: “It is recommended that anyone receiving these emails update their passwords over the coming days.”