RAF Club email addresses hacked


Pontius Navigator
1st Dec 2016, 11:10
Received an email from the RAF Club this morning Dear Customer and apologising for sending an invoice for £204 a week early. An address and phone number from the supplier was in the email together with the inevitable internet link.

Subsequently an email from the real RAF Club is investigating two such messages sent to a small number of members, yeah right, and not to email or phone as they are too busy to reply.

They say the message was not believed to be from the Club server.

The other odd thing is the message was FROM the RAF Club email address when the payload was from the spammer TO Dear Customer. I guess some might click out of curiosity.

Bob Viking
1st Dec 2016, 11:51
I received that too. Luckily I didn't click but it was plausible since I used the club not that long ago.

BV

teeteringhead
1st Dec 2016, 11:59
Thanks for the heads up - I got 2 copies this morning, and now haven't even opened them (and won't)!!

Pontius Navigator
1st Dec 2016, 12:09
The Club said only a small number. Would those members who have not received the emails say so please. That way we can get a cockshy at what constitutes a small number.

cyclic35
1st Dec 2016, 12:23
Received an email from the RAF Club this morning Dear Customer and apologising for sending an invoice for £204 a week early. An address and phone number from the supplier was in the email together with the inevitable internet link.

Subsequently an email from the real RAF Club is investigating two such messages sent to a small number of members, yeah right, and not to email or phone as they are too busy to reply.

They say the message was not believed to be from the Club server.

The other odd thing is the message was FROM the RAF Club email address when the payload was from the spammer TO Dear Customer. I guess some might click out of curiosity.

Received an email warning from the RAF Club. It was good to get the "Heads Up" in advance of perhaps receiving the "Duff" one. Well done Club Staff. :ok: It is never a good idea to click on any link in an email addressed to an un-named addressee.

nonsense
1st Dec 2016, 12:28
The displayed "from:" address in an email means very little; you can set most email clients to display whatever "from:" address you want. Look at the full headers to see what the source outgoing mail server was.

Pontius Navigator
1st Dec 2016, 12:31
Nonsense, my point was that the content was self-evidently not FROM the RAF Club but TO the club. Hugely cack handed.

30mRad
1st Dec 2016, 12:58
I've received 2 copies of this email - both went straight to Junk, and when you look at the actual email address behind the title, it is not from the Club. The postal address at the bottom is also rogue - with a telephone number that I do not believe to be the Club's.

Slightly worrying about the hack....

NRU74
1st Dec 2016, 13:19
PN
In post 4 did you mean have or have not received etc ?

The originating address on my iPad shows it to be (apparently) from some Plumbing Co in WA

NutLoose
1st Dec 2016, 13:20
You shouldn't really simply junk them. If you are using Hotmail / Outlook etc., it has a link on the top for junk; click the down arrow next to it then click phishing scam. It will report it to the relevant authorities and they will take the site it has come from down, as well as deleting it from your emails.


Cows getting bigger
1st Dec 2016, 13:34
This was the email I received from the RAF Club (email address was [email protected])

Dear Customer,

Please find attached invoice INV-01823 (Amended) for 204.11 GBP.

This invoice was sent too early in error. The payment date should be 7th December 2016.
Kindly accept our apologies for the oversight and for any inconvenience caused.

The amount outstanding of 204.11 GBP is due on 07 Dec 2016.

View and pay your bill: https://in.xero.com/xWpt0unExHSOWJMXZTQ2HRa5PCscPgq5MVuAZ1a3

If you have any questions, please do not hesitate to contact us.

Kind regards,
Accounts Department
Ashwood Portable Buildings Ltd
T +44 (0) 203 633 7115

Pontius Navigator
1st Dec 2016, 14:12
NRU, I received the same message as CGB.

Apart from the nonsense that the invoice should have been sent next week but pay now, the message is plausible as we know the Club has works in progress so might need a portable building.

Top West 50
1st Dec 2016, 14:30
May I add myself to the "small list of members?"

Top West 50
1st Dec 2016, 14:34
Further, my Outlook spam filter junked it but my Android phone allowed it.

ICM
1st Dec 2016, 14:34
.. and me too, twice.

Thomas Woodrooffe RN
1st Dec 2016, 14:47
Of course, the big question is how did the scammer get the list of email addresses, or was he/she just lucky. Also is it just email addresses?

Savanna Dry
1st Dec 2016, 14:58
I posted this under the Royal Air Force Club about the same time as you PN. Being a new name here it had to be cleared by the mods so sorry for the duplication.

So yes. One is one of the few! Exactly as quoted by CGB. Twice. No I didn't open the link either. I did contact the Club. Sorry, but someone had to. Guess there were many.

Stuff
1st Dec 2016, 15:22
+1 for getting the spam.

Gmail automatically flagged it as malicious and dropped it into the spam folder.

The Club saying "a small number" is not the same as saying a small percentage.

Even if the hack exposed every member email it would still be a "small number" when compared to, say, the TalkTalk hack.

Also, saying the email didn't come from the Club server is technically true if you take that to mean the Club SMTP server did not transmit the spam, but that's not the same as saying the Club server was not the source of the leak in the first place.

I strongly suspect the Club server was compromised and the entire membership database has been taken.

Hastalavista
1st Dec 2016, 15:29
I was one of the "small number" - got the message about the invoice twice around 10am, with neither message being caught by the spam filter. Tried to warn the Club but the phone lines were (not surprisingly) busy and then received the Club's warning message.

Pontius Navigator
1st Dec 2016, 15:47
Stuff, good point.

Hasta, I got through not long after 9

Savannah, no problem, I just thought a separate thread specific to the hack. Of course being moderated would have delayed you anyway.

Melchett01
1st Dec 2016, 16:04
+1 here too. Picked it up on my phone, surprised it got round the spam filter.

But more to the point, if the RAF Club's accounts / servers have been hacked, what personal data other than email addresses are now compromised? It would be a reasonable assertion for anyone with malicious intent to assume that there will be a fair number of members who are currently serving as well as retired. Are their home addresses now compromised? Would be worth the RAF Club investigating the extent to which their systems have been compromised in case it was a deliberate attempt rather than a lucky spamming operation.

izod tester
1st Dec 2016, 16:17
I received this email too, but as I had just checked out of the club I knew immediately that it was fake. For interest, the actual smtp server it came from was:

Received: from mail80.suw17.mcsv.net ([198.2.181.80]:31442) by mx04.mail.eu.clara.net
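The header check suggested in the posts above, as an added example that is not part of any poster's message: it compares the domain of the From address and the host recorded in the trusted Received line against the domain the mail claims to represent. The Received line is the one quoted in the thread; the From address is a constructed placeholder (the thread shows it obfuscated), and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: only the Received line comes from the thread; the
# From/To addresses are placeholders.
SAMPLE = """\
Received: from mail80.suw17.mcsv.net ([198.2.181.80]:31442) by mx04.mail.eu.clara.net
From: "RAF Club" <accounts@sender.example>
To: member@recipient.example
Subject: Invoice INV-01823 (Amended)

Dear Customer,
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)\s+\(.*?\[(?P<ip>[0-9a-fA-F.:]+)\].*?\)\s+by\s+(?P<by>\S+)",
    re.S)

def received_hops(msg):
    """Return (sending host, sending IP, receiving host) per Received header."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m["host"].lower(), m["ip"], m["by"].lower()))
    return hops

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def check_sender(raw, expected_domain, trusted_mx_domain):
    """List reasons the message does not look like it came from expected_domain."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    if not in_domain(from_domain, expected_domain):
        findings.append(f"From domain {from_domain!r} is not {expected_domain!r} "
                        f"(display name {display!r})")
    # Only the line written by the recipient's own MX is trustworthy; lines
    # below it, and the host name in any line, can be supplied by the sender.
    hop = next((h for h in received_hops(msg) if in_domain(h[2], trusted_mx_domain)), None)
    if hop is None:
        findings.append("no Received header written by the trusted MX")
    elif not in_domain(hop[0], expected_domain):
        findings.append(f"handed to {hop[2]} by {hop[0]} [{hop[1]}], outside {expected_domain!r}")
    return findings
```

Calling `check_sender(SAMPLE, "rafclub.org.uk", "clara.net")` returns two findings. A mismatch is a signal rather than proof, since organisations do send through third-party mail services.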

MACH2NUMBER
1st Dec 2016, 16:35
Fortunately not received this SPAM yet. On the other hand had a great stay at the Club last week. It keeps getting better, though bookings need to be made much earlier.

kenparry
1st Dec 2016, 16:44
+1 for getting the spam.

Gmail automatically flagged it as malicious and dropped it into the spam folder.

Same here.

Pontius Navigator
1st Dec 2016, 17:09
RAF Club members emailed fake invoices. Has it been hacked? • The Register (http://www.theregister.co.uk/2016/12/01/raf_club_fake_invoice_emails/)

This was posted a short while ago

Jamieone
1st Dec 2016, 17:13
My father is staying with me this week and we (both members) received the spam early this morning. As far as spam goes it is moderately plausible in form if not substance - it seems dad in a pre-caffeine morning daze was nearly fooled into clicking on the link.

I stayed at the Club around 4 weeks ago but it sounds as if there is no obvious nexus between those affected and recent use of the facilities.

Colonal Mustard
1st Dec 2016, 18:21
It is extremely easy to identify people who belong to various MOD organisations or have links to them from the past.....many people put details of past and current careers on the likes of LinkedIn or Facebook and a simple organisation search reveals that, and most importantly their email address...

Scammers will also gather phone numbers from these sites or CVs that people have previously listed on jobsites and will check them against sites such as www.truecaller.com (check your own number) it will list your phone network provider and in some cases your personal details which makes spam texting even easier to spoof.

I don't have any connection with the club but this would appear that ex military and members of the club are being targeted as part of an organised effort to get you all to "click a link" and enter your login details or install ransomware, just be extra cautious of suspicious emails.

I would urge you all to report all suspicious emails to Action Fraud (http://www.actionfraud.police.uk) (the right hand link) so that a true picture can be established or simply forward them to

[email protected]

I would doubt the club has been hacked but someone has done some harvesting of email addresses.

You can also read up more in the little book of cyber scams published on the Met Police website here http://www.met.police.uk/docs/little-book-cyber-scams.pdf

Blanket Stacker
1st Dec 2016, 18:56
Gmail picked mine up as well.

Colonal Mustard
1st Dec 2016, 19:25
Just as an example I searched "People who work (or used to work) at Royal Air Force" on LinkedIn and it came up with 32,465 examples...many of those have emails, simple scraping software will easily create a database to email from

This is one example https://www.atompark.com/web-email-extractor/extract-form-linkedin/

Lima Juliet
1st Dec 2016, 19:41
+1 as well (twice)

That small number of members affected is getting larger!!

LJ

cyclic35
1st Dec 2016, 20:00
RAF Club members emailed fake invoices. Has it been hacked? • The Register (http://www.theregister.co.uk/2016/12/01/raf_club_fake_invoice_emails/)

This was posted a short while ago

This extract was just received from the Club which might be of help:-

"We believe it is solely email address data that has been compromised, with no address, membership, financial or personal details at risk. The fraudulent email originated from the email address: [email protected]. This is NOT a Club email address.

The Club has sought advice from an independent anti-fraud specialist (Club member) and the recommendation to members as a precautionary measure is to:
• Change the password on any email accounts (work or personal) associated with their RAF Club membership profile
• Change the password on their RAF Club online account at www.rafclub.org.uk
• Be vigilant for any unusual online activity or unexpected emails
• Ensure any Anti-Virus software is up to date

The matter is under Police investigation and has been reported to the National Cyber Security Centre (NCSC)."

NutLoose
1st Dec 2016, 20:20
Well as the National Lottery users were hacked and I would think their site was a lot more secure, it does not surprise me.

The apparent leak of the email list is bad but if the membership list has been accessed, the details of many hundreds of serving and former RAF officers and airmen could now be in the hands of criminals – or worse. At the moment, however, there is no indication that this incident involves more than just the RAF Club's email list

From PN's post, I would doubt there was many of those on the list.

Hope no one is out of pocket.

Vp if you responded to the email, one fears the beers are sadly on you in some scumbag corner of this world we live in. :(

m0nkfish
1st Dec 2016, 20:54
FWIW all the information in an e-mail header can be manipulated by an unscrupulous person. The club have been very good in being open and honest about this straight away, many organisations would not be as proactive in letting their customers/clients know of the possible breach.

The link in the e-mail loads a javascript file that identifies as ransomware on my virus scanner. If you have clicked on it then I would make sure you have a valid backup of your important data and roll back to prior to clicking the link if you are able.

Find out where else your details might have been leaked here:

https://haveibeenpwned.com

212man
2nd Dec 2016, 10:09
I got it too....

MPooley
2nd Dec 2016, 11:05
The Club appreciates your concern and is continuing to work with the authorities to get more information and Club Members will be advised if anything further comes to our attention.

Pontius Navigator
2nd Dec 2016, 13:57
MPooley, for those that don't know, is the Club Secretary.

Brain Potter
2nd Dec 2016, 18:28
I got the scam email, but haven't used the club recently.

EnigmAviation
3rd Dec 2016, 07:49
I got it but McAfee Total Protection quarantined the email immediately as a security risk, then I deleted it, thus no problem. Then I got the official RAF Club email stating that there had been a problem.

Pontius Navigator
3rd Dec 2016, 08:13
In contrast Mailwasher flagged it as good and Zone Alarm passed it. Naturally I didn't click the link but my first reaction had been that the Club had sent me a genuine but erroneous bill for a previous but cancelled visit. My Club dues are not for that amount and are not yet due.

rolling20
3rd Dec 2016, 13:32
Having attended the club the previous Friday and the fact that I was awaiting email confirm from them for a room cancellation, it did not occur to me that it was a fake/scam. Straight into my inbox with no indication it may be suspect and duly opened. The club's constant engaged tone indicated it wasn't just me that had the issue. I did eventually leave a message, no one came back and I don't think I had the email from the club until later in the day, confirming a scam etc. Major breach one would suspect and we need to be told, why, how, where from and preventative measures.

Gericault
3rd Dec 2016, 17:10
I received the two emails but the language seemed wrong and even though I stayed last week and paid a similar size bill, I avoided the initial temptation to open it. Hope there are no other personal details that have been compromised.