Wednesday 6 May 2015

Email from Transport for London

It isn't, of course. But it's an interesting email.

First, I notice that it's apparently from, and it really is from, I checked the header. Genuine emails from TfL (Transport for London) aren't. But they've gone to the trouble of registering the domain name, and given to the domain registrar, the true name, address and email for TfL,; 50 Victoria Street, London.

But they could have made the from-address look as if it had come from Maybe they don't know how? It's easy, and they should have done it to make their email look more realistic.

The payload of the email is a DOC file, and the email advises you to open is with Microsoft Word. The first DOC file virus was Winword.concept, and that came out in 1995, 20 years ago. Would you believe that Microsoft Word, 20 years later, is still open to this sort of attack? Well, now you know. It is.

The DOC file isn't a virus, but it is malware. It downloads "Dridex", which grabs information when you access your bank. So someone else gets your bank login information. There's a huge long list of banks that it looks for, including Lloyds, Barclays and Natwest.

The last few lines reassure you that "This email has been scanned by the Symantec Email service." I've never understood why genuine companies put this sort of thing in their emails, when it's easy for malicious emailers to do the same thing. Are you reassured by seeing this? You shouldn't be, because it's just another thing that malicious emailers lie about.

Only Windows computers are at risk from this. Aren't you glad you're running Linux? But just in case you're not, be very very careful about emails that you get. Even if they seem to be from TfL.


  1. This article draws some incorrect conclusions and should probably be corrected, it may be confusing readers.

    Legitimate congestion charging emails DO originate from The spoof email is based on a real one, including headers. As such you are seeing headers and content from the real email along with more relating to the send of the spoof.

    The legitimate email is a PDF whereas the spoof is a DOC, that's the main distinction that should help the recipient decide.

  2. This comment has been removed by the author.