Hi @MFTnhs, I received an SMS from an unknown number purporting to be "From Manchester University Foundation Trust". It may be a phishing attack. But there are hints it might be genuine. A thread. #Phishing #SMishing 1/20
@MFTnhs Yesterday, I received an SMS from 07860 039092: Here's a screenshot (with personal details redacted)... 2/20
@MFTnhs This looks to be taken verbatim from page 2 of the playbook of how to scam an unwary person. #MadeUpBook but you get my point. See e.g. moneyadviceservice.org.uk/blog/how-to-sp… 3/20
@MFTnhs The reason I didn't immediately ignore this is that the /exact/ same SMS arrived on my wife's phone -- now why would that be? It is perhaps the _only_ immediate indication that this SMS might in fact be genuine. 5/20
@MFTnhs So here follows my breakdown of what I think is wrong with this picture... 6/20
@MFTnhs There is no easy way to verify the number the message is sent from. (SMS numbers are easy to fake; there are a number of websites which provide this service; no, I'm not going to link them here.) 7/20
@MFTnhs Even if you can trust the number (the CLI, Caller Line Identity), the message I received comes from a number I've never seen before. I don't know who it's from and I can't know who it's from anyway. 8/20
@MFTnhs This SMS contains a link. I might click on it while scrolling. That's annoying, yes, but the worst is yet to come... 9/20
@MFTnhs The link is a site in this domain: nhs.my. NB NOT nhs.uk but https://t.co/yzPlbuwllZ. The UK domain https://t.co/cEcGKKmkv6 is registered (in the UK) through Nominet. You can see the NHS owns it. That looks good and is as it should be. 10/20
@MFTnhs This domain, the Malaysian domain: nhs.my. This is NOT registered in the UK. It is registered in Malaysia (.my is the Top Level Domain for Malaysia). This... is a Malaysian domain. 11/20
@MFTnhs At this moment, nhs.my points to a server in London which also serves 348 other websites from the Microsoft cloud. 12/20
@MFTnhs If I follow the link (carefully) I am redirected to a site called my.drdoctor.co.uk. What's that? I've never heard of it! Sounds more like it's come from 1001 Jokes For Kids: Dr Doctor, I can't tell if my traffic is getting through. Oh I see, try some TCP. 13/20
@MFTnhs The domain my.drdoctor.co.uk resolves to an IP address. A server running in the cloud, in this case Microsoft's Azure. 14/20
@MFTnhs After much dig-ging I think I believe that this probably always resolves to a UK server based in London. Points for Data Residency. (Probably). 15/20
@MFTnhs The website my.drdoctor.co.uk has an X.509 certificate issued by Sectigo Limited. But the certificate is only a Domain Validation. This is the lowest validation out there. 16/20
@MFTnhs There is no Organisational or Extended Validation (OV/EV). Anyone can buy a domain like drdoctor.co.uk from 99p. And a domain validation certificate can be obtained without further proof of anything. I still do not know anything about my.drdoctor.co.uk 17/20
@MFTnhs When I eventually process all of this and point my browser at the page I get an NHS branded page asking me to enter personal data. 18/20
@MFTnhs So when I receive a text from an unknown, unverifiable source, containing a Malaysian URL purporting to be the NHS, pointing to an NHS-branded web page that is not nhs.uk and that I've never heard of, do I really enter my personal details? 19/20
@MFTnhs AND @WeAreDrDoctor doesn't even have a blue tick! You might be forgiven for wondering why there's so much identity theft out there on the interwebs. Here is an example of personal necessity trumping good internet hygiene. Now wash your hands. Message ends. 20/20
PS, @MFTnhs, I asked my GP to find out if this was indeed an authentic SMS. I'm still waiting. Why couldn't you just carve off some part of the nhs.uk domain and delegate? You trust your outsourcing & I trust you. drdr.nhs.uk'd be much more authentic.
PPS @MFTnhs @WeAreDrDoctor, This is what the National Cyber Security Centre, @NCSC, has to say on the matter. Read it! Their advice is likely to be more up-to-date than the witterings of a grumpy old self-acclaimed cybersecurity expert. ncsc.gov.uk/guidance/suspi…
PPPS the SMS in question triggers at least 3 of the 5 telltale signs of a fraudulent SMS. In my case: Authority, Emotion, and Current Events. And one could easily imagine that Scarcity and Urgency are always relevant in any health related communication.
Got a response from my GP. They've not heard of drdoctor. So I've tried the @MFTnhs PALS email🤞. Unfortunately I likened this to the recent HMRS scams. *#HMRS* damn! I'm pretty sure Historical Model Railway Society isn't going to be the target of £'000000+ of fraud. #NoOffence
@MFTnhs Data Wars the saga continues... (another thread) 1/22
It's a week later. I managed to get in touch with the @MFTnhs's Patient Liaison Service (PALS). They have been very helpful. 2/22
They were in the process of forwarding my mistrust of the entire system to their IT dept and Data Governance dept. #GoodResult. 3/22
They also wanted to speak. We had a telephone conversation. . o O ( Telephones, remember them? I can dial your number and be reasonably certain I'm speaking to the right person/office. ) 4/22
They were able to see that an appointment letter had been issued on the same day as the original SMS. OK, so this is still not a guarantee that Drdr isn't a rogue site... 5/22
Or even that, if legitimate, parts of Drdr's site haven't been compromised. But with the story so far, some internet rummaging, and an anecdote from one of their officers who had used the system... 6/22
I'm starting to believe. 7/22
I'm building up a web of trust (It's an odd one certainly but that's what it smells like). I decide to risk the Drdoctor site. 8/22
So, I follow the link, and give up my DOB, name and postcode. 9/22
Then this (I had to zoom out to capture all the detail in 3 separate screenshots!). 10/22
I know with all this focus on data protection, this is the world we now live in, but my goodness! Do I really need to have a law degree to accept a letter from the @NHS! 11/22
...What the hell even is "Legitimate Interest"? 12/22
...I get that you promise not to "sell" my data to third parties but a few lines later you detail how you may "share" it with some third parties. 13/22
...I presume the contract you have with them is watertight? That they may not pass on data that you have shared with them about me? 14/22
...Formstack LLC, MessageBird Ltd, Twilio inc, Mandrill/Mailchimp, Other technology services, Google Analytics, Welcome to the party! 15/22
...Or is this a divergent rabbit hole? Does everyone share my data with everyone else now? 16/22
Oh and if you sell-yourselves/get-sold to some other company then they will see my data! Does that constitute selling my data? If I sell a cookie jar of cookies, am I not selling the cookies too? 17/22
As I implied above, I don't have a legal degree. All these terms are baffling and not a little scary, and this is just to press the doorbell to see what might lie beyond. 18/22
So to summarise (1/2): dangerous SMS from unknown number leads to foreign site directing me to unknown company dressed as @NHS asking for personal data to see a letter I'm not expecting, but nevertheless one that I want to see. 19/22
Summary cont. (2/2) To proceed I *must* "Accept" a monolithic set of terms and conditions which I don't really understand so I can read said letter from my doctor asking me to come to an appointment. 20/22
I couldn't press "Agree" at this point. I might bring myself to press an "Agree under duress" button. 21/22
I went back to the original SMS and replied "PRINT" to request a printed copy. What the heck, they have my number now. 22/22
PS. A letter, in 2021. I bet it comes by fax!
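The two checks the thread works through by hand, whether the SMS link sits under a domain the recipient actually trusts and whether the landing site's certificate is merely domain-validated or binds a vetted organisation (OV/EV), written up as a small triage helper. This is added example code, not from the thread's author, the NHS trust or DrDoctor; it assumes nhs.uk as the only trusted suffix, an assumed `policy_oids` field alongside a `getpeercert()`-style subject, and a constructed sample certificate.

```python
from urllib.parse import urlsplit

# Assumption: the only suffix the recipient trusts for this sender is nhs.uk,
# which the thread notes is registered to the NHS through Nominet.
TRUSTED_SUFFIXES = ("nhs.uk",)
EV_POLICY_OID = "2.23.140.1.1"  # CA/Browser Forum EV policy OID

def is_under_trusted_suffix(host, trusted=TRUSTED_SUFFIXES):
    # Exact match or a true subdomain: nhs.my, fakenhs.uk and nhs.uk.example.net all fail.
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in trusted)

def classify_link(url, trusted=TRUSTED_SUFFIXES):
    """Findings for a URL received over SMS: host, its TLD, and trust."""
    host = (urlsplit(url).hostname or "").lower()
    return {
        "host": host,
        "tld": host.rsplit(".", 1)[-1] if "." in host else "",
        "trusted": is_under_trusted_suffix(host, trusted),
    }

def classify_cert_validation(cert):
    """Heuristic DV/OV/EV classification. 'subject' follows the layout of
    ssl.SSLSocket.getpeercert(); 'policy_oids' is an assumed extra field holding
    the certificatePolicies OIDs, which getpeercert() does not expose."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    if EV_POLICY_OID in cert.get("policy_oids", ()):
        return "EV"
    if "organizationName" in subject:  # OV binds a vetted organisation name
        return "OV"
    return "DV"  # only control of the DNS name was proven

def triage(url, cert, trusted=TRUSTED_SUFFIXES):
    """List the reasons not to enter personal data on this link yet."""
    link = classify_link(url, trusted)
    reasons = []
    if not link["trusted"]:
        reasons.append(f"host {link['host']} (TLD .{link['tld']}) is outside {trusted}")
    if classify_cert_validation(cert) == "DV":
        reasons.append("certificate is domain-validated only; no organisation was vetted")
    return reasons

# Constructed sample: a DV certificate for the landing host named in the thread
# (2.23.140.1.2.1 is the CA/Browser Forum DV policy OID).
SAMPLE_DV_CERT = {
    "subject": ((("commonName", "my.drdoctor.co.uk"),),),
    "policy_oids": ["2.23.140.1.2.1"],
}
```

Running `triage("https://nhs.my/abc", SAMPLE_DV_CERT)` reproduces the thread's two findings; a link under drdr.nhs.uk with an OV certificate returns an empty list.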