
has been hacked, change your password ASAP

This topic is closed.

  • has been hacked, change your password ASAP

    I have seen hundreds of these emails, it is obvious that this is spam, why are they getting through with a score of 0?


    As you may have noticed, I sent this email from your email account (if you didn't see, check the from email id). In other words, I have full access to your email account.

    I infected you with a malware a few months back when you visited an adult site, and since then, I have been observing your actions.

    The malware gave me full access and control over your system, meaning, I can see everything on your screen, turn on your camera or microphone and you won't even notice about it.

    I also have access to all your contacts.

    Why your antivirus did not detect malware?
    It's simple. My malware updates its signature every 10 minutes, and there is nothing your antivirus can do about it.

    I made a video showing both you (through your webcam) and the video
    you were watching (on the screen) while satisfying yourself.
    With one click, I can send this video to all your contacts (email, social network, and messengers you use).

    You can prevent me from doing this.
    To stop me, transfer $986 to my bitcoin address.
    If you do not know how to do this, Google - "Buy Bitcoin".

    My bitcoin address (BTC Wallet) is 1JYn9ayLDQdQSXKWkPECugjShKYqWzm7LA

    After receiving the payment, I will delete the video,
    and you will never hear from me again.
    You have 48 hours to pay. Since I already have access to your system
    I now know that you have read this email, so your countdown has begun.

    Filing a complaint will not do any good
    because this email cannot be tracked.
    I have not made any mistakes.

    If I find that you have shared this message with someone else, I will immediately send the video to all of your contacts.

    Take care

  • #2
    What does the SPAM event show for this email? /admin/
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email [email protected]


    • #3
      These emails also get past the O365 spam filter even though we do not see hundreds of them, just occasionally. I think the reason is that there's not much wrong with them. There are no links or anything else suspicious about those emails. They are just simple text messages. So as long as the sender's reputation is not flagged they will probably get through.


      • #4
        For me a good portion of these messages come with links in them, so I have mailflow rules there to nuke all of those.

        But the above? Users forward them to me from time to time, no attachments, no links... not much to make an automatic decision on, but it also means the user has to be smart enough to use a bitcoin wallet, but dumb enough to fall for the scam. Thus far, all I've been getting are users confused as to how to get a bitcoin wallet.

        I suppose this will be a larger problem in the future if more people start using bitcoin.

        I suppose you COULD filter based on bitcoin, and BTC Wallet, but that might be an issue in the future.
        Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
        Phone: 866-794-8879 x201
        Email: [email protected]


        • #5
          On further examination it looks as though they made it look like it was coming from our mail server.


          • #6
            Well then, why is your server accepting unauthenticated mail from authoritative domains? That's something it shouldn't do!

            And something you can and should fix!
            Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
            Phone: 866-794-8879 x201
            Email: [email protected]


            • #7
              We've been seeing more of these recently too. They do get past O365, Google, and even our 3rd party spam filter.

              I've looked at the headers for quite a few of these; they're not being relayed by the real mail server but are coming from compromised servers. In a lot of the cases they seem to be from compromised WordPress sites or poorly configured mail relays. They're basically spoofing the header.

              What's interesting is we and most of our clients have SPF records with hard fail and they still seem to slip through occasionally.


              • #8
                Originally posted by KnightWolf:
                    I've looked at the headers for quite a few of these, they're not being relayed by the real mail server but are coming from compromised servers.
                This doesn't matter. You know who the authorized senders are for your domain, and you can configure those servers to reject messages that claim to originate with your domain but don't actually come from one of those authorized servers.

                Probably the best way to accomplish this is to make sure all of your authorized servers DKIM sign their messages, and then publish a DKIM Reject policy in DNS for anything that's not signed. This can also produce a nice bump in your spam score, such that messages your organization sends to others are also much more likely to reach their destinations.
                Last edited by jcoehoorn; 05-22-2019, 01:02 PM.
                Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5.2 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty


                • #9
                  I suppose, now is the time to give away more valuable information...

                  So, if you're using Exchange 2016+ or Office 365, you need to open your admin panel for exchange, click mail flow on the left and make a new rule.

                  Name: Email Spoof Protection
                  Apply this rule if: Outside the organization
                  The sender's domain is:
                  Do the following: Generate incident report and send it to... whatever mailbox you want to get these reports
                  Deliver the message to the hosted quarantine
                  Except if: Feed this a list of /32 IP addresses you want to be able to send without authenticating, I use these so MOPIERS can scan to mail without mucking about with authenticating, it removes support tickets.
                  The sender's domain is: Insert list service domains that send on your behalf so your people can get the test mails.

                  Everyone should have such a rule... EVERYONE. And yeah, if you use Exchange via O365 and you don't have DKIM setup, you need to do that too, it's two DNS records... chop chop!

                  You can see here an example of this rule protecting an O365 user from the sort of spam listed in this OP, on Friday 5-17:

                  This email was automatically generated by the Generate Incident Report action.
                  Message Id: <[email protected]>
                  Sender: [email protected]
                  Subject: Hackers know password from your account. Password must be changed now.
                  Recipients: [email protected]
                  To: [email protected]
                  Properly configured mail servers > than spam filtration... these things don't happen by accident, it's our job to get it done people.

                  Oh and when you're making the mail flow rule don't forget to click the more options link at the bottom... FIRST... bad UI is bad, but that's the way it is.

                  But the bottom line is, no mail server should ever accept a message "from" a domain it's authoritative for, unless it's via an authenticated session. If it does, you open this door. Now you can't actually close this with O365, but you can use the rule above to ensure the messages are quarantined. You can also use this on more recent on premise Exchange servers instead of locking out things at the connector level, this provides some visibility.
                  Last edited by sky-knight; 05-22-2019, 03:26 PM.
                  Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
                  Phone: 866-794-8879 x201
                  Email: [email protected]