Jump to content
Sign in to follow this  
SpamCopAdmin

Phishing For Webmail

Recommended Posts

One of the webmail users has had his SpamCop Email account compromised and it has been sending spam. The user reacted immediately to change his password so the spammers can't get in anymore, and the spam has stopped.

I don't have any details, but it appears that a Phishing scam is in progress trying to get SpamCop Email Service users to reveal their password.

Jeff and Trevor on top of things.

- Don D'Minion - SpamCop Admin -

Share this post


Link to post
Share on other sites
Unbelieveble!

I got one (Phishing attempt)

http://www.spamcop.net/sc?id=z1815251962zd...;action=display

Pays to use a password saver like the freeware (for 20 passwords) one I suggest in my signature below

(webmail allows up to 30 alphanumeric keystrokes for a password this program will randomly create one for you

Example "GUeCUbPM3y9YiHGPzucNFv9a8tkzAK" this equates to 256 bit encryption)

Even if your computer (or others) is infected with spyware and keyloggers you passwords remain secure

This is a German program I'm just a user of

Ideally have it run from a USB type drive and you can securely access any password protected site from any windows computer

Edited by petzl

Share this post


Link to post
Share on other sites

I'm kind of at a loss here. I don't see any evidence of a compromised SpamCop.net e-mail account in your Tacking URL example. I assume the munged portion in the body was once a URL, so would agree with the phishing attempt.

What I think is happening here is that Don described multiple issues .. one, a compromised account ... the other being the phishing spam. The spam being discussed over in the newsgroups allegedly from the compromised account is a Lottery type spam.

Share this post


Link to post
Share on other sites

What I think is happening here is that Don described multiple issues .. one, a compromised account ... the other being the phishing spam. The spam being discussed over in the newsgroups allegedly from the compromised account is a Lottery type spam.

Rarely look in "newsgroups"

What I received was Phishing spam asking for password (so dumb I doubt if it would fool anyone?)

Compromised accounts are usually got by Trojans/zombies and even with all the precautions I take I still get the odd "backdoor" program finding its way onto my computer (I become aware when firewall alerts me but are often on a timedelay activation) I also have them uncovered by occasional check by alternate detectors such as Search & Destroy I presently use windows Live onecare OK when I first got it but now just become bloatware (still works well/effectively but now too system heavy. Not a help with a aging Laptop I'm hanging out for a quad laptop)

At any-rate I do not believe it is safe to store passwords on a windows computer anymore and strongly recommend better protection such as Password Depot

*so far* cannot be accessed by "backdoor" spyware/keyloggers on any windows computer

(IMO the one to beat and it is freeware for 20 passwords of easy to use and can be of very high complexity. Limited only by the restrictions of password complexity offered by "URL" with webmail it is 30 alphanumeric lower/Uppercase (not sure about "=" keys etc)

Edited by petzl

Share this post


Link to post
Share on other sites
I don't see any evidence of a compromised SpamCop.net e-mail account in your Tacking URL example.

Here's something that may or may not be related....for those who can, do a reporting History lookup on the IP of the host that transmits mail from SC email users: 216.154.195.49

I just found the following items reported by SC reporting users attributed to that IP, which is the one I use to send most of my email from!

Submitted: Tuesday, April 22, 2008 5:47:32 AM -0700:

Funds Willed To You(Contact My Bank)

* 3046170822 ( 216.154.195.49 ) To: mailsys#admin.spamcop.net[at]devnull.spamcop.net

* 3046170821 ( 196.3.61.4 ) To: stf[at]starcomms.com

* 3046170820 ( 196.3.61.4 ) To: abuse[at]starcomms.com

Submitted: Tuesday, April 22, 2008 5:45:56 AM -0700:

I Have Donated My Everything, Contact My Bank Now

* 3046165682 ( 87.106.129.206 ) To: postmaster[at]oneandone.net

* 3046165680 ( 87.106.129.206 ) To: abuse[at]schlund.com

* 3046165672 ( 87.106.129.206 ) To: abuse[at]schlund.de

* 3046165669 ( 87.106.129.206 ) To: abuse[at]oneandone.net

* 3046165667 ( 87.106.129.206 ) To: abuse[at]1and1.com

* 3046165666 ( 216.154.195.49 ) To: mailsys#admin.spamcop.net[at]devnull.spamcop.net

Submitted: Tuesday, April 22, 2008 4:18:19 AM -0700:

Delivery Status Notification (Failure)

* 3045926780 ( 216.154.195.49 ) To: mailsys[at]admin.spamcop.net

Submitted: Tuesday, April 22, 2008 12:46:30 AM -0700:

HELLO

* 3045431467 ( 216.154.195.49 ) To: mailsys[at]admin.spamcop.net

Submitted: Monday, April 21, 2008 10:00:39 PM -0700:

*******YOUR EMAIL WAS SELECTED*******

* 3045108700 ( 216.154.195.49 ) To: mailsys[at]admin.spamcop.net

Submitted: Monday, April 21, 2008 8:21:04 PM -0700:

Funds willed to you (Please Contact my Bank)

* 3044957490 ( 65.49.14.21 ) To: abuse[at]rogers.com

* 3044957487 ( 216.154.195.49 ) To: mailsys#admin.spamcop.net[at]devnull.spamcop.net

Submitted: Monday, April 21, 2008 8:21:04 PM -0700:

Funds willed to you (Please Contact my Bank)

* 3044957185 ( 216.154.195.49 ) To: mailsys#admin.spamcop.net[at]devnull.spamcop.net

* 3044957173 ( 196.3.61.4 ) To: stf[at]starcomms.com

* 3044957167 ( 196.3.61.4 ) To: abuse[at]starcomms.com

Submitted: Monday, April 21, 2008 6:17:19 AM -0700:

REFERENCE NUMBER: MA/02/453876752/NL

* 3047098875 ( 216.154.195.49 ) To: mailsys[at]admin.spamcop.net

Submitted: Monday, April 21, 2008 6:17:15 AM -0700:

REFERENCE NUMBER: MA/02/453876752/NL

* 3047097752 ( 216.154.195.49 ) To: mailsys[at]admin.spamcop.net

So those of us who are paying to use SC webmail and SMTP services are being associated with that kind of outbound spew! Not good. :excl:

DT

Share this post


Link to post
Share on other sites

Do we have any info on what is the trojan, so we can find if our antivirus is ready for it?

I changed my password a couple of weeks ago, when I thought the last login time and node looked fishy.

But my "antivir" has still not found any problem since then... and I haven't noticed a recurrence.

--Richard

Share this post


Link to post
Share on other sites
Do we have any info on what is the trojan, so we can find if our antivirus is ready for it?

I changed my password a couple of weeks ago, when I thought the last login time and node looked fishy.

I don't think anyone has been looking further into the problem. As for the junk that's being reported as coming from the SpamCop email system, I'm guessing that a SpamCop email customer has an infected computer that is bouncing messages through the SMTP to spamtrap addresses. If that's the case, you wouldn't see a "login" on the webmail associated with the problem.

DT

Share this post


Link to post
Share on other sites
I don't think anyone has been looking further into the problem.

Hard to discern from this side of the screen, but the devnull address does tend to suggest that there aren't any notifications being made to the paid staff.

As for the junk that's being reported as coming from the SpamCop email system, I'm guessing that a SpamCop email customer has an infected computer that is bouncing messages through the SMTP to spamtrap addresses. If that's the case, you wouldn't see a "login" on the webmail associated with the problem.

Based on the timing involved from the current History of user Reports, that doesn't seem to be a hard to make interpretation. This would seem to be an action item for both sides of the SpamCop.net system to get involved with ... Don/Deputies checking for the Received stuff, JT/Trevor on the outgoing. I recall asking a while back on changing the Reporting address for one of JT's servers, the datacenter was listed as the Reporting target, but have received no feedback on whether that happened or not.

Share this post


Link to post
Share on other sites
One of the webmail users has had his SpamCop Email account compromised and it has been sending spam. The user reacted immediately to change his password so the spammers can't get in anymore, and the spam has stopped.

Except that now it has started up again, with a vengenance! Mail sent from our SpamCop Email System accounts was being actively blocked by Barracuda Networks (they sell and support spam firewalls) due to a new flow of spam coming from what appears to be a compromised SC email account. See my other thread on this topic.

DT

Share this post


Link to post
Share on other sites
a new flow of spam coming from what appears to be a compromised SC email account.
That's exactly what is happening.

Another SpamCop Email user has responded to the phishing spam and given up his password. The spammer has been logging into the user's account and sending spam.

This is the same problem as before.

Jeff is on top of things.

- Don D'Minion - SpamCop Admin -

Share this post


Link to post
Share on other sites
Jeff is on top of things.

Glad to hear it....but it would be nice if he could respond to the trouble ticket I opened yesterday morning about this issue, given that I got Barracuda Networks to unblock the SpamCop server.

update: I just received a phone call from one of the admins at Barracuda Networks, clarifying their recent blocking of the SpamCop Email System IP. Seems there's a bit of sensitivity WRT blocking a competitor (Ironport) so they wanted to make sure I was fully informed.

another update: Jeff responded today with a "thanks" for my intervention with Barracuda.

DT

Edited by DavidT

Share this post


Link to post
Share on other sites
What I received was Phishing spam asking for password (so dumb I doubt if it would fool anyone?)

I just received one of these phishing emails. The phishing is so obvious (especially being sent to a relatively savvy audience), I wonder if the purpose is to sow mistrust of SC's webmail login which is included as an alternative to replying to that bogus support account. I know it took me a while to be sure the link was not a phishing link. Perhaps this is a psy-op attack?

Share this post


Link to post
Share on other sites
Except that now it has started up again, with a vengenance! Mail sent from our SpamCop Email System accounts was being actively blocked by Barracuda Networks (they sell and support spam firewalls)

Based on the bounced spam I am receiving I'm not that empressed with Barracuda. A large number of the current blow-back is coming from one of their products.

Share this post


Link to post
Share on other sites
Based on the bounced spam I am receiving I'm not that empressed with Barracuda. A large number of the current blow-back is coming from one of their products.

Those "products" are being misused. I know that the Barracuda recommends configuring their boxes *not* to send backscatter. I've read that they've changed the default settings to prevent backscatter. Here's the WP link:

http://en.wikipedia.org/wiki/Barracuda_Networks

I've used Barracuda boxes at two different providers and am thrilled with the reduction in spam.

DT

Share this post


Link to post
Share on other sites
I've used Barracuda boxes at two different providers and am thrilled with the reduction in spam.

I guess how thrilled you are depends which side of who's screen you are on. But I have received evidence to support Barracuda's reductions of spam for their clients.

Share this post


Link to post
Share on other sites
I just received one of these phishing emails. The phishing is so obvious (especially being sent to a relatively savvy audience), I wonder if the purpose is to sow mistrust of SC's webmail login which is included as an alternative to replying to that bogus support account. I know it took me a while to be sure the link was not a phishing link. Perhaps this is a psy-op attack?

Yep spammer is Phishing again

http://www.spamcop.net/sc?id=z1875821902zc...;action=display

A lot of SpamCop users are children so what is obvious to most may fool some kids

Share this post


Link to post
Share on other sites
...A lot of SpamCop users are children so what is obvious to most may fool some kids
Good point - I didn't know that.
... I wonder if the purpose is to sow mistrust of SC's webmail login which is included as an alternative to replying to that bogus support account. I know it took me a while to be sure the link was not a phishing link. Perhaps this is a psy-op attack?
Looking at petzl's example1 I think the log-in alternative method is just human factors engineering - "I can log in at (what I recogize as) the real log-in address, this must be real, I think I'll save time/do it now and fill in the blanks and hit reply!" Same reasoning behind the copyright symbol - to allay suspicion. Proof of the pudding ... it works - a little bit. They don't need many successess to do enough to needle SC, affect trust with other networks. Presumably Yahoo, at least, would understand since they provide the drop box for this phish.

1Buggers still can't spell, can they, even with spelling and style tools just a click away? Characteristic of the breed.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×