
Continuing problems after a phishing attack
Posting Junkie
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
Jul 14, 2014, 09:15 AM
 
At some point, my wife succumbed to a phishing attack, giving someone her gmail account details. Since then we've changed passwords and set up 2-step verification with Google, but the issues persist. Whoever got into her account pulled her whole address book, and occasionally sends more phishing emails to people from that address book with my wife's email address as the return path, so now everyone thinks the emails are coming from her.

When the phishing attack first happened, I was able to find the IP address that accessed her account but since then no one else has accessed it. Clearly they just pulled her name, email address, and address book and they're hitting it sporadically.

Here's what part of the header looks like:

Code:
Return-Path: <[wife]@gmail.com>
Received: from webmail.eracom.ch (webmail.eracom.ch. [62.220.129.11])
        by mx.google.com with ESMTP id ex5si9328362wib.25.2014.07.13.23.53.04
        for <multiple recipients>;
        Sun, 13 Jul 2014 23:53:05 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning [wife]@gmail.com does not designate 62.220.129.11 as permitted sender) client-ip=62.220.129.11;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning [wife]@gmail.com does not designate 62.220.129.11 as permitted sender) smtp.mail=[wife]@gmail.com;
       dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
So it looks like Google knows the message is a fake, and when viewing the message in Gmail's webmail, it's able to warn users that the email is not legit, but in any other mail client there's no such warning and we have no idea who's getting these emails.

Is there any solution to this besides creating a new email address and telling her entire address book to disregard the old one? Emails are going to friends, neighbors, family, and professional contacts with her name on them.
     
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Jul 14, 2014, 03:24 PM
 
We won't judge you for falling for it Lam. No reason to throw the wife under the bus.
     
Games Meister
Join Date: Aug 2009
Location: Eternity
Jul 14, 2014, 03:26 PM
 
Originally Posted by subego View Post
We won't judge you for falling for it Lam. No reason to throw the wife under the bus.
     
Administrator
Join Date: Jun 2000
Location: California
Jul 14, 2014, 06:40 PM
 
All contacts will continue to get fake emails from your wife for a long time. If even one buys something, the email volume will increase to everyone.

Yes, get her a new address and notify everyone. Except Aunt Edna, who sends all those links for you to (not) read. Keep the old account in case she registered with any services through it. At least until you are certain you've updated all such services to the new email.
     
Addicted to MacNN
Join Date: Feb 2008
Location: Standing on the shoulders of giants
Jul 16, 2014, 04:13 PM
 
Contact the abuse mailbox, they might be able to do something.

62.220.129.11/webmail.eracom.ch IP Address Whois | DomainTools.com
     
Laminar  (op)
Posting Junkie
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
Sep 7, 2014, 09:47 AM
 
Just got hit again.

Code:
Received: from BN1AFFO11FD013.protection.gbl (2a01:111:f400:7c10::111)
        by BLUPR05CA0074.outlook.office365.com (2a01:111:e400:855::44)
        with Microsoft SMTP Server (TLS) id 15.0.1024.12 via Frontend Transport;
        Sun, 7 Sep 2014 13:23:56 +0000
Received: from vps.winterhost.com (207.58.164.49)
        by BN1AFFO11FD013.mail.protection.outlook.com (10.58.52.73)
        with Microsoft SMTP Server (TLS) id 15.0.1019.14 via Frontend Transport;
        Sun, 7 Sep 2014 13:23:56 +0000
Received: from [37.140.119.36] (port=50838 helo=thebicycleaccident.com)
        by vps.winterhost.com with esmtpa (Exim 4.82)
        (envelope-from <wife@gmail.com>)
        id 1XQcRf-0000WL-2o; Sun, 07 Sep 2014 09:23:55 -0400
The email contained nothing but a link:
Code:
http://secure.hostexper.com/wc/mqfkejazwak.hnxhxxx
(I added "xxx" onto the end of the link. If you really want to click it, remove those.)
( Last edited by Laminar; Sep 7, 2014 at 03:36 PM. )
     
Laminar  (op)
Posting Junkie
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
Sep 7, 2014, 09:50 AM
 
So really, there is no good solution here. We can create a new email address and transfer everything over to that address without too much issue. We would then have to email every single person in her contact list and let them know to disregard the old email address. I'm not sure what the take % on that would be, but I assume not great.

She would start using her new email address, but there's no guarantee contacts wouldn't still try to email her old address (I guess we could set up forwarding). The attackers would still send emails to her contacts care of her old address, and there's no guarantee that anyone would remember to disregard it if it only happens once every few months.

So basically we're shit out of luck.
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Sep 7, 2014, 01:26 PM
 
Laminar: one reason why having a you@yourdomain.com as a redirect to another account is nice.
     
Administrator
Join Date: Jun 2000
Location: California
Sep 7, 2014, 01:36 PM
 
Originally Posted by Laminar View Post
Just got hit again.

The email contained nothing but a link:
Notice that the link contains a random sequence of characters? (mqfkejazwak) Each person they spam gets a link with a slightly different URL. So they can match clicks vs email addresses. By clicking it, you just confirmed her email address is 'hot' - read by a real person. Posting it here means lots more people may click that exact link. Expect more spam.

Don't follow links in spam. Not even unsubscribe links, unless it's a major retailer or someone she's done business with before.
     
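reader50's point, that each recipient gets a link differing only in its random token so that clicks can be matched back to addresses, can be confirmed mechanically when more than one recipient forwards their copy. The following is an added example, not from any poster in this thread: the hostname and two of the three tokens are constructed, and only the URL shape (a random token as the last path component) follows the link quoted above. It compares the reported copies, finds the one path component that varies, and extracts each recipient's token.

```python
"""Confirm a per-recipient tracking token in a lure link by comparing recipients' copies.

Added example. REPORTED_LINKS is constructed: the host is made up and two of the
three tokens are invented; only the URL shape follows the link quoted in the thread.
"""
from urllib.parse import urlsplit

REPORTED_LINKS = {
    'alice@example.net': 'http://secure.lure.example/wc/mqfkejazwak.hnx',
    'bob@example.net': 'http://secure.lure.example/wc/pzqtwveorlc.hnx',
    'carol@example.net': 'http://secure.lure.example/wc/kdhsbnxoaye.hnx',
}


def split_url(url):
    """Return (host, [path segments]); scheme, query and fragment are ignored."""
    parts = urlsplit(url)
    return parts.netloc.lower(), parts.path.strip('/').split('/')


def common_prefix(strings):
    prefix = strings[0]
    for s in strings[1:]:
        while not s.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def common_suffix(strings):
    return common_prefix([s[::-1] for s in strings])[::-1]


def tracking_template(links):
    """If all copies share host and path shape but differ in exactly one path
    component, that component carries a per-recipient identifier. Returns the
    template with the variable part replaced by {token} and each recipient's token,
    or None when the copies are not the same lure."""
    hosts, paths = set(), []
    for url in links.values():
        host, segs = split_url(url)
        hosts.add(host)
        paths.append(segs)
    if len(hosts) != 1 or len({len(p) for p in paths}) != 1:
        return None  # different sites or different path shapes
    varying = [i for i in range(len(paths[0])) if len({p[i] for p in paths}) > 1]
    if len(varying) != 1:
        return None  # identical links, or too different to be one campaign
    idx = varying[0]
    segs = [p[idx] for p in paths]
    # Strip whatever the varying component has in common (a fixed prefix or a
    # file-extension-like suffix) so only the token itself remains.
    head, tail = common_prefix(segs), common_suffix(segs)
    template = list(paths[0])
    template[idx] = head + '{token}' + tail
    tokens = {}
    for who, url in links.items():
        seg = split_url(url)[1][idx]
        tokens[who] = seg[len(head):len(seg) - len(tail)]
    return {'host': hosts.pop(), 'template': '/' + '/'.join(template), 'tokens': tokens}


if __name__ == '__main__':
    result = tracking_template(REPORTED_LINKS)
    print(result['host'], result['template'])
    for who, token in result['tokens'].items():
        print(f'  {who}: token {token} identifies this recipient; any fetch marks the address as live')
```

A positive result is the evidence for the advice in the post above: the token ties a copy to the mailbox that received it, so fetching it in any way (a click, a link preview, a scanner that follows URLs) tells the sender that address is read.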
Laminar  (op)
Posting Junkie
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
Sep 7, 2014, 03:41 PM
 
I didn't click the link, and I just edited my last post to alter the link text. I really don't care about getting spam - Gmail and Mail.app filter well enough that I see nothing. I'm not worried about security - with two factor authentication and some brains, I have no issue steering clear of phishing attacks.

The biggest issue is the ongoing emails sent on her behalf, with no real solution for solving them. Like I said before, even if we get a new address for her and tell all 300+ of her contacts to ignore the old email address, Aunt Sally and Sorority Sister Jill will probably forget the warning after about 10 seconds and continue receiving emails.
     
Laminar  (op)
Posting Junkie
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
Sep 7, 2014, 03:42 PM
 
Originally Posted by besson3c View Post
Laminar: one reason why having a you@yourdomain.com as a redirect to another account is nice.
Could you explain a little more about how this works? We're probably going to end up setting up a new account, and I'm not above getting my own domain and a little bit of hosting, especially if it gives me any more control over this sort of stuff.
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Sep 7, 2014, 04:00 PM
 
Originally Posted by Laminar View Post
Could you explain a little more about how this works? We're probably going to end up setting up a new account, and I'm not above getting my own domain and a little bit of hosting, especially if it gives me any more control over this sort of stuff.
Register your domain with someone. Add email. Tell the registrar to park the domain and forward all mails from it to some other address. Most registrars do this, but one I have heard a lot of good about is hover.com. They apparently charge $5/year for the mail forward service, plus whatever the domain cost (com is $15/year).
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Sep 7, 2014, 04:06 PM
 
Laminar, would you like a free laminar@besson3c.com account?
     
Laminar  (op)
Posting Junkie
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
Sep 7, 2014, 05:03 PM
 
And then this new email is what I use for every web service/site that I use? Emails have to pass through that server to get to my real address. Because I only log in to sites with a "fake" front-end address, if I fall victim to phishing, the attacker gets those front end credentials and not my actual email address, so they can't access my actual phone book. Is that how it works?

In this case, she was sent a fake link to a Google Doc from a known contact. In an attempt to open that Google doc, it asked for her Google credentials. In this case, having a fake front-end address wouldn't help, because it wasn't asking for an email address, but the keys to her whole Google account. Or am I missing something?
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Sep 7, 2014, 05:12 PM
 
Originally Posted by Laminar View Post
And then this new email is what I use for every web service/site that I use? Emails have to pass through that server to get to my real address. Because I only log in to sites with a "fake" front-end address, if I fall victim to phishing, the attacker gets those front end credentials and not my actual email address, so they can't access my actual phone book. Is that how it works?
Yes, and while pointing your TLD (top level domain) at a different email account won't stop the spam if they have latched onto using this address, if your provider starts slipping at flagging the spam you have the ability to try another without having to notify everybody of another address change.

In this case, she was sent a fake link to a Google Doc from a known contact. In an attempt to open that Google doc, it asked for her Google credentials. In this case, having a fake front-end address wouldn't help, because it wasn't asking for an email address, but the keys to her whole Google account. Or am I missing something?
In this case, if you were to create a you@yourwife.com address and get people to start using it, you could point it at another Google/GMail account, and eventually ditch the old one once everybody has made the jump.

TL;DR: you@yourwife.com will eliminate having to retrain people to send email to a new address whenever you want to make changes as to where mail is routed.
     
Administrator
Join Date: Jun 2000
Location: California
Sep 7, 2014, 06:27 PM
 
What stops the spammers from finding you@yourwife.com and spamming the hell out of it?

Being able to silently change the final address might be convenient, but it opens two spamming routes to your wife. And the one that's easy to change would be the one that's not publicly exposed, and therefore least likely to draw spam.
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Sep 7, 2014, 06:41 PM
 
Originally Posted by reader50 View Post
What stops the spammers from finding you@yourwife.com and spamming the hell out of it?

Being able to silently change the final address might be convenient, but it opens two spamming routes to your wife. And the one that's easy to change would be the one that's not publicly exposed, and therefore least likely to draw spam.
Yes, but of course changing addresses requires getting all sorts of people to jump ship. My solution is, to me, the best way to handle not having to deal with that.

I will add though that if you went this route it would be very smart to be extremely selective about who you give your you@yourwife.com address to. Use the throwaway GMail address it is pointing to whenever you are in doubt about something, like any sort of signup deal or when dealing with complete strangers.
     
Laminar  (op)
Posting Junkie
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
Sep 7, 2014, 07:09 PM
 
Since my contact list lives on my Gmail account, if an attacker got my Gmail credentials they have a list of legit email addresses that will trust an email coming from me. So would I choose a Gmail address that can't actually be tied to me? Something like "blazeit420bro@gmail.com", so that if they try and use that as a mailto address people won't recognize it?
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Sep 7, 2014, 07:34 PM
 
Originally Posted by Laminar View Post
Since my contact list lives on my Gmail account, if an attacker got my Gmail credentials they have a list of legit email addresses that will trust an email coming from me. So would I choose a Gmail address that can't actually be tied to me? Something like "blazeit420bro@gmail.com", so that if they try and use that as a mailto address people won't recognize it?
That's not a bad idea, although I think some people are used to the fact that spoofing and backscatter is pretty normal, and that the from address is not the be-all-end-all (although they probably don't know exactly why to not take the from address at face value other than vague concepts of hackers).
     
Laminar  (op)
Posting Junkie
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
Sep 7, 2014, 10:58 PM
 
Well, the next issue I see is that because my wife's email is in my address book, both my Win7 Outlook client and the iPad automatically put her name in the "From" field, and the spammer made her full name the subject line.

I'm certainly not against setting something like this up, but the more I think about it, the less effective it seems to me.

If I'm sending an email to a personal contact, do I send it straight from my Gmail or do I route it through the me@me.com mail server so that no one ever sees my Gmail address?
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Sep 7, 2014, 11:18 PM
 
Originally Posted by Laminar View Post
If I'm sending an email to a personal contact, do I send it straight from my Gmail or do I route it through the me@me.com mail server so that no one ever sees my Gmail address?
If the account is just a redirect, you'll have no SMTP authentication to your you@you.com account.

Everything as it stands today would be identical, you'd just change your from address to you@you.com when sending to the GMail SMTP servers. You could set up multiple identities within your email account so that you can send as either your GMail or you@you.com address.
     