Someone on this list has been hacked
Hi folks,

looks like someone on this list had their PC and/or mailbox hacked, I got a "reply" to one of my mails trying to make me open some link (probably malware). This stuff is pretty common, but it feels a bit weird that it happened through someone who's active in anti-abuse and presumably not a noob :-)

This is what I got (since the link does not include a URL scheme, I consider it fairly safe to post here):

HI THERE,
The data file you wanted is available down below.
1)eddieserotica.com/eu/uocfqimediifa
Please tell me in case you have any questions.

Cheers, Hans-Martin
Hi Hans-Martin,

> looks like someone on this list had their PC and/or mailbox hacked, I got a "reply" to one of my mails trying to make me open some link (probably malware). This stuff is pretty common, but it feels a bit weird that it happened through someone who's active in anti-abuse and presumably not a noob :-)

I received a similar message on Monday supposedly ‘in reply to’ a message I sent to the list nearly two years ago.

It may not be a list subscriber’s mailbox that has been hacked, it may just be using a public archive of the list. Whilst the “real name” in the From: field was indeed the person I was replying to at the time (Suresh), the sender’s email address did not match the name.

In my case the spam message originated from:

Received: from beatingart.com ([62.113.107.99])

The sending IP address matches the SPF record for beatingart.com and from a quick check doesn’t seem to be on the major block lists, so it could well be a user in that domain has been compromised via phishing or some other means…

I must admit I had just deleted the message at the time, but perhaps worth following up with <abuse@ionos.com>, assuming your message matches the details of mine.

Cheers, Rob
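[Added example, not part of the thread or written by any participant.] The signals described in the message above (a familiar display name on an unfamiliar address, a "reply" to a post that is years old, and an SPF pass that says nothing about the account behind it) can be checked mechanically. The archive index, names, addresses and the 180-day threshold below are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed archive index (assumption): display name -> addresses that
# person has posted from, and Message-ID -> date of the archived post.
KNOWN_POSTERS = {"alice example": {"alice@example.org"}}
ARCHIVE_DATES = {
    "<orig-1@example.com>": datetime(2020, 5, 4, tzinfo=timezone.utc),
}

# Constructed sample message, modelled on the pattern described in the thread.
SAMPLE = """\
Received: from mail.example.net ([192.0.2.10])
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.net
From: "Alice Example" <info@example.net>
To: bob@example.com
Subject: Re: [list] old thread
In-Reply-To: <orig-1@example.com>
Date: Mon, 11 Apr 2022 08:00:00 +0000

The data file you wanted is available down below.
"""

def thread_hijack_signals(raw, max_gap=timedelta(days=180)):
    """Return the list of signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    signals = []

    # Signal 1: known display name, but an address that person never used.
    name, addr = parseaddr(msg.get("From", ""))
    known = KNOWN_POSTERS.get(name.strip().lower())
    if known is not None and addr.lower() not in known:
        signals.append("display-name-mismatch")

    # Signal 2: reply to an archived post older than max_gap (assumed cutoff).
    parent = ARCHIVE_DATES.get((msg.get("In-Reply-To") or "").strip())
    if parent is not None and msg.get("Date"):
        if parsedate_to_datetime(msg["Date"]) - parent > max_gap:
            signals.append("stale-thread-reply")

    # An SPF pass only says the IP may send for the envelope domain; a
    # compromised account on a legitimate domain passes it too.
    auth = (msg.get("Authentication-Results") or "").lower()
    if signals and "spf=pass" in auth:
        signals.append("spf-pass-not-exculpatory")
    return signals
```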
It’s one of the more recent tactics being used by the “lovely” scumbags. It’s happening against multiple public mailing lists both RIPE and LINX ones so far .. probably others

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On 14 Apr 2022, at 12:23, Michele Neylon - Blacknight via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:

> It’s one of the more recent tactics being used by the “lovely” scumbags. It’s happening against multiple public mailing lists both RIPE and LINX ones so far .. probably others

Also some private mailing lists with tight controls on membership and with no public archives. It’s presumably either compromised end users or phished IMAP credentials.

Cheers, Steve
participants (4)
- Hans-Martin Mosner
- Michele Neylon - Blacknight
- Rob Evans
- Steve Atkins