Dangerous scam email claim from RIPE NCC
Hi

I have attached the email, I didn’t click on it.

I think RIPE NCC should immediately make a member based wide announcement and clarification on what a registry assisted check should look like.

Think what happened to LIR account last year, this is very scary.

--
Kind regards.
Lu
RIPE already sent out comms about this yesterday

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

I have sent this email at a time that is convenient for me. I do not expect you to respond to it outside of your usual working hours.

From: Lu Heng <h.lu@anytimechinese.com>
Date: Wednesday, 9 October 2024 at 14:22
To: members-discuss@ripe.net <members-discuss@ripe.net>
Subject: [members-discuss] Dangerous scam email claim from RIPE NCC

> Hi
>
> I have attached the email, I didn’t click on it.
>
> I think RIPE NCC should immediately make a member based wide announcement and clarification on what a registry assisted check should look like.
>
> Think what happened to LIR account last year, this is very scary.
>
> --
> Kind regards.
> Lu
Dear Lu, all,

We would like to re-share an announcement we made on 7 October on the RIPE NCC Announce mailing list concerning a phishing email targeting RIPE NCC members, with the subject “RIPE NCC Audit - Resource Discrepancies Detected” [1].

The email contains a false message stating that the LIR account has been “selected for an audit” and urges the recipient to download a file in order to review their resources within 48 hours.

Please do not download or open the attachment shared in that email.

The email in question does not originate from the RIPE NCC. Expanding the sender information will demonstrate that the email is not sent from an “@ripe.net” email address.

How to identify official communications from the RIPE NCC:

- Emails from the RIPE NCC are sent from the official domain (@ripe.net).
- Important member communications are shared on the RIPE NCC Announce and/or Members-Discuss mailing lists.
- Important communications are shared as news items on the website (www.ripe.net).
- When we invite members for Assisted Registry Checks (ARCs), we do not ask you to download files. Instead, we share information that is publicly available in the RIPE Database related to your LIR account, and ask you to log into your LIR Portal account to verify the information.
- Furthermore, we do not set 48-hour or similar deadlines. As a member, you can select the date and time of the ARC yourself through our ARC scheduling tool available on our website.

If you have any doubts about the legitimacy of an email from the RIPE NCC, or have security-related questions, please contact us at security@ripe.net.

For any other questions concerning your resources, please contact ncc@ripe.net or open a ticket via the LIR portal.

Regards,

Eleonora Petridou
Chief Information Security Officer
RIPE NCC

[1] https://mailman.ripe.net/archives/list/ncc-announce@ripe.net/thread/AXINKSFQ...

On Wed, 9 Oct 2024 at 16:28, Michele Neylon - Blacknight via members-discuss <members-discuss@ripe.net> wrote:
> RIPE already sent out comms about this yesterday
Hi,

On Wed, 09 Oct 2024 at 15:27:29 +0300, Lu Heng wrote:
> I think RIPE NCC should immediately make a member based wide announcement and clarification on what a registry assisted check should look like.

They did two days ago on the ncc-announce list:
https://mailman.ripe.net/archives/list/ncc-announce@ripe.net/message/AXINKSF...

Kind regards,
--
Benjamin Collet
Moin,

> I have attached the email, I didn’t click on it.

I would like to raise some attention to the nicely placed yellow checkmark next to TLS, under the point 'Security'; this is likely there because the delivering MTA submitted with STARTTLS.

I would bet that some phishing mail with S/MIME from an attacker-controlled domain, or possibly even just DKIM alignment, might net this a green version.

What web interface is this? Outlook/M365? Gmail workspaces?

In any case, whoever designed this clearly seems to have a heart for making phishing easier.

With best regards,
Tobias
It's being sent from mailxxxxxx.megamailservers.com, where xxxxx is changing. The whole IP range (69.49.96.0/19) is allocated to Internet Names For Business Inc. from CA, USA.

I have already reported this to the abuse contact associated with this IP range.

--
Kind regards,
David Brůha
Virtis s.r.o.
U Boroviček 255/8
Praha 6, 163 00
e-mail: d.bruha@virtis.cz

On Wednesday, 9 October 2024 18:01:23 CEST, Tobias Fiebig via members-discuss wrote:
> Moin,
>
> > I have attached the email, I didn’t click on it.
>
> I would like to raise some attention to the nicely placed yellow checkmark next to TLS, under the point 'Security'; this is likely there because the delivering MTA submitted with STARTTLS.
>
> I would bet that some phishing mail with S/MIME from an attacker-controlled domain, or possibly even just DKIM alignment, might net this a green version.
>
> What web interface is this? Outlook/M365? Gmail workspaces?
>
> In any case, whoever designed this clearly seems to have a heart for making phishing easier.
>
> With best regards,
> Tobias
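The checks from the RIPE NCC reply (sender domain, no 48-hour deadline), the relay range reported above, and the point that transport TLS does not authenticate a sender, as an added Python example that is not part of any message in this thread. The sample message is constructed; `mx.example.net`, `audit-example.test`, the IP address and the `triage` function are assumptions for illustration.

```python
import email
import ipaddress
import re
from email import policy

OFFICIAL_DOMAIN = "ripe.net"  # sender domain named in the RIPE NCC reply
REPORTED_RANGE = ipaddress.ip_network("69.49.96.0/19")  # range reported in the thread

# Constructed sample, not the real phishing mail: the IP address, mx.example.net
# and audit-example.test are invented for illustration.
SAMPLE = """\
Received: from mailxxxxxx.megamailservers.com (unknown [69.49.96.1])
\tby mx.example.net with ESMTPS id abc123; Mon, 7 Oct 2024 10:00:00 +0000
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=audit-example.test;
\tdkim=pass header.d=audit-example.test; dmarc=none header.from=audit-example.test
From: "RIPE NCC" <audit@audit-example.test>
Subject: RIPE NCC Audit - Resource Discrepancies Detected

Download the attached file and review your resources within 48 hours.
"""

def triage(raw, trusted_mx="mx.example.net"):
    """Return (tls_in_transit, findings); TLS is reported but never scored."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    addrs = msg["From"].addresses if msg["From"] else ()
    from_domain = addrs[0].domain.lower() if addrs else ""
    if from_domain != OFFICIAL_DOMAIN:
        findings.append("from-domain-not-ripe.net")
    # Trust only results stamped by our own MX; a sender can add this header too.
    aligned = False
    for ar in msg.get_all("Authentication-Results", []):
        server, _, results = str(ar).partition(";")
        if server.strip().lower() == trusted_mx:
            aligned |= bool(re.search(r"\bdmarc=pass\b.*header\.from=ripe\.net(?![\w.-])", results))
    if not aligned:
        findings.append("no-dmarc-pass-for-ripe.net")
    received = [str(h) for h in msg.get_all("Received", [])]
    for ip in re.findall(r"\[([0-9.]{7,15})\]", " ".join(received)):
        try:
            if ipaddress.ip_address(ip) in REPORTED_RANGE:
                findings.append("relay-in-reported-range")
        except ValueError:
            pass  # bracketed text that is not an IPv4 address
    body = msg.get_body(preferencelist=("plain",))
    if body and re.search(r"\b48[ -]?hours?\b", body.get_content(), re.I):
        findings.append("short-deadline")
    tls = any(re.search(r"\bwith ESMTPS\b", h) for h in received)
    return tls, findings
```

On the constructed sample the hop is TLS-protected and SPF and DKIM both pass for the sender's own domain, yet every finding fires, which is why a TLS indicator alone is a poor trust signal.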
participants (6)
- Benjamin Collet
- David Brůha
- Eleonora Petridou
- Lu Heng
- Michele Neylon - Blacknight
- Tobias Fiebig