Protonmail warning message



  • V.I.P Member
DoomKitty
Just now, sweetmelissa589 said:

@lookinforthebiscuits Changed my password... nothing fishy on my account so far... Fingers crossed!

Highly recommend setting up 2-Factor Authentication as well if you haven't already!!

  • Sapphire Sponsor
lookinforthebiscuits
8 minutes ago, DoomKitty said:

 

@lookinforthebiscuits The problem with the theory that it's simply a compromised password associated with a vendor account is the same as I mentioned above: the scam emails are within existing email threads but come from an entirely different email address and provider. If it was a mere account takeover the hacker would just send from the account as normal, which we've seen a lot recently in the RC community.

@DoomKitty I take your point, but on the basis the attacker has access to the compromised account, wouldn't they be able to spoof a reply in the thread by simply copying the subject line and sending to the compromised account from a similar looking or completely spoofed email address?

  • Members
Electrikoolaid

I received these phishing emails this week too. My protonmail has only been used on android.  

  • V.I.P Member
DoomKitty

@lookinforthebiscuits There's too little info so it's hard to wrap my brain around it, but I'm not sure that method would show up in the same thread in Protonmail that way. I mean I don't have enough info from the reporting member who got scammed to really know what the format looked like, but generally Protonmail treats each new response as its own entity, so a copy/paste of the entire convo with a spoofed email wouldn't work as it would reduce the whole thread to just one response, if that makes sense. In the way you're thinking it, is the vendor or the customer compromised?

edit: I forgot protonmail looks different on phones and each reply in a thread is completely separate and not tied to the others visibly so in that case a spoofed email might work. The member said the response with the fake btc address happened "almost immediately" so that has to be a well executed spoof if that's the case

Edited by DoomKitty
  • Emerald Sponsor

I have received these spoof emails this week also. What is a good alternative secure email service?

  • Opal Sponsor
With a man-in-the-browser exploit it would be the customer who is compromised. The MITB exploit is basically the same as an XSS exploit but executed via malware on the customer's computer rather than a security flaw in the Protonmail platform. It could allow the scammer to change the dashboard source code within the user's browser so all emails are BCC'd to the scammer's own email address. The customer and legitimate vendor could create an email thread and the scammer could jump in at any time without the legitimate vendor knowing and without breaking the thread... This is all speculation, mind; I'm just a web developer and not a cyber security expert. I'd also be surprised if Windows Defender wasn't able to detect and quarantine MITB malware, plus modern browsers should prevent an exploit like that from running; it would take a REALLY sophisticated bit of malware to pull off an exploit like that. I'm sure there's a much simpler explanation to all this, but for anyone using Protonmail to contact vendors I'd suggest using the mobile app and being very cautious until we know more.

Edited by milex
  • Sapphire Sponsor
lookinforthebiscuits

@DoomKitty The way I'm thinking it, initially the vendor(s) was compromised, then the customer. The customer still doesn't know s/he's compromised but the scammer can see their email account and correspondence with the vendor and is now masquerading as the vendor by inserting themselves into the thread using the same subject line by emailing the customer from a spoofed or similar looking email address.

Convoluted, I know, but assuming the member's report is correct (I know which report you're referring to, I saw it as well) I can't see how else that could be accomplished beyond some very sophisticated malware, or Protonmail being compromised, which seems very unlikely. I know what you're saying about Protonmail treating each new response as its own entity (I don't know if that's the case at this point), but, assuming that's correct, it still doesn't explain what happened to the reporting member, since the reply they received was from a different but similar-looking email address, which should have created a new thread.

Anyway, as you say, best to wait for some more reports to come in. If anyone has experienced any loss as a result of this current problem, please post in this thread in as much detail as possible (obviously without compromising anyone's security). Better to keep it here than in the vendor threads.

  • Moderators.

PS: this has been a problem reported to me by several people, not just a single incident, and it is in regard to various vendors as well, with the common thread being Protonmail.

I'm getting all kinds of crazy emails on there myself, but have not initiated any orders . One that a few of us have received is from [email protected] titled "confidential email ".

Then I am also getting "please confirm your DHL deliveries", "please confirm your email " and I am just swiping them directly to trash, but I can see that they are all from Tutanota addresses.

  • Sapphire Sponsor
lookinforthebiscuits

@2earls Exactly the same here. First ones purported to be from Protonmail ("Upgrade Your Account"), then the lockandload ones, then the DHL one. lockandload were apparently from tutanota. The DHL apparently from a Protonmail account. All of them went straight to the trash.

 

  • Opal Sponsor

@2earls if someone created a new account on a different computer and still had the same issues, then it must be the vendor's Protonmail account that is compromised. Do you have a count on how many vendors this is happening with?

  • Members
Medicine Seeker

@lookinforthebiscuits I've gotten these emails too. Mine went to the trash as well.

  • Members

I posted about this because I lost ~130 due to this.

 

I was receiving/sending email to —@protonmail.com about my order, and when I received the original BTC address to send to from the real vendor email, the BTC address didn't work, so I requested a new one.

My new BTC address came almost instantly, which should have set off a flag, but I assumed the vendor was on their email at that moment. I sent BTC to the address and they said I could double the order for only $100 more, which I didn't have, so I declined and have never heard back since.

Looked back just today since I hadn't heard from [email protected], and noticed the second BTC address was sent from [email protected] (scammer).

All in the same single thread of emails originating from the real vendor.

I haven't heard back since emailing the real vendor about what happened; no hard feelings obviously, as it was my fault. I am not sure if the vendor hasn't seen my emails yet or maybe has lost contact with that email/deleted it, IDK as of right now.

This is far beyond my comprehension, I'm just explaining what went down and how.

 

EDIT: I haven’t received any of the above mentioned emails however, only the tutanota email mirroring the protonmail vendor.

Edited by Ruger2506
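The report above describes a reply that landed inside an existing thread but came from a look-alike address at a different provider. A threaded mail client groups messages by the In-Reply-To/References headers (and sometimes just the subject), not by who sent them, so a forger who has seen the thread can copy those headers and appear mid-conversation. The script below is an added example for this thread, not code posted by any member; it walks a mailbox, records which outside party opened each thread, and flags any later message in that thread from a different sender, separating near-identical local parts on another domain ("look-alike") from unrelated addresses. The three messages are constructed samples; the addresses, names and Message-IDs are invented placeholders, and the 0.8 similarity cut-off is an assumed tuning value.

```python
"""Flag replies in an e-mail thread that come from someone other than the
party the thread started with.

Added example, not from the forum thread. Messages are constructed samples;
addresses, display names and Message-IDs are invented placeholders, and the
0.8 similarity cut-off for "look-alike" local parts is an assumed value.
"""
import difflib
import email
from email import policy
from email.utils import parseaddr

# Constructed mailbox: the real vendor opens the thread, the customer replies,
# then a look-alike address at another provider answers with the same subject
# and References headers, so a threaded client shows it in the same conversation.
RAW_MESSAGES = [
"""From: Vendor Shop <vendor.shop@protonmail.example>
To: customer@protonmail.example
Subject: Re: order 4471
Message-ID: <msg1@protonmail.example>

Here is the BTC address for your order: <placeholder address 1>
""",
"""From: customer@protonmail.example
To: vendor.shop@protonmail.example
Subject: Re: order 4471
Message-ID: <msg2@protonmail.example>
In-Reply-To: <msg1@protonmail.example>
References: <msg1@protonmail.example>

That address did not work, could you send another one?
""",
"""From: Vendor Shop <vendor.shop@tutanota.example>
To: customer@protonmail.example
Subject: Re: order 4471
Message-ID: <msg3@tutanota.example>
In-Reply-To: <msg2@protonmail.example>
References: <msg1@protonmail.example> <msg2@protonmail.example>

New address: <placeholder address 2>
""",
]


def thread_key(msg):
    """Root Message-ID of the conversation: the first entry in References,
    else In-Reply-To, else the message's own Message-ID."""
    refs = msg.get("References")
    if refs:
        return refs.split()[0]
    parent = msg.get("In-Reply-To")
    if parent:
        return parent.strip()
    return msg["Message-ID"].strip()


def sender_address(msg):
    """Bare address from the From header, lower-cased. The display name is
    ignored on purpose: a forger can copy 'Vendor Shop' freely."""
    return parseaddr(msg["From"])[1].lower()


def is_lookalike(known, new):
    """True when the local parts are near-identical but the domains differ,
    e.g. vendor.shop@protonmail.example vs vendor.shop@tutanota.example."""
    known_local, known_domain = known.rsplit("@", 1)
    new_local, new_domain = new.rsplit("@", 1)
    if known_domain == new_domain:
        return False
    ratio = difflib.SequenceMatcher(None, known_local, new_local).ratio()
    return ratio >= 0.8  # assumed threshold


def audit_threads(raw_messages, own_address):
    """Return (message_id, first_sender, new_sender, kind) for every message
    whose sender is not the outside party that opened its thread."""
    first_sender = {}
    alerts = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        addr = sender_address(msg)
        if addr == own_address.lower():
            continue  # our own replies never change the counterparty
        key = thread_key(msg)
        known = first_sender.setdefault(key, addr)
        if addr != known:
            kind = "look-alike" if is_lookalike(known, addr) else "unrelated"
            alerts.append((msg["Message-ID"].strip(), known, addr, kind))
    return alerts


if __name__ == "__main__":
    for mid, known, new, kind in audit_threads(RAW_MESSAGES, "customer@protonmail.example"):
        print(f"{mid}: thread opened by {known}, this reply is from {new} ({kind})")
```

Run against the sample mailbox it reports the third message only: the thread was opened by vendor.shop@protonmail.example and the reply carrying the second BTC address is from vendor.shop@tutanota.example, a look-alike. The check keys on the thread's root Message-ID rather than the subject line because a subject is trivially copied; if your client also threads by subject, group on the normalised subject as a fallback and expect more false positives.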
  • Moderators.

@milex I believe it originated with the customer, but once he emailed the vendor they were able to get into that account. Judging from the number of us who received these emails it seems like the scammer got ahold of one of our vendor's contacts list. He believes that they cannot originate contact from the vendor email, only respond to emails sent and that's when they give the false bitcoin address. 

  • Sapphire Sponsor
lookinforthebiscuits

@Ruger2506 Thanks for your post and sorry about your loss. It was your report to which myself and @DoomKitty were referring earlier in the thread.

Have you taken all the obvious precautions like changing your email password, enabling 2FA and checking your device is free from malware? If not, you should do that asap.

  • Admin pinned this topic
