Welcome to Drugbuyersguide

milex

Protonmail warning message

pixiechic
51 minutes ago, lookinforthebiscuits said:

@2earls Exactly the same here. First ones purported to be from Protonmail ("Upgrade Your Account"), then the lockandload ones, then the DHL one. lockandload were apparently from tutanota. The DHL apparently from a Protonmail account. All of them went straight to the trash.

59 minutes ago, 2earls said:

I'm getting all kinds of crazy emails on there myself, but have not initiated any orders. One that a few of us have received is from lockandload@tutanota.com titled "confidential email".

Then I am also getting "please confirm your DHL deliveries", "please confirm your email" and I am just swiping them directly to trash, but I can see that they are all from Tutanota addresses.

These are the emails I received as well. I reported some as phishing/spam and others I just deleted.

milex

@Ruger2506 were you using the mobile app to contact the vendor?

Ruger2506

@milex Yes mobile app on iPhone.

I've only reset my phone to factory and have changed pass but will most likely make new email.

milex
43 minutes ago, Ruger2506 said:

@milex Yes mobile app on iPhone.

I've only reset my phone to factory and have changed pass but will most likely make new email.

That is completely bizarre. iPhones can’t be infected with malware. The vendor's account must have been compromised, but assuming the scammer had control of the vendor's account, why send the false btc address from a different email? And how? I can’t wrap my head around it, but it seems like vendors are being phished and having their accounts compromised. I think it’s important that all vendors using any email service be made aware, change their passwords, enable 2FA, check their email activity logs, scan for malware etc. I still don’t believe there’s an issue with ProtonMail as a service, I believe it to be safe and secure, but both vendors and customers alike should be on high alert and extremely vigilant when it comes to account security and suspicious emails.

I’m sorry you lost money because of this 😕 it could have happened to anyone.

Edited by milex

xxSlappy

Egad, DHL thinks I work in theatre.

[image attachment]

Ruger2506

@milex Yeah, the way it happened was so smooth it was very easy to fall for.

In hindsight, I could have and should have paid more attention to the email address and noticed when it changed.

I wonder if the scammer can only mimic the vendor's email by using @tutanota.com or if they are actually sending from the vendor's @protonmail.com email. So the only thing you’d have to look out for is if you suddenly receive emails from an address that differs from the vendor's.

Edited by Ruger2506

xxSlappy

Might not be a bad idea to check proton authentication logs and sessions under Settings > Security. The logs can be wiped, but if they have, that could also be telling.

sweetmelissa589

@DoomKitty Thank you... will do. So far, I've only been talking to 1 vend0r and have not had any suspicious links. Even if I did, I would never click on them.

veggieragz

@GungHo I got exactly the same emails.

booms

I got these emails. The one looks exactly like the ProtonMail sign-in page and wants you to sign in with your info. I followed some bread crumbs and one of them was linked to a Paxful email account besides the tarantula ones. I've been reporting them all to Proton and they have responded back saying they are phishing emails but nothing else yet.

Edited by booms

drjimmy1964
3 hours ago, milex said:

That is completely bizarre. iPhones can’t be infected with malware. The vendor's account must have been compromised, but assuming the scammer had control of the vendor's account, why send the false btc address from a different email? And how? I can’t wrap my head around it, but it seems like vendors are being phished and having their accounts compromised. I think it’s important that all vendors using any email service be made aware, change their passwords, enable 2FA, check their email activity logs, scan for malware etc. I still don’t believe there’s an issue with ProtonMail as a service, I believe it to be safe and secure, but both vendors and customers alike should be on high alert and extremely vigilant when it comes to account security and suspicious emails.

I’m sorry you lost money because of this 😕 it could have happened to anyone.

This is ALL IMO, I am clearly not as smart as Milex, but I think the thug put a malicious program on the computer of the vendor I was working with. I think that when I emailed the vendor and asked them for a bitcoin address (and all previous emails), they were coming from me to vendor, then bouncing to thug; then thug immediately replied to me with his tutonata account, hoping I wouldn't notice the change in domains after 5-7 emails between me and the vendor.

Once the email that he was waiting for to jump in came, he sent his email, hoping I wouldn't notice it wasn't from ProtonMail. And he won, because I asked for a btc address, got one in a few minutes, and never looked at the domain. Very few people would, I imagine.

Check it out, this is a copy-paste from my Proton email account. The bottom email was from me to vendor asking about BTC (name edited because it's only available for donations), yet it shows the header as the vendor's, meaning all the vendor's incoming emails from me were going to the thug.

The reply came showing the time as about 18 hours ahead, however. I wish it was just 12 so it would look obvious to be maybe Asia somewhere. That I can't pinpoint, but the header seems to give it away (to me, but I am no expert on viruses) that all the vendor's emails were bounced right to the thug. Probably had a field day going from vendor to vendor. Maybe, as stated, not even Proton related, unless we know lockandload was sent to more than just Proton accounts?

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, January 18, 2020 3:29 AM, VENDORNAME,   <VENDORNAME@tutonata.com> wrote:

> bitcoin address: xxxxxxxxxxxxxxx

> ------- Original Message -------
> On Friday, January 17, 2020 9:28 AM, VENDOR,   VENDORNAME@protonmail.com wrote:
> do you take bitcoin ? I was curious if you did because  I'd like to use what I have in my ....

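The pattern in the pasted headers above (a reply under the vendor's name arriving from a different domain than the earlier messages in the same thread) can be checked mechanically. The following Python is an added example, not code from anyone in this thread or from ProtonMail: it walks a reply chain oldest-first and flags any message whose sender reuses an earlier participant's display name or local part but comes from a different domain, noting whether that message carries payment details. The sample thread and its addresses are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed sample thread (oldest first), modelled on the exchange quoted in
# the post above: the vendor writes from a protonmail.com address and the
# "bitcoin address" reply arrives under the same name from another domain.
# All addresses are placeholders, not real accounts.
SAMPLE_THREAD = [
    {"from": "VENDORNAME <vendorname@protonmail.com>",
     "body": "Sure, let me know what you need."},
    {"from": "Customer <customer@protonmail.com>",
     "body": "do you take bitcoin? I was curious if you did"},
    {"from": "VENDORNAME <vendorname@tutanota.example>",
     "body": "bitcoin address: xxxxxxxxxxxxxxx"},
]

# Words that mark the message where a payment-redirect scam pays off.
PAYMENT_WORDS = ("bitcoin", "btc", "wallet")


def split_address(header_value):
    """Return (display_name, local_part, domain), all lowercased, from a From header."""
    name, addr = parseaddr(header_value)
    local, _, domain = addr.rpartition("@")
    return name.strip().lower(), local.lower(), domain.lower()


def find_sender_switches(thread):
    """
    Walk a thread oldest-first and flag any message whose sender reuses an
    earlier participant's display name or local part but comes from a
    different domain. Each finding records which attribute matched, the domain
    first seen for that participant, the domain actually used, and whether the
    message talks about payment.
    """
    domain_by_name = {}   # display name -> domain first seen with it
    domain_by_local = {}  # local part   -> domain first seen with it
    findings = []
    for index, message in enumerate(thread):
        name, local, domain = split_address(message["from"])
        reasons = []
        expected = None
        if name and name in domain_by_name and domain_by_name[name] != domain:
            reasons.append("display name")
            expected = domain_by_name[name]
        if local in domain_by_local and domain_by_local[local] != domain:
            reasons.append("local part")
            expected = expected or domain_by_local[local]
        if reasons:
            body = message.get("body", "").lower()
            findings.append({
                "index": index,
                "reasons": reasons,
                "expected_domain": expected,
                "actual_domain": domain,
                "mentions_payment": any(w in body for w in PAYMENT_WORDS),
            })
        # Remember the first domain seen for this name and local part;
        # a later switch is what we want to catch, so never overwrite.
        if name:
            domain_by_name.setdefault(name, domain)
        domain_by_local.setdefault(local, domain)
    return findings


if __name__ == "__main__":
    for f in find_sender_switches(SAMPLE_THREAD):
        print(f"message {f['index']}: sender matched on {', '.join(f['reasons'])} "
              f"but domain is {f['actual_domain']} instead of {f['expected_domain']}"
              f"{' (contains payment details)' if f['mentions_payment'] else ''}")
```

The check deliberately keys on the first domain seen for a name or local part rather than on a fixed allow-list, so it also catches a switch away from any provider, not just ProtonMail to Tutanota. It cannot tell a compromised real account apart from a lookalike one; a reply from the vendor's genuine address with a changed payment address would pass, which is why the other posts' advice to confirm payment details out of band still applies.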
Fenrir

Mad situation this. Hopefully nobody loses any more money. What a world we live in. Everything will probably be done on computers or phones one day.

milex

Here’s my theory as to what may have been happening:

A hacker most probably phished a DBG vendor. Once they had the vendor's ProtonMail password they used an API to access their account, extract their contact list and send out phishing emails to everyone in it. The hope being that a DBG customer would fall for the phishing scam and hand over their account details. The same API would then be used to send out phishing emails to everyone in the customer's ProtonMail contact list, which would likely contain more DBG vendors. A vendor falls for the phishing scam and the process is repeated over and over. The hacker is collecting phished ProtonMail addresses and passwords and looking out for vendor accounts that have fallen victim to the phishing scam. Once they have a vendor's account info they create a tutonata account that mirrors the vendor's real address, and they use an API to monitor email communications to all compromised vendor accounts, looking out for keywords or phrases sent by customers such as “btc address”, at which point the API deletes the customer's email enquiring about a btc address from the vendor's inbox and the API replies automatically from the fake tutonata account set up for that vendor with false btc information (this would explain why victims have reported receiving instant replies from the fake tutonata accounts) and maybe even uses the API to block the customer from being able to contact the vendor again, so they can’t let them know something is wrong. The hacker could set the API to reply from the vendor's real account, but if the vendor noticed this they would realise something was wrong, change their password and the game would be up.

ProtonMail addresses are being targeted because that’s largely the email service of choice here, and there are a few unofficial APIs available for ProtonMail which would allow a hacker to do all this and keep the scam largely automated. It’s a very elaborate setup, but I think it could be possible, and of course there’s a lot to gain... but this is just a theory. The best course of action is still for ProtonMail vendors to change their passwords and increase their account security, as well as for all ProtonMail users to remain vigilant of suspicious emails.

DoomKitty

I REALLY hope vendors affected by this aren't just only changing their emails!! If this is a case of just a compromised email account then everything associated with that account is burned and anything on that account should be assumed to have been compromised (personal info, addresses, passwords etc.) and the account should be deleted completely. If this is a sophisticated MitB or BitB attack then the computer needs to be THOROUGHLY checked for offending malware, all passwords need to be changed, and anything they did on the internet in the last while needs to be really thought about. It's highly unlikely that the only site that could be viewed by the attacker would be ProtonMail. Perhaps the only email site he could manipulate and inject into was ProtonMail, but view? Unlikely. Either way completely deleting the account (very easy with ProtonMail!) needs to happen IMO. Also any vendor associated needs to practice waaaaaaay better opsec. For instance, no vendor should ever have been clicking on links other than privnote or temp.pm ones and even then they need to check those links prior to clicking to make sure that's actually where they are directing to. Also no one legit will EVER EVER EVER send you something that requires you to log in to something to view it. Sorry if I'm salty, this is just rather unsettling as I assumed vendors here would be waaay more careful than this suggests, and if up to 5 vendors were affected that's very disturbing to me. I HIGHLY recommend to all customers that they always send their personal info in a one-time-view way via temp.pm as this will prevent any personal info from being stolen from a compromised vendor account.

@milex Thanks SO much for the expertise with this. From the looks of the email that @drjimmy1964 posted, an automated API doing this is extremely likely, though I'm still confused how it shows up in the same email thread as that's something the ProtonMail program itself would control, I would assume. @Ruger2506 Did the scam email you received have the same format/wording?

Edited by DoomKitty
pixiechic

Trying to think of a possible way to verify a vendor's new email address when they send them to us (as will hopefully happen, since they would surely want to no longer use their compromised email).

So, say a vendor emails and tells you that their new address is vendor@wherever, how will we know that it isn't still a scammer using our email addresses from when they stole them from the vendors whose accounts were hacked? I mean, we could say not to trust emails from tutan0ta, but what if they start using a different email server to contact us?

I guess we could ask them a question that only the real vendor would know the answer to, but other than that does anyone have any thoughts on this? Would it help to ask the vendor to PM the customer a password on here? So when they email you, you (the buyer) could then ask "what is the password you sent me?" to verify it was a legit new email. I am probably overthinking all of this LOL. 🙃

Or should I be deleting my email account and starting fresh as well??

Edited by pixiechic
