Psychz mail system seems to be hacked....
PhantomPain Member
edited May 2021 in Providers

Is there anyone else who received the phishing email titled 'SERVER TERMINATION' from Psychz?


Comments

  • Neoon Community Contributor, Veteran
    edited May 2021

    Just because you get a phishing email doesn't mean the mail server of psychz is compromised.
    Check the headers/source of the email.

  • DP Administrator, The Domain Guy

    Phishing != "mail system hacked".

  • I just got this (and posted it) and it freaked me out. Checking the headers, it baffles me that it passed SPF and landed on my Inbox.

  • MeanServers Member, Host Rep

    Received the same email (we have Psychz services), not 100% sure if it is just a targeted phishing campaign or something worse.

  • bacloud Member, Patron Provider

    Yeah, got one with attachment. Antivirus was not very happy.

  • sibaper Member

    Can anyone post the email header?

  • @sibaper said:
    Can anyone post the email header?

    Return-Path: <[email protected]>
    Received: from compute2.internal (compute2.nyi.internal [10.202.2.42])
         by sloti37d1t10 (Cyrus 3.5.0-alpha0-519-g27a961944e-fm-20210531.001-g27a96194) with LMTPA;
         Mon, 31 May 2021 06:44:00 -0400
    X-Cyrus-Session-Id: sloti37d1t10-1622457840-922412-2-16425216322047351825
    X-Sieve: CMU Sieve 3.0
    X-Spam-known-sender: no
    X-Spam-sender-reputation: 1000 (email)
    X-Spam-score: 0.0
    X-Spam-hits: ME_SC_SENDERREP -100, ME_SENDERREP_ALLOW -4, SHORTCIRCUIT -0.0001,
      SPF_HELO_PASS -0.001, SPF_PASS -0.001, SUBJ_ALL_CAPS 0.5,
      LANGUAGES enfrca, BAYES_USED none, SA_VERSION 3.4.2
    X-Spam-source: IP='216.99.144.35', Host='mail.psychz.net', Country='US', FromHeader='net',
      MailFrom='net'
    X-Spam-charsets: plain='utf-8'
    X-Attached: document230134.xlsx
    X-Resolved-to: my_email@address
    X-Delivered-to: my_email@address
    X-Mail-from: [email protected]
    Received: from mx3 ([10.202.2.202])
      by compute2.internal (LMTPProxy); Mon, 31 May 2021 06:44:00 -0400
    Received: from mx3.messagingengine.com (localhost [127.0.0.1])
        by mailmx.nyi.internal (Postfix) with ESMTP id CC5111F400FF
        for <my_email@address>; Mon, 31 May 2021 06:43:59 -0400 (EDT)
    Received: from mx3.messagingengine.com (localhost [127.0.0.1])
        by mx3.messagingengine.com (Authentication Milter) with ESMTP
        id 5647C1D3699;
        Mon, 31 May 2021 06:43:59 -0400
    ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm2; t=
        1622457839; b=pJjQidyJgBZdkWTitO3fmiUZ/kWO+C2QM/WaB11/Rsj0+3XVK7
        g+LhIcg59HmxjwI8EEtgQ+mujtoGxuMpoCIQtrdDtm4cije1nWIfhPlxUX+N8q02
        WWbW/7iQ4q4RgcKJLmfF2AERirwQ8NLKTGGTREQaENfqatO4ioK4ZAxjNaiz8m31
        rI6BojR4Oq1KlZen1oMUpDjfLXcORsFhIax851bLArhG2vsNtH1a3rcSeLFTaVfj
        RDsiCM8hY5lF4lrZ+tWyp0hpi2FCFJDl5bCt1Pq2ovneOI6AJun5Xol1YJnPKvGO
        GrPqXdT0FEr3tmAihV/1WrNyh2+l7f6HXFKg==
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
        messagingengine.com; h=from:to:subject:date:message-id
        :mime-version:content-type; s=fm2; t=1622457839; bh=Mczb7jtw6fh4
        4Wb8Loz+KdHju8e6NMy8VmBxadZySRg=; b=qsYmOJksbv0CxFVvapdGWc3kwVRq
        zNDKXOkbLy7WafNp5S2jhfsuQF5824uyIcKUyPOlA42KNmXc32vL/jqho8qFi7w5
        p8VA4WRDxzje9R1GHFVyKoNeBiy6+RVQ4zut7Y6GhJ39HkkEQMRCByv9mvy1VV5R
        vkJsttwJtU28iQj91DDrmLg1xRicuYmCL1BcQht80ymOfTJyW1v0MMw9ko0Lw5ax
        3j4za0rIvyPzD3e6oz2c2GVyrHloKocgnYJvlI1YGg1VyNtcnH9FG0qjDfv+MTLJ
        XRB6j5SiYb38drKVwYnp3iFMnaqCn97KOl7BN1HEHsB++2fnmC1qlmxZ3g==
    ARC-Authentication-Results: i=1; mx3.messagingengine.com;
        arc=none (no signatures found);
        bimi=skipped (DMARC Policy is not at enforcement);
        dkim=pass (2048-bit rsa key sha256) header.d=psychz.net
        [email protected] header.b=c1PS0gNp header.a=rsa-sha256
        header.s=default x-bits=2048;
        dmarc=pass policy.published-domain-policy=none
        policy.published-subdomain-policy=none policy.applied-disposition=none
        policy.evaluated-disposition=none (p=none,sp=none,d=none,d.eval=none)
        policy.policy-from=p header.from=psychz.net;
        iprev=pass smtp.remote-ip=216.99.144.35 (mail.psychz.net);
        spf=pass [email protected] smtp.helo=psychz.net;
        x-aligned-from=pass (Address match);
        x-csa=none;
        x-me-sender=none;
        x-ptr=fail smtp.helo=psychz.net policy.ptr=mail.psychz.net;
        x-return-mx=pass header.domain=psychz.net policy.is_org=yes
        (MX Records found: mail.psychz.net);
        x-return-mx=pass smtp.domain=psychz.net policy.is_org=yes
        (MX Records found: mail.psychz.net);
        x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES256-GCM-SHA384
        smtp.bits=256/256;
        x-vs=clean score=0 state=0
    Authentication-Results: mx3.messagingengine.com;
        arc=none (no signatures found);
        bimi=skipped (DMARC Policy is not at enforcement);
        dkim=pass (2048-bit rsa key sha256) header.d=psychz.net
          [email protected] header.b=c1PS0gNp header.a=rsa-sha256
          header.s=default x-bits=2048;
        dmarc=pass policy.published-domain-policy=none
          policy.published-subdomain-policy=none policy.applied-disposition=none
          policy.evaluated-disposition=none (p=none,sp=none,d=none,d.eval=none)
          policy.policy-from=p header.from=psychz.net;
        iprev=pass smtp.remote-ip=216.99.144.35 (mail.psychz.net);
        spf=pass [email protected] smtp.helo=psychz.net;
        x-aligned-from=pass (Address match);
        x-csa=none;
        x-me-sender=none;
        x-ptr=fail smtp.helo=psychz.net policy.ptr=mail.psychz.net;
        x-return-mx=pass header.domain=psychz.net policy.is_org=yes
          (MX Records found: mail.psychz.net);
        x-return-mx=pass smtp.domain=psychz.net policy.is_org=yes
          (MX Records found: mail.psychz.net);
        x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES256-GCM-SHA384
          smtp.bits=256/256;
        x-vs=clean score=0 state=0
    X-ME-VSScore: 0
    X-ME-VSCategory: clean
    X-ME-CSA: none
    Received-SPF: pass
        (psychz.net: 216.99.144.35 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'mx' matched))
        receiver=mx3.messagingengine.com;
        identity=mailfrom;
        envelope-from="[email protected]";
        helo=psychz.net;
        client-ip=216.99.144.35
    Received: from psychz.net (mail.psychz.net [216.99.144.35])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mx3.messagingengine.com (Postfix) with ESMTPS
        for <my_email@address>; Mon, 31 May 2021 06:43:59 -0400 (EDT)
    DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=psychz.net;
        s=default; h=Content-Type:MIME-Version:Message-ID:Date:Subject:To:From:Sender
        :Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
        Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
        In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
        List-Post:List-Owner:List-Archive;
        bh=Mczb7jtw6fh44Wb8Loz+KdHju8e6NMy8VmBxadZySRg=; b=c1PS0gNpj3hb/gB5SD6Ag0tcKw
        kALYcVKXYXWhjpIwAXfObXqSVab7ViyNS+WPQkiHs8GqMx+5LOStL6X4iNQsgptQy6B8RU6xJYYLS
        V8v9jekcZldPDi+SZxpsTXeubXfGyyqMQLcX/XqfaY43BPg6mNVwmSR9SrTOsINYYLWaViM9on4Cn
        coRo65MHNXeLG2JWTHdPo+RqyIrBqEoNPSl6YK+Rfnv/aPYZtn6IZu6lyZB6k9J9fcrGEoxvxwGzh
        HP5sUaIF5pY0wVM5U9E1zs3g4o4TU6aOh42Eevjtg0Vdqh9+wPlKtI4MbqhDO3FOK8jJ1Z5TTI0mT
        bOCUgvtw==;
    Received: from [45.147.228.47] (port=64590)
        by psychz.unixbsd.info with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        (Exim 4.94.2)
        (envelope-from <[email protected]>)
        id 1lnfOj-0008CM-Rv
        for my_email@address; Mon, 31 May 2021 10:43:56 +0000
    
  • letbox Member, Patron Provider

    Well,

    Maybe we will see a lot of credit card payment attempts soon!

    Regards

  • ploxhost Member, Patron Provider

    Yep… got the same email here. I’m still questioning how they got our emails?

  • deank Member, Troll

    An employee selling the list is the likely case.

  • @deank said:
    An employee selling the list is the likely case.

    It's not just the mail list.
    Because the emails are SPF verified, it is more likely their mail servers are being hacked.

  • jar Patron Provider, Top Host, Veteran
    edited May 2021

    Yeah. I got it too. It's not good:

    2021-05-31 10:45:28 1lnfQ7-00014E-VF <= [email protected] H=mail.psychz.net (psychz.net) [216.99.144.35] P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=950905 DKIM=psychz.net [email protected] T="SERVER TERMINATION" from <[email protected]> for [email protected]

    jarlanddonnell@Jarlands-MacBook-Pro ~ % dig MX psychz.net +short
    0 mail.psychz.net.

    jarlanddonnell@Jarlands-MacBook-Pro ~ % host 216.99.144.35
    35.144.99.216.in-addr.arpa domain name pointer mail.psychz.net.

    jarlanddonnell@Jarlands-MacBook-Pro ~ % host mail.psychz.net
    mail.psychz.net has address 216.99.144.35

    Email: https://paste.mxrouteapps.com/?39162409d0985990#F7W52GNNbcPdom9nHDD6yAbRZgqHiGs7KjHAJ7JxUJG7

    Attachment: https://www.virustotal.com/gui/file/16b1d0cbb8eb4804ccedaed0abd454606f0d237abe3d4f8ac212ff3a027270c7/detection

    Initial suggestion that they've been compromised at some level is justified. Every email account that received one at MXroute looks like an address that may have been signed up for Psychz at some point.

  • popcorn yummy :#

  • This corn be popping!

  • iHavenoName Member
    edited May 2021

    Yes and according to Psychz:

    Hello,

    That email came from a spoof account using the email name of a JR tech of ours. The attachment has a virus/trojan that compromises the Windows OS workstation that opens it, so we recommend running malware and virus scan ASAP! Delete the email as well.

    Our security department is currently investigating the root of this spoof, so any emails requesting personal information or payment under this email account are not official PSYCHZ billing/sales, so we ask you to delete them.

    ProtonMail didn't catch it, because it's using the Psychz servers:

    Parsing header:
    0: Received: from psychz.net (mail.psychz.net [216.99.144.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailin021.protonmail.ch (Postfix) with ESMTPS id 4FtsCt1csBz3hhcs for <x>; Mon, 31 May 2021 10:36:42 +0000 (UTC)
    Hostname verified: mail.psychz.net
    Protonmail received mail from sending system 216.99.144.35
    
    1: Received: from [45.147.228.47] (port=64545) by psychz.unixbsd.info with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <[email protected]>) id 1lnfHg-0004qg-G4 for x; Mon, 31 May 2021 10:36:39 +0000
    No unique hostname found for source: 45.147.228.47
    Possible forgery. Supposed receiving system not associated with any of your mailhosts
    Will not trust this Received line.
    Tracking message source: 216.99.144.35:
    Routing details for 216.99.144.35
    [refresh/show] Cached whois for 216.99.144.35 : [email protected]
    Using abuse net on [email protected]
    abuse net psychz.net = [email protected], [email protected]
    Using best contacts [email protected] [email protected]
    Reports disabled for [email protected]
    Using noc#[email protected] for statistical tracking.
    [email protected] bounces (37 sent : 19 bounces)
    Using postmaster#[email protected] for statistical tracking.
    Message is 6 hours old
    216.99.144.35 not listed in cbl.abuseat.org
    216.99.144.35 not listed in dnsbl.sorbs.net
    216.99.144.35 not listed in accredit.habeas.com
    216.99.144.35 not listed in plus.bondedsender.org
    216.99.144.35 not listed in iadb.isipp.com
    
    Please make sure this email IS spam:
    From: [email protected] (SERVER TERMINATION)
    View full message
    
    Report Spam to:
    Re: 216.99.144.35 (Administrator of network where email originates)
     To: postmaster#[email protected] (Notes)
     To: noc#[email protected] (Notes)
    

    Total fucking bullshit. They still haven't sent out notices to customers, telling people to ignore those emails. I have to reply to them to be told "oh sorry, we've been compromised by a pissed off employee...please don't open those emails."

  • jar Patron Provider, Top Host, Veteran

    @iHavenoName said: That email came from a spoof account using the email name of a JR tech of ours

    Yeah, no it wasn't. It's not spoofing when someone sends an email from your mail server.

  • jackb Member, Host Rep
    edited May 2021

    @jar said:
    Initial suggestion that they've been compromised at some level is justified. Every email account that received one at MXroute looks like an address that may have been signed up for Psychz at some point.

    Headers I saw earlier looked like their mailserver might be relaying for unauthenticated users, or an authenticated user on their mailserver was compromised.

    Does that sound realistic to you?

  • @jar said:
    Yeah, no it wasn't. It's not spoofing when someone sends an email from your mail server.

    Exactly. They have a pissed off ex-employee, who fired off some emails before their creds were locked.

  • jar Patron Provider, Top Host, Veteran
    edited May 2021

    @jackb said: Headers I saw earlier looked like their mailserver might be relaying for unauthenticated users, or an authenticated user was compromised.

    Depends whether these headers were written by 45.147.228.47 or 216.99.144.35:

    X-Get-Message-Sender-Via: psychz.unixbsd.info: authenticated_id: [email protected]

    X-Authenticated-Sender: psychz.unixbsd.info: [email protected]

    I'd propose it was written by 216.99.144.35, writing the name given by the connecting system and the login address used to authenticate at 216.99.144.35.
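
The reasoning above can be turned into a check. The following is an added example (not code from anyone in this thread) that walks the Received chain oldest-hop-first and separates the IP the receiving MX evaluated SPF against from the client that authenticated to submit the message; the same check tells an open relay (no authenticated hop) from a compromised login (an esmtpsa hop). The sample headers are constructed from the ones posted above, with REDACTED and victim@example.com as placeholders for the redacted addresses.

```python
import re
from email import message_from_string

# Constructed sample modelled on the Received chain posted in this thread;
# REDACTED and victim@example.com are placeholders for the redacted addresses.
SAMPLE = """\
Authentication-Results: mx3.messagingengine.com;
    dkim=pass header.d=psychz.net;
    spf=pass smtp.mailfrom=REDACTED@psychz.net smtp.helo=psychz.net
Received: from psychz.net (mail.psychz.net [216.99.144.35])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by mx3.messagingengine.com (Postfix) with ESMTPS
    for <victim@example.com>; Mon, 31 May 2021 06:43:59 -0400 (EDT)
X-Authenticated-Sender: psychz.unixbsd.info: REDACTED@psychz.net
Received: from [45.147.228.47] (port=64590)
    by psychz.unixbsd.info with esmtpsa (TLS1.2) (Exim 4.94.2)
    (envelope-from <REDACTED@psychz.net>)
    for victim@example.com; Mon, 31 May 2021 10:43:56 +0000
From: REDACTED@psychz.net
Subject: SERVER TERMINATION

(body omitted)
"""

# RFC 3848 keywords (Exim writes them lower case): trailing "A" = client passed SMTP AUTH.
AUTH_PROTO = re.compile(r"^(?:e?smtp|utf8smtp)s?a$", re.I)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Reduce one Received: header to the fields needed for tracing."""
    flat = " ".join(value.split())  # unfold continuation lines
    ip = IPV4.search(flat)
    by = re.search(r"\bby\s+(\S+)", flat)
    # Take the "with" that follows "by", not the one in "TLSv1.2 with cipher".
    proto = re.search(r"\bby\s+\S+.*?\bwith\s+(\S+)", flat)
    keyword = proto.group(1) if proto else ""
    return {"from_ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "proto": keyword,
            "authenticated": bool(AUTH_PROTO.match(keyword))}


def trace(raw):
    """Separate the IP the receiving MX checked SPF against (newest hop) from
    the client that submitted the message (oldest authenticated hop)."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()  # header order is newest first; walk oldest first
    result = {"spf_evaluated_ip": hops[-1]["from_ip"] if hops else None,
              "submission_ip": None, "submission_server": None,
              "authenticated_as": None, "verdict": "no-received-headers"}
    auth_hop = next((h for h in hops if h["authenticated"]), None)
    if hops and auth_hop is None:
        # Nothing authenticated: an open relay, or the MTA itself originated it.
        result["verdict"] = "no-authenticated-hop"
    elif auth_hop:
        result["submission_ip"] = auth_hop["from_ip"]
        result["submission_server"] = auth_hop["by"]
        # Exim writes "<submission host>: <login>"; keep only the login.
        login = msg.get("X-Authenticated-Sender", "").split(":")[-1].strip()
        result["authenticated_as"] = login or None
        result["verdict"] = "authenticated-submission"
    return result
```

Run against the sample, SPF is evaluated against 216.99.144.35 while the submission came from 45.147.228.47 through an authenticated login, which is exactly why SPF and DKIM passing says nothing about who was at the keyboard.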

  • jar Patron Provider, Top Host, Veteran
    edited May 2021

    I would also propose that psychz.unixbsd.info is owned by Psychz. Possibly an old staging server. The unixbsd.info domain has some connection to them (ex. https://ipinfo.io/108.171.246.252), someone else might notice more connection than I do.

  • Hi All -

    We're still investigating the situation and will know more about the extent of the damage once we conduct a full investigation with our vendors.

    At the moment we can see that what is compromised is whatever the entry-level tech had access to. Essentially his workstation was compromised with a virus, thus giving the hacker access to our portal system. They then used his personal email account to send emails out to those seen above.

    This is one of the challenges with the pandemic, when techs are working from home instead of the office. Policies were in place to prevent this, such as running Ubuntu or a self-wiping system when working on a Windows system. Unfortunately that was not followed, thus we need to revisit the policies internally for all employees.

    From what we can see so far, 5% of our clients were sent the email seen above. Right now we have shut down his workstation and are doing full forensics on his machine.

    We're sending emails to those that were sent an email to ensure they did not open the attachment.

    In terms of billing information being compromised, that is highly unlikely.

    1. Our database server is locked down and shows no evidence of entry or downloads.
    2. Server credentials are required to be changed at the first provision of a server. (Thus server compromise / data loss is highly unlikely.)
    3. Routers/switches are not provided to entry-level techs.
    4. IPMI/routers/switches are all on private networks; there is no way to connect to them via entry points.

    Right now the concern is for those who received those emails, and that they not open them. As we conduct further investigation we'll know the extent of the damage.

    Those that were sent the email and have concerns, please reach out to our support team or DM me and we'll do the best we can to assist.

  • @jar said: Every email account that received one at MXroute looks like an address that may have been signed up for Psychz at some point.

    Do you think it's fair to look at incoming emails of your customers?

    Amazing...

  • jar Patron Provider, Top Host, Veteran
    edited May 2021

    @alexvolk said: Do you think it's fair to look at incoming emails of your customers?

    Absolutely. I do log audits every day in my efforts to protect customers from spam, viruses, and phishing emails. My customers demand that I look out for them in this way, and tying my hands behind my back doesn't help. It's part of my privacy policy and has been for as long as I can recall.

    We do monitor email logs and login activity so that we might be proactive in response to any issues whether technical or security. We do not read your email unless instructed by you to do so

    MXroute is a managed service provider, I am not hands-off.

  • serv_ee Member

    I rarely see eye to eye with @alexvolk, but in this case I do. I don't think telling people that you're actually checking emails is the best way to go. Just imho. Some of that responsibility must stay on the end user as well.

  • jar Patron Provider, Top Host, Veteran
    edited May 2021

    @serv_ee said: don't think telling people that you're actually checking emails is the best way to go

    [root@gateway] ~ # darun grep 216.99.144.35 /var/log/exim/mainlog

    Is the exact command I ran. If you want to be over dramatic, I guess feel free.

    I'm merely noting that the logs I observed appear to have a correlation to service providers. This is not new behavior for me, nor is making public the result of my work new. You should see this huge privacy violation where I list botnet IPs: https://github.com/mxroute/the_botnet

  • serv_ee Member

    @jar said:

    @serv_ee said: don't think telling people that you're actually checking emails is the best way to go

    [root@gateway] ~ # darun grep 216.99.144.35 /var/log/exim/mainlog

    Is the exact command I ran. If you want to be over dramatic, I guess feel free.

    I'm merely noting that the logs I observed appear to have a correlation to service providers.

    Don't think I was being over dramatic, but if you feel that way I'm sorry.

    I never thought anything bad by that, as I would never think you had any malicious intent with it, but again, like I said, some internet safekeeping responsibility should stay with the end user instead of you needing to look up emails.

  • jar Patron Provider, Top Host, Veteran
    edited May 2021

    @serv_ee said: some internet safekeeping responsibility should stay with the end user instead of you needing to look up emails

    That's not what my customers ask of me though, they believe it is my responsibility to keep them safe. Examining the impact of a virus email coming from a major service provider, which also was a former MXroute vendor, and then attempting mitigation if appropriate is absolutely something my customers would task me with.

    I have no desire to hide the findings from my daily work, where my findings are removed from any specific customer information. Please feel free to benefit from it:

    https://github.com/mxroute/rspamd_rules

    https://mxrbl.com/

  • serv_ee Member

    @jar said:

    @serv_ee said: some internet safekeeping responsibility should stay with the end user instead of you needing to look up emails

    That's not what my customers ask of me though, they believe it is my responsibility to keep them safe. Examining the impact of a virus email coming from a major service provider, which also was a former MXroute vendor, and then attempting mitigation if appropriate is absolutely something my customers would task me with.

    I have no desire to hide the findings from my daily work, where my findings are removed from any specific customer information. Please feel free to benefit from it:

    https://github.com/mxroute/rspamd_rules

    https://mxrbl.com/

    If that's what your customers want then of course, sorry to get involved.

    Have a nice day :)

  • deank Member, Troll

    A provider admits a possible fault, thus eliminating the need for responsibility from his customers.

    Then, LE user argues back, stating that users should bear some responsibility.

    Cannot please everyone.
