Psychz mail system seems to be hacked....
PhantomPain
Member
Has anyone else received the phishing email titled 'SERVER TERMINATION' from Psychz?
Comments
Just because you get a phishing email doesn't mean the mail server of Psychz is compromised.
Check the headers/source of the email.
Phishing != "mail system hacked".
I just got this (and posted it) and it freaked me out. Checking the headers, it baffles me that it passed SPF and landed on my Inbox.
Received the same email (we have Psychz services), not 100% sure if it is just a targeted phishing campaign or something worse.
Yeah, got one with attachment. Antivirus was not very happy.
Can anyone post the email header?
Well,
Maybe we will see a lot of credit card payment attempts soon!
Regards
Yep… got the same email here. I’m still questioning how they got our emails?
That an employee sold the list is the likely case.
It's not just the mail list.
Because the emails are SPF verified, it is more likely their mail servers are being hacked.
Yeah. I got it too. It's not good:
2021-05-31 10:45:28 1lnfQ7-00014E-VF <= [email protected] H=mail.psychz.net (psychz.net) [216.99.144.35] P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=950905 DKIM=psychz.net [email protected] T="SERVER TERMINATION" from <[email protected]> for [email protected]
jarlanddonnell@Jarlands-MacBook-Pro ~ % dig MX psychz.net +short
0 mail.psychz.net.
jarlanddonnell@Jarlands-MacBook-Pro ~ % host 216.99.144.35
35.144.99.216.in-addr.arpa domain name pointer mail.psychz.net.
jarlanddonnell@Jarlands-MacBook-Pro ~ % host mail.psychz.net
mail.psychz.net has address 216.99.144.35
Email: https://paste.mxrouteapps.com/?39162409d0985990#F7W52GNNbcPdom9nHDD6yAbRZgqHiGs7KjHAJ7JxUJG7
Attachment: https://www.virustotal.com/gui/file/16b1d0cbb8eb4804ccedaed0abd454606f0d237abe3d4f8ac212ff3a027270c7/detection
Initial suggestion that they've been compromised at some level is justified. Every email account that received one at MXroute looks like an address that may have been signed up for Psychz at some point.
popcorn yummy
This corn be popping!
Yes and according to Psychz:
ProtonMail didn't catch it, because it's using the Psychz servers:
Total fucking bullshit. They still haven't sent out notices to customers, telling people to ignore those emails. I have to reply to them to be told "oh sorry, we've been compromised by a pissed off employee...please don't open those emails."
Yeah, no it wasn't. It's not spoofing when someone sends an email from your mail server.
Headers I saw earlier looked like their mailserver might be relaying for unauthenticated users, or an authenticated user on their mailserver was compromised.
Does that sound realistic to you?
Exactly. They have a pissed off ex-employee, who fired off some emails before their creds were locked.
Depends whether these headers were written by 45.147.228.47 or 216.99.144.35:
X-Get-Message-Sender-Via: psychz.unixbsd.info: authenticated_id: [email protected]
X-Authenticated-Sender: psychz.unixbsd.info: [email protected]
I'd propose it was written by 216.99.144.35, writing the name given by the connecting system and the login address used to authenticate at 216.99.144.35.
I would also propose that psychz.unixbsd.info is owned by Psychz. Possibly an old staging server. The unixbsd.info domain has some connection to them (ex. https://ipinfo.io/108.171.246.252), someone else might notice more connection than I do.
Hi All -
We're still investigating the situation and will know more about the extent of the damage once we conduct a full investigation with our vendors.
At the moment we can see that what is compromised is whatever the entry-level tech had access to. Essentially his workstation was compromised with a virus, thus giving the hacker access to our portal system. They then used his personal email account to send emails out to those seen above.
This is one of the challenges with the pandemic, when techs are working from home instead of the office. Policies were in place to prevent this, such as running Ubuntu or a self-wiping system when working on a Windows system. Unfortunately that was not followed, thus we need to revisit the policies internally for all employees.
From what we can see so far, 5% of our clients were emailed the email seen above. Right now we have shut down his workstation and are doing full forensics on his machine.
We're sending emails to those who were sent the email to ensure they did not open the attachment.
In terms of billing information being compromised, that is highly unlikely.
Right now the concern is for those who received those emails not to open them. As we conduct further investigation we'll know the extent of the damage.
Those that were sent the email and have concerns please reach out to our support team or DM me and we'll do the best we can to assist.
Do you think it's fair to look at the incoming emails of your customers?
Amazing...
Absolutely. I do log audits every day in my efforts to protect customers from spam, viruses, and phishing emails. My customers demand that I look out for them in this way, and tying my hands behind my back doesn't help. It's part of my privacy policy and has been for as long as I can recall.
We do monitor email logs and login activity so that we might be proactive in response to any issues, whether technical or security. We do not read your email unless instructed by you to do so.
MXroute is a managed service provider, I am not hands-off.
I rarely see eye to eye with @alexvolk but in this case I do, don't think telling people that you're actually checking emails is the best way to go. Just imho. Some of that responsibility must stay on the end user as well.
[root@gateway] ~ # darun grep 216.99.144.35 /var/log/exim/mainlog
Is the exact command I ran. If you want to be over-dramatic, I guess feel free.
I'm merely noting that the logs I observed appear to have a correlation to service providers. This is not new behavior for me, nor is making public the result of my work new. You should see this huge privacy violation where I list botnet IPs: https://github.com/mxroute/the_botnet
Don't think I was being over-dramatic, but if you feel that way I'm sorry.
I never thought anything bad of that, as I would never think you had any malicious intent with it, but again, like I said, some internet safekeeping responsibility should stay with the end user instead of you needing to look up emails.
That's not what my customers ask of me though, they believe it is my responsibility to keep them safe. Examining the impact of a virus email coming from a major service provider, which also was a former MXroute vendor, and then attempting mitigation if appropriate is absolutely something my customers would task me with.
I have no desire to hide the findings from my daily work, where my findings are removed from any specific customer information. Please feel free to benefit from it:
https://github.com/mxroute/rspamd_rules
https://mxrbl.com/
If that's what your customers want then of course, sorry to get involved.
Have a nice day
A provider admits a possible fault, thus eliminating the need for responsibility from his customers.
Then, an LE user argues back, stating that users should bear some responsibility.
Cannot please everyone.