Fake Hetzner Invoice Notification Email
Hi everyone, I recently received a fake email claiming to be from Hetzner about an unpaid invoice, asking me to update payment details via a suspicious link. Clearly a phishing attempt!
I'm also curious—how do you think scammers are getting our emails?

Stay safe!


Comments
You may have left it on a forum or with some other service provider, which was hacked or something. Difficult to say and not worth wasting your energy on. This one is obvious at least, love the .fr domain
Mass email or leak?
Share full email headers.
I saw a notification about phishing emails for Hetzner recently. It seems these are targeting them, which makes sense for such a big company. You can always check their status page for info on some of them, for example:
https://status.hetzner.com/incident/2e715748-fddd-427b-a07b-b34a5a9edee3
As mentioned, check the headers for who is sending the emails and contact the provider.
You can check exactly where your email was leaked at https://haveibeenpwned.com
Recently, the Internet Archive's 'The Wayback Machine' suffered a data breach, exposing 31 million records.
wow.... welcome to the internet.... news from the 90s....
if you have $20k you can just buy a hacked whmcs database.
that being said, there have been several email leaks in lowend* (only remember tempest, cloudie, ihostart, alexhost)
I don't use this email in any service!
I think it's a targeted attack.
Return-Path: Support@tiralarc-cd93.fr
Received: from
by with LMTP
id WNZNKfmbGGdXQyEAg/Uozw
(envelope-from Support@tiralarc-cd93.fr); Wed, 23 Oct 2024 08:47:21 +0200
Return-path: Support@tiralarc-cd93.fr
Envelope-to:
Delivery-date: Wed, 23 Oct 2024 08:47:21 +0200
Received: from mta.tiralarc-cd93.fr ([]:44275)
by with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.98)
(envelope-from Support@tiralarc-cd93.fr)
id 1t3V9E-000000099xG-2LDZ
for
Wed, 23 Oct 2024 08:47:21 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=1729660531.cd93; d=tiralarc-cd93.fr;
h=Content-Type:MIME-Version:From:To:Subject:Date:Message-ID:List-Unsubscribe;
[email protected];
bh=ZT5zRDNJDrFcrAEpiYo4fA64VSOwQw4mBuiAt7zA0M4=;
b=tGRV9eldFZc+Xct5QhIhTjVPnEOOVkbjyAEezT9y6qrD3jxQSXWdkiECmO0PIVMUM1oAXLjvcBwI
vc+wxjrAg/xBwscIoyLO0RsGhNj4kJwbqp9PwdFTSSx9dInt2gwRKJT+co5tmXRpU5MujGfl7Jpq
SHKnANt4+g2d0GyyCxs=
Content-Type: multipart/mixed; boundary="===============5198484465431758356=="
MIME-Version: 1.0
From: Support-Hetzner Support@tiralarc-cd93.fr
To:
Subject: Unpaid Invoice Notification
Date: Wed, 23 Oct 2024 06:46:32 +0000
Message-ID: <172966599260.12960.3939346944779587473@WIN-UQ5FMEP9ISF>
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Mozilla Thunderbird
X-Auto-Response-Suppress: All
Precedence: bulk
List-Unsubscribe: unsubscribe@tiralarc-cd93.fr
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin (version 3.4.0)
X-Spam-Status: No, score=2.3
X-Spam-Score: 23
X-Spam-Bar: ++
X-Ham-Report: Spam detection software, running on the system "",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: Urgent: Payment Method Update Required Dear Client,
Content analysis details: (2.3 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE: The query to
zen.spamhaus.org was blocked due to usage of an
open resolver. See
https://www.spamhaus.org/returnc/pub/
[listed in zen.spamhaus.org]
0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The
query to Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243
for more information.
[listed in sa-trusted.bondedsender.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URI: mega-fun.nl]
[URI: tiralarc-cd93.fr]
0.0 URIBL_DBL_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to
dbl.spamhaus.org was blocked due to usage of an
open resolver. See
https://www.spamhaus.org/returnc/pub/
[URI: tiralarc-cd93.fr]
[URI: hetzner.mega-fun.nl]
0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to
Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243
for more information.
[listed in sa-accredit.habeas.com]
-0.0 SPF_PASS SPF: sender matches SPF record
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
envelope-from domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
[score: 0.5000]
1.6 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of words
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
X-Spam-Flag: NO
Yes, I think they are targeting the email servers hosted on Hetzner.
Thank you, but it's not listed in this list; that's why I think it's a targeted attack.
xD
I don't think the email is leaked
You used your current email on something that had a breach. Enjoy
No, I didn't use this email in any service
impossible, or-- your computer is hijacked.
This is a commonly occurring theme where users are randomly sent emails in the hope that some will consider this a normal invoice and pay up.
Doesn't matter if the provider has a breach or otherwise.
I get weekly emails for bestbuy/ anti virus orders
Yes I'm 100% sure that I don't use that email but the email server itself on hetzner
I get these regularly. They're all sent to the info@ e-mail address that's on the contact page of a domain that's hosted on the dedi. They're probably just trawling something like the letsencrypt logs for a list of possible domains and then crawling for e-mail addresses on IPs owned by Hetzner.
The e-mails are so obviously fake (for instance, they're not even attempting to use plausible sounding domain names for the sender e-mail), I'm surprised anyone could be even taken in by them.
Yes, I think this is how they get the email, from the dedicated server IP lookup since it's hosted on Hetzner, but not all people focus on the email address sent from providers, and I'm not saying this is a good thing, because most of them are from mailchimp, noreply@hell etc.
I too got it 3 days ago. Actually my renewal is on the 30th, so why this early? I was suspicious and then saw the link to a third-party malicious site.
Seems the email/domain is hosted on Ionos, just forward the email to their abuse team and be done
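
Added example, not part of any post in this thread: the headers quoted above show SPF and DKIM passing for tiralarc-cd93.fr while the display name reads "Support-Hetzner", so authentication results alone do not flag this message. The Python below compares the display name against a brand allow-list instead; the `BRANDS` mapping, the function names and the trimmed sample message are assumptions constructed for illustration.

```python
import email
from email.utils import parseaddr

# Assumption: brand keyword -> domains that brand really sends from.
BRANDS = {"hetzner": {"hetzner.com", "hetzner.de"}}

# Constructed sample: a few header fields from the thread, with the angle
# brackets that the forum rendering stripped put back.
SAMPLE = """\
Return-Path: <Support@tiralarc-cd93.fr>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=1729660531.cd93; d=tiralarc-cd93.fr; h=From:To:Subject
From: Support-Hetzner <Support@tiralarc-cd93.fr>
Subject: Unpaid Invoice Notification

(body omitted)
"""

def org_domain(value):
    """Last two DNS labels; a simplification, real code should use the Public Suffix List."""
    host = value.rsplit("@", 1)[-1].strip().strip(".").lower()
    return ".".join(host.split(".")[-2:])

def dkim_domains(msg):
    """Collect the d= (signing domain) tag of every DKIM-Signature header."""
    found = set()
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in sig.split(";"):
            key, _, val = tag.strip().partition("=")
            if key.strip() == "d" and val.strip():
                found.add(org_domain(val))
    return found

def assess(raw):
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = org_domain(addr)
    # Brand named in the display name, but the sending domain is not the brand's.
    impersonated = [b for b, doms in BRANDS.items()
                    if b in display.lower() and from_dom not in doms]
    return {
        "from_domain": from_dom,
        # A d= tag matching From (signature not verified here) only ties the
        # mail to from_dom; it says nothing about who owns that domain.
        "dkim_aligned": from_dom in dkim_domains(msg),
        "impersonated": impersonated,
    }

if __name__ == "__main__":
    print(assess(SAMPLE))
```
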