Anyone got Metamask Phishing mail on your Berohost specific Email
Hello Yurier
I got this
Title: Bank-Level Protection for Your Wallet {Noreply} #274164787
Sender is: "metamask.io | [email protected]"

This mail was sent to my email that was specifically only for berohost
I have asked 2 different LET users, and they both received the same email on their Berohost exclusive mailbox
I cannot provide any header since it's forwarded mail. But probably others can do this
Anyone got this too?


Comments
Can I have your seed please
From my outlook email that received it directly: https://fumo.me/api/snippet/OPbnPgyunuhS/raw
Anything but public obscene allow. But my DM always open for that
Can you leak the mail, regards
[email protected]
Can you send me the time they sent that mail? I'm unable to find one mail like that from either spambox or inbox
yes, just got that too. also on my bero-host specific alias.
"This email failed anti-phishing checks when it was received by SimpleLogin, be careful with its content. More info on anti-phishing measure"
From what I saw on @beanman109. Bro got around 13:08:00 +0000. I got on 13:25:00 +00.00
I received it at 6:08AM PST
Gotta do what you gotta do, hardware aint cheap @berohost 22k btc in my friends wallet please email [email protected]
Hello, I confirm I received mine at 2:24 PM Central European Time today
I have dedicated email alias for Bero, so it's definitely from them in some way. Hopefully not the customer DB and instead just some newsletter list 🙃
I have not received it, but iirc I had opted out of newsletters.
+1 on this. I received the same phishing email today on my specific berohost only alias.
What's more concerning: I just dug through my spam folder and found another similar email sent to this exact alias on February 17th that I completely missed until today. So, it looks like this leak isn't a new development and their list has been compromised for over a month now.
I've already contacted berohost support about the leak but haven't received any answer so far. Really hoping they step in here soon to explain exactly what happened and what data was accessed.
@berohost any statement on this tho
So far, we have no information indicating that any data has been stolen. We ask affected customers to notify us via a support ticket so that we can investigate the matter further.
I also saw a similar email in the spam mail. It seems like everyone is the same
Um, I didn't get it, but I'm opted out of the newsletter so I'm probably the same as @655
They prob got API leaked?
Actually @655, does your email have an alias? postfix +
Yeah I got it to the email I use in my berohost account. 4 hours ago at 13:21 +00.00
Looking at headers I don't see any specific mailing list / software used? So kinda uhmmm fucked?
Well they probably pulled the customer emails (and other stuff) from Berohost and sent just usual spam.
Some don't add any extra identifying headers.
Also never considered that if they had access to the mailing software they could've just exported the list and sent it using something else?
I didn't opt in to newsletter and didn't receive the email. My account is relatively new tho
also got it, mail was used only for bero.
I was not subscribed to the newsletter

yes it does
Are you guys sure this is something new?
Bero-host has been using lottie-player@latest (2.0.12) for some time, but lottie-player versions 2.0.5–2.0.7 had a similar security issue more than a year ago, where hackers were targeting MetaMask and other wallets in phishing attacks.
I think those who were affected saw a strange popup when they visited a website that used lottie-player.
Your email addresses might have been scraped through that vulnerability back then.
Be aware that the email headers posted in the thread show that the email was sent using compromised AWS SES credentials belonging to scep.gob.gt (Guatemalan government)*. Because it’s sent from a high-reputation AWS IP, basic spam filters are bypassed.
Earlier, similar phishing emails sent from less trusted IP addresses might have been filtered, deleted, or rejected before they reached your inbox.
In other words, it might be an old email address leak that has been fixed a long time ago.
*I haven’t looked into this, but IP addresses belonging to scep.gob.gt have some security issues where you can download PHP code etc and might be why their mail server is/was compromised.
Edit: I just noticed that AWS SES is not authorized as a sender, but DMARC is set to p=none (monitor only). It's not a scep.gob.gt server that sent the phishing mail. It might still be an old leak.
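The header reasoning in the comment above (sender not authorized for the From domain, DMARC at p=none) and the SimpleLogin anti-phishing warning quoted earlier can be reproduced on any saved message. This is an added example, not part of the thread; the headers are constructed, every `.example` domain is a placeholder, and alignment is simplified to a subdomain check rather than a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers for illustration; not the headers posted in the thread.
PHISH = """\
Return-Path: <0100abc@bounces.relay.example>
From: "metamask.io | support" <noreply@agency.example>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounces.relay.example;
 dkim=pass header.d=relay.example;
 dmarc=fail (p=NONE) header.from=agency.example
Subject: constructed sample

body
"""
CLEAN = PHISH.replace("relay.example", "agency.example") \
             .replace("dmarc=fail", "dmarc=pass") \
             .replace('"metamask.io | support"', '"Agency"')

def aligned(auth_domain, from_domain):
    # Simplified relaxed alignment: identical, or one is a subdomain of the other.
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def triage(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    from_domain = addr.rsplit("@", 1)[-1].lower()
    ar = " ".join((msg["Authentication-Results"] or "").split())  # unfold header
    verdict = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    spf_dom = re.search(r"smtp\.mailfrom=(?:[^\s;@]*@)?([\w.-]+)", ar)
    dkim_dom = re.search(r"header\.d=([\w.-]+)", ar)
    policy = re.search(r"\bp=(\w+)", ar)
    findings = []
    # A pass only counts toward DMARC if the authenticated domain matches From.
    spf_ok = verdict.get("spf") == "pass" and spf_dom and aligned(spf_dom.group(1), from_domain)
    dkim_ok = verdict.get("dkim") == "pass" and dkim_dom and aligned(dkim_dom.group(1), from_domain)
    if not (spf_ok or dkim_ok):
        findings.append("no aligned SPF or DKIM pass")
    if verdict.get("dmarc") != "pass" and policy and policy.group(1).lower() == "none":
        findings.append("DMARC failed but p=none: receiver told to monitor, not reject")
    # Display name that advertises a domain other than the real From domain.
    claimed = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", display.lower())
    if claimed and not aligned(claimed.group(0), from_domain):
        findings.append(f"display name claims {claimed.group(0)}, address is @{from_domain}")
    return findings
```

`triage(PHISH)` returns three findings and `triage(CLEAN)` returns none; the SPF and DKIM "pass" results in the phishing sample belong to the relay's own domain, which is why they do not help the From domain pass DMARC.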
I also got the phishing mail, same sender etc.
Someone def. breached something.
Received same email, a few hours ago. I don't have a unique email, but I usually don't get any spam to this one ._.
something's sure going on and @berohost doesn't seem to care much as per their previous comment.