Apparent new phishing attack on the forums

For topics that do not fit in another sub-forum.

Moderators: Oberlus, Oberlus

Elethiomel
Krill Swarm
Posts: 13
Joined: Fri Apr 30, 2004 11:18 am

Apparent new phishing attack on the forums

#1 Post by Elethiomel » Wed Sep 14, 2011 8:06 pm

I got an e-mail on my mail account that's connected with these forums today, addressing me by "#uname" and informing me that I had a new private message. There was a link to a forum that looks exactly like this one, but addressed by IP address rather than through DNS. I do not have a new private message on these forums. It seems apparent that this is a phishing scam, and I thought I'd post this as a warning.

Geoff the Medio
Programming, Design, Admin
Posts: 12642
Joined: Wed Oct 08, 2003 1:33 am
Location: Munich

Re: Apparent new phishing attack on the forums

#2 Post by Geoff the Medio » Wed Sep 14, 2011 8:50 pm

Elethiomel wrote: I do not have a new private message on these forums.
You probably actually did have a private message, but it was deleted when I deleted the user that sent it, before you had a chance to read it.

I think I've limited PMs to 3 recipients for most forum members, so similar spamming should be more difficult in future.

Elethiomel
Krill Swarm
Posts: 13
Joined: Fri Apr 30, 2004 11:18 am

Re: Apparent new phishing attack on the forums

#3 Post by Elethiomel » Wed Sep 14, 2011 8:54 pm

That makes more sense than someone going to the trouble of setting up another version of this forum just to get our passwords. This forum is pretty small fry, and I can understand bots going at it, but I was baffled at what seemed like actual effort.

Geoff the Medio
Programming, Design, Admin
Posts: 12642
Joined: Wed Oct 08, 2003 1:33 am
Location: Munich

Re: Apparent new phishing attack on the forums

#4 Post by Geoff the Medio » Wed Sep 14, 2011 8:56 pm

The link to an IP address is still a bit odd, though. There are automated emails you can configure the forum to send for PMs, though I don't use them, so I don't know what they would normally look like. Perhaps it was just a local DNS oddity for you?

Also, it's probably possible to set up a redirecting server to capture login attempts but otherwise relay page requests to the actual freeorion.org server, along with many other phpBB-hosting domains, without need to set up anything special beyond an entry in a list of domains to relay to. We don't use https, so I suppose there's nothing stopping someone from implementing man-in-the-middle attacks of that sort...

Sai
Pupating Mass
Posts: 94
Joined: Sat Feb 23, 2008 9:15 pm

Re: Apparent new phishing attack on the forums

#5 Post by Sai » Thu Sep 15, 2011 2:49 am

I can confirm that I have also received this e-mail. I've included the header, in case one of you feels like digging into the source. The IP used in the e-mail does seem to be this board, so there may simply be some bug going on.


Return-path: <[email protected]>
Received: from smtp20.tb.mail.iss.as9143.net ([212.54.42.152])
 by mta2z1.tb.mail.iss.as9143.net
 (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit))
 with ESMTP id <[email protected]> for
 [CENSORED]; Wed, 14 Sep 2011 17:35:50 +0200 (CEST)
Received: from mx9.tb.mail.iss.as9143.net ([212.54.42.108])
 by smtp20.tb.mail.iss.as9143.net with esmtp (Exim 4.71)
 (envelope-from <[email protected]>)	id 1R3rV6-0003Gb-Q5	for [CENSORED]; Wed,
 14 Sep 2011 17:35:48 +0200
Received: from irazu.pair.com ([209.68.3.253])	by mx9.tb.mail.iss.as9143.net
 with smtp (Exim 4.71)	(envelope-from <[email protected]>)
 id 1R3rV5-0006ZF-4L	for [CENSORED]; Wed, 14 Sep 2011 17:35:47 +0200
Received: (qmail 38298 invoked by uid 65534); Wed, 14 Sep 2011 15:35:45 +0000
Date: Wed, 14 Sep 2011 09:20:18 -0400
From: [email protected]
Subject: =?UTF-8?B?TmV3IHByaXZhdGUgbWVzc2FnZSBoYXMgYXJyaXZlZA==?=
Sender: [email protected]
To: =?UTF-8?B?U2Fp?= <[CENSORED]>
Reply-to: [email protected]
Message-id: <[email protected]>
MIME-version: 1.0
X-MIMEOLE: phpBB3
X-Mailer: phpBB3
Content-type: text/plain; charset=UTF-8
Content-transfer-encoding: 8BIT
X-Priority: 3
X-MSMail-priority: Normal
X-phpBB-Origin: phpbb://209.197.90.23/forum
X-ZiggoMX-MailScanner-Information: Please contact the ISP for more information
X-ZiggoMX-MailScanner-ID: 1R3rV5-0006ZF-4L
X-ZiggoMX-MailScanner: Found to be clean
X-ZiggoMX-MailScanner-SpamCheck: geen spam
X-ZiggoMX-MailScanner-From: [email protected]
X-ZiggoSMTP-MailScanner-Information: Please contact the ISP for more information
X-ZiggoSMTP-MailScanner-ID: 1R3rV6-0003Gb-Q5
X-ZiggoSMTP-MailScanner: Found to be clean
X-ZiggoSMTP-MailScanner-SpamCheck: geen spam, SpamAssassin (niet cached,
	score=-0.42, vereist 5, BAYES_00 -1.90, CM_CTENC_8BIT 0.10,
	FREEMAIL_FROM 0.50, NORMAL_HTTP_TO_IP 0.00, NO_REAL_NAME 0.10,
	SPF_NEUTRAL 0.78)
X-ZiggoSMTP-MailScanner-From: [email protected]
Original-recipient: rfc822;[CENSORED]
X-Spam-Status: No
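
A way to triage headers like the ones quoted in post #5, as an added example that is not part of the original thread: it decodes the RFC 2047 subject, lists the relay named in each Received line, and checks whether the board in X-phpBB-Origin identifies itself by IP literal rather than hostname. The sample is an abridged copy of the headers above with addresses omitted; the function names are this example's own.

```python
import ipaddress
import re
from email import message_from_string
from email.header import decode_header, make_header
from urllib.parse import urlsplit

# Abridged from the headers quoted in post #5 (addresses and queue ids omitted).
SAMPLE = """\
Received: from mx9.tb.mail.iss.as9143.net ([212.54.42.108])
 by smtp20.tb.mail.iss.as9143.net with esmtp (Exim 4.71); Wed, 14 Sep 2011 17:35:48 +0200
Received: from irazu.pair.com ([209.68.3.253])
 by mx9.tb.mail.iss.as9143.net with smtp (Exim 4.71); Wed, 14 Sep 2011 17:35:47 +0200
Subject: =?UTF-8?B?TmV3IHByaXZhdGUgbWVzc2FnZSBoYXMgYXJyaXZlZA==?=
X-Mailer: phpBB3
X-phpBB-Origin: phpbb://209.197.90.23/forum

"""

def is_ip_literal(host):
    """True when host parses as an IPv4 or IPv6 address instead of a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(raw):
    msg = message_from_string(raw)
    # Decode encoded-words such as =?UTF-8?B?...?= into readable text.
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    hops = []
    for received in msg.get_all("Received", []):
        # "from <helo name> ([<ip>])" as written by Exim in the sample.
        m = re.search(r"from\s+(\S+)\s+\(\[([0-9a-fA-F:.]+)\]\)", received)
        if m:
            hops.append((m.group(1), m.group(2)))
    origin = urlsplit(msg.get("X-phpBB-Origin", ""))
    return {
        "subject": subject,
        "hops": hops,                                # newest hop first
        "earliest_hop": hops[-1] if hops else None,  # host that handed mail to the ISP
        "origin_host": origin.hostname,
        "origin_is_ip": bool(origin.hostname) and is_ip_literal(origin.hostname),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Received lines are only trustworthy from the recipient's own mail servers backwards to the first host they accepted the message from; anything earlier in the chain is supplied by the sender.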
