Apparent new phishing attack on the forums
Moderator: Oberlus
- Krill Swarm
- Posts: 13
- Joined: Fri Apr 30, 2004 11:18 am
Apparent new phishing attack on the forums
I got an e-mail on my mail account that's connected with these forums today, addressing me by "#uname" and informing me that I had a new private message. There was a link to a forum that looks exactly like this one, but addressed by IP address rather than through DNS. I do not have a new private message on these forums. It seems apparent that this is a phishing scam, and I thought I'd post this as a warning.
- Geoff the Medio
- Programming, Design, Admin
- Posts: 13587
- Joined: Wed Oct 08, 2003 1:33 am
- Location: Munich
Re: Apparent new phishing attack on the forums
Elethiomel wrote: I do not have a new private message on these forums.
You probably actually did have a private message, but it was deleted when I deleted the user that sent it, before you had a chance to read it.
I think I've limited PMs to 3 recipients for most forum members, so similar spamming should be more difficult in future.
- Krill Swarm
- Posts: 13
- Joined: Fri Apr 30, 2004 11:18 am
Re: Apparent new phishing attack on the forums
That makes more sense than someone going to the trouble of setting up another version of this forum just to get our passwords. This forum is pretty small fry, and I can understand bots going at it, but I was baffled at what seemed like actual effort.
- Geoff the Medio
- Programming, Design, Admin
- Posts: 13587
- Joined: Wed Oct 08, 2003 1:33 am
- Location: Munich
Re: Apparent new phishing attack on the forums
The link to an IP address is still a bit odd, though. There are automated emails you can configure the forum to send for PMs, though I don't use them, so I don't know what they would normally look like. Perhaps it was just a local DNS oddity for you?
Also, it's probably possible to set up a redirecting server to capture login attempts but otherwise relay page requests to the actual freeorion.org server, along with many other phpBB-hosting domains, without need to set up anything special beyond an entry in a list of domains to relay to. We don't use https, so I suppose there's nothing stopping someone from implementing man-in-the-middle attacks of that sort...
Re: Apparent new phishing attack on the forums
I can confirm that I have also received this e-mail. I've included the header, in case one of you feels like digging into the source. The IP used in the e-mail does seem to be this board, so there may simply be some bug going on.
Code:
Return-path: <[email protected]>
Received: from smtp20.tb.mail.iss.as9143.net ([212.54.42.152])
by mta2z1.tb.mail.iss.as9143.net
(Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit))
with ESMTP id <[email protected]> for
[CENSORED]; Wed, 14 Sep 2011 17:35:50 +0200 (CEST)
Received: from mx9.tb.mail.iss.as9143.net ([212.54.42.108])
by smtp20.tb.mail.iss.as9143.net with esmtp (Exim 4.71)
(envelope-from <[email protected]>) id 1R3rV6-0003Gb-Q5 for [CENSORED]; Wed,
14 Sep 2011 17:35:48 +0200
Received: from irazu.pair.com ([209.68.3.253]) by mx9.tb.mail.iss.as9143.net
with smtp (Exim 4.71) (envelope-from <[email protected]>)
id 1R3rV5-0006ZF-4L for [CENSORED]; Wed, 14 Sep 2011 17:35:47 +0200
Received: (qmail 38298 invoked by uid 65534); Wed, 14 Sep 2011 15:35:45 +0000
Date: Wed, 14 Sep 2011 09:20:18 -0400
From: [email protected]
Subject: =?UTF-8?B?TmV3IHByaXZhdGUgbWVzc2FnZSBoYXMgYXJyaXZlZA==?=
Sender: [email protected]
To: =?UTF-8?B?U2Fp?= <[CENSORED]>
Reply-to: [email protected]
Message-id: <[email protected]>
MIME-version: 1.0
X-MIMEOLE: phpBB3
X-Mailer: phpBB3
Content-type: text/plain; charset=UTF-8
Content-transfer-encoding: 8BIT
X-Priority: 3
X-MSMail-priority: Normal
X-phpBB-Origin: phpbb://209.197.90.23/forum
X-ZiggoMX-MailScanner-Information: Please contact the ISP for more information
X-ZiggoMX-MailScanner-ID: 1R3rV5-0006ZF-4L
X-ZiggoMX-MailScanner: Found to be clean
X-ZiggoMX-MailScanner-SpamCheck: geen spam
X-ZiggoMX-MailScanner-From: [email protected]
X-ZiggoSMTP-MailScanner-Information: Please contact the ISP for more information
X-ZiggoSMTP-MailScanner-ID: 1R3rV6-0003Gb-Q5
X-ZiggoSMTP-MailScanner: Found to be clean
X-ZiggoSMTP-MailScanner-SpamCheck: geen spam, SpamAssassin (niet cached,
score=-0.42, vereist 5, BAYES_00 -1.90, CM_CTENC_8BIT 0.10,
FREEMAIL_FROM 0.50, NORMAL_HTTP_TO_IP 0.00, NO_REAL_NAME 0.10,
SPF_NEUTRAL 0.78)
X-ZiggoSMTP-MailScanner-From: [email protected]
Original-recipient: rfc822;[CENSORED]
X-Spam-Status: No
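
Added example, not part of any post in this thread and not phpBB's own code: a small triage script for a notification mail like the one whose header is posted above. It decodes the RFC 2047 subject, reads the `X-phpBB-Origin` host, and separates body links whose host is an IP literal (the trait the scanner output lists as `NORMAL_HTTP_TO_IP`) from links with DNS names. The sample message, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.header import decode_header, make_header
from urllib.parse import urlsplit

# Constructed sample: documentation IPs and hypothetical domains, not the
# message from the thread. Header names and encodings follow the posted header.
SAMPLE = """\
From: board@forum.example
To: =?UTF-8?B?U2Fp?= <user@mail.example>
Subject: =?UTF-8?B?TmV3IHByaXZhdGUgbWVzc2FnZSBoYXMgYXJyaXZlZA==?=
X-Mailer: phpBB3
X-phpBB-Origin: phpbb://192.0.2.23/forum

Hello #uname,
You have a new private message:
http://192.0.2.23/forum/ucp.php?i=pm&mode=view
Board index: http://forum.example/index.php
"""

URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s<>\"']+", re.I)

def host_is_ip(url):
    """True when the URL's host is an IPv4/IPv6 literal, not a DNS name."""
    host = urlsplit(url).hostname
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False

def triage(raw):
    """Decode the subject and split body links into IP-literal and named hosts."""
    msg = message_from_string(raw)
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    origin = msg.get("X-phpBB-Origin", "")
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    links = URL_RE.findall(body)
    return {
        "subject": subject,
        "origin_host": urlsplit(origin).hostname,
        "origin_is_ip": host_is_ip(origin),
        "ip_links": [u for u in links if host_is_ip(u)],
        "named_links": [u for u in links if not host_is_ip(u)],
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An IP-literal link whose address matches the board's own `X-phpBB-Origin` host points to a configuration quirk on the real server; one that differs from it is worth a closer look.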