
[Important] Beware Of Blesta Phishing Scam



Posted

If you received an email like this, ignore it. The email contains an encoded admin_login.php file, DO NOT UPLOAD IT TO YOUR SERVER.

 

From: Blesta Support <blesta.com@gmail.com>
Date: 2014-09-24 18:26 GMT+02:00
Subject: Zero-day exploit \ Hotfix

 

Hi First Last!

A hotfix has been released for Blesta that addresses a bug discovered in
3.2.2.

This hotfix is very IMPORTANT and should be installed immadiately, because
otherwise your admin area is not secure.

We are sorry that we cannot give more information about this hotfix, but it
is very safety-critical.

You can find the hotfix in attachment, please upload it to /app/controllers
and replace the existing file.

Please logout after installing it and login again into the staff area,
because the hash algorithm changed.

As usual, a big thanks to everyone who reported and confirmed this bug, we
appreciate your help.

Best Regards
Paul Phillips
Blesta CEO

 

Posted

If you received an email like this, ignore it. The email contains an encoded admin_login.php file, DO NOT UPLOAD IT TO YOUR SERVER.

 

 

I have not received it to peek at the code. If anyone uploads that file, what does it do?

If we "fingerprint" the code we can try to see the source of the malware (underground forums, blogs, IRC, etc.) and know who is responsible for this :)

Posted

I have not received it to peek at the code. If anyone uploads that file, what does it do?

If we "fingerprint" the code we can try to see the source of the malware (underground forums, blogs, IRC, etc.) and know who is responsible for this :)

 

I have the file, but my attempt to decode it using a popular service failed. My guess is that it probably captures your login credentials and emails the attacker.

Posted

I have the file, but my attempt to decode it using a popular service failed. My guess is that it probably captures your login credentials and emails the attacker.

 

If you want, we can try to decode it; we have some powerful decoding tools ;)

Posted

Lol, I used to see such kiddies trying to get Facebook accounts using phishing... but now it is Blesta. I suppose the users of such software are not that naive to fall for this one... most of them are hosting providers... I guess.

 

It is also not hard to check the sender email address: if it is Blesta's official email address then go for it, otherwise it is an obvious scam.

Posted

I emailed you a copy from our phillipsdata gmail.

 

Every tool we tested didn't decrypt the file :( I think it is encoded with the latest ionCube encoders, and we only support IC <= 7 and PHP <= 5.3 to decode. We will try to get the latest decoders and post back :)

Posted

So tempted to get a small vps testing server and install Blesta and check the logs daily lol

 

That's clever, I was thinking of the same... lol :D .... By the way, thanks for informing us.

Posted

Lol, I used to see such kiddies trying to get Facebook accounts using phishing... but now it is Blesta. I suppose the users of such software are not that naive to fall for this one... most of them are hosting providers... I guess.

 

It is also not hard to check the sender email address: if it is Blesta's official email address then go for it, otherwise it is an obvious scam.

 

It's easy to spoof from addresses. You should never trust emails like this, regardless of who they look like they're from. We will never send patches via email.
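The indicators the thread points at (a free-mail sender carrying the vendor's name, a PHP file as a "patch", and instructions to upload it to a server path) can be checked mechanically at the mail gateway. The following is an added example, not code from Blesta or from anyone in this thread; the sample message is constructed from the headers and wording quoted above, the attachment body is a placeholder, and `OFFICIAL_DOMAIN = "blesta.com"` is an assumption used only for the lookalike check.

```python
import email
import re
from email import policy
from email.utils import parseaddr

OFFICIAL_DOMAIN = "blesta.com"  # assumption: the vendor's real sending domain
# Constructed sample mirroring the scam mail quoted in the thread; the
# attachment body is a placeholder, not the real encoded file.
RAW_MAIL = b"""From: Blesta Support <blesta.com@gmail.com>
Subject: Zero-day exploit \\ Hotfix
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You can find the hotfix in attachment, please upload it to /app/controllers
and replace the existing file.
--b1
Content-Type: application/octet-stream; name="admin_login.php"
Content-Disposition: attachment; filename="admin_login.php"

<?php /* placeholder */
--b1--
"""

def phishing_indicators(raw: bytes) -> list[str]:
    # Returns the reasons a message looks like the scam described in the thread.
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    hits = []
    # Vendor name/domain in the display name or local part, but the actual
    # sending domain is something else (blesta.com@gmail.com): lookalike sender.
    brand = OFFICIAL_DOMAIN.split(".")[0]
    if domain.lower() != OFFICIAL_DOMAIN and (
        OFFICIAL_DOMAIN in local.lower() or brand in name.lower()
    ):
        hits.append(f"lookalike sender: {addr}")
    # A real vendor patch does not arrive as a server-side script attachment.
    for part in msg.iter_attachments():
        fn = part.get_filename() or ""
        if fn.lower().endswith((".php", ".phtml")):
            hits.append(f"executable attachment: {fn}")
    # Instructions to drop the attachment into a path on the server.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if re.search(r"upload it to\s+/\S+", text, re.I):
        hits.append("asks to upload attachment to a server path")
    return hits
```

None of these checks replaces SPF/DKIM/DMARC verification of the envelope sender; they catch the social-engineering shape of the message even when the From header is forged to look legitimate.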

Posted

This is how to tell it is a fake:

"We are sorry that we cannot give more information about this hotfix, but it is very safety-critical."

I don't know any developer that would NOT give the reason for a hotfix.

Posted

This is how to tell it is a fake:

"We are sorry that we cannot give more information about this hotfix, but it is very safety-critical."

I don't know any developer that would NOT give the reason for a hotfix.

 

It's like WHM** they and cPanel do a fix and release more information two weeks later so people don't get affected. What the idiot who sent it forgot was Blesta doesn't send emails, and they announce what it sort of is and who found it if someone did outside the team.

Posted

If you received an email like this, ignore it. The email contains an encoded admin_login.php file, DO NOT UPLOAD IT TO YOUR SERVER.

It takes balls to sign your name to their scam. heh...

I am glad that we have to log in to our blesta account to get patches, betas and new versions. This keeps them safer.

Posted

I have the file, but my attempt to decode it using a popular service failed. My guess is that it probably captures your login credentials and emails the attacker.

Can you email me the file, I'd like to take a stab at manually decoding it.

Posted

It takes balls to sign your name to their scam. heh...

I am glad that we have to log in to our blesta account to get patches, betas and new versions. This keeps them safer.

 

The patches and new versions are public and can be downloaded by anyone. We upload them to our download manager to save customers time if they wish to use them, but they are only for logged-in users, as the best place to get them is direct. Except betas, which are closed to Blesta customers only.
