ARCHIVE: Australian Ham Radio Discussion Forum ( AHRDF )
Hack attempt ?? Locking out WIA.ORG.AU email ?? - Printable Version

+- ARCHIVE: Australian Ham Radio Discussion Forum ( AHRDF ) (https://www.ahrdf.net/forum)
+-- Forum: GENERAL (https://www.ahrdf.net/forum/forum-29.html)
+--- Forum: General Discussion (https://www.ahrdf.net/forum/forum-9.html)
+--- Thread: Hack attempt ?? Locking out WIA.ORG.AU email ?? (/thread-995.html)



Hack attempt ?? Locking out WIA.ORG.AU email ?? - VK4ADC - 09-10-2020

I received an intriguing email this morning. Subject was 'Your email Vk4adc@wia.org.au account will be blocked'.

The body of the email :
 
'Your email Vk4adc@&domain& account will be blocked from your Domain wia.org.au  in response to a complaint received by the administration.

According to provision 13.3 of Terms and Conditions, wia.org.au Admin may at any time, terminate its Services for your account and all your data will be lost


To re-validate your account Download setup configuration below and update to οrgαnιzed mαilbοx to αvοid being De-actιvαted

Thanks
wia.org.au  Admin will continue to provide these additional steps to keep your account safe.


and it had a .htm attachment named 'CLICK-HERE-TO-UPGRADE-vk4adc@wia.org.au.htm'

This would seem to be a poorly constructed hack of some type - so poor that I didn't click on the .htm attachment - but I did save it and viewed the html source. Nothing dangerous was immediately evident but the coded blocks could contain anything. 

The details in the properties of the email were interesting too :
'Received: from mf01.add.adl.fog.net.au (mf.add.adl.fog.net.au [223.25.224.80] (may be forged))

by wia.org.au (8.14.7/8.14.7) with ESMTP id 098EeHAt025078
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
for <vk4adc@wia.org.au>; Fri, 9 Oct 2020 01:10:17 +1030
Received: from moneyyy.vps-ams1.blazingfast.io (moneyyy [5.206.224.57])
by mf01.add.adl.fog.net.au  with ESMTP id 098EbWxg006305-098EbWxh006305
for <vk4adc@wia.org.au>; Fri, 9 Oct 2020 01:07:32 +1030
Received: by moneyyy.vps-ams1.blazingfast.io (Postfix, from userid 33)
id E4601C40C0; Thu,  8 Oct 2020 14:02:41 +0000 (UTC)'

moneyyy.vps-ams1.blazingfast.io  ??  

Scam ? I think so !!  And definitely not from the WIA....


TO BE SAFE, IGNORE AND DELETE !!!!


RE: Hack attempt ?? Locking out WIA.ORG.AU email ?? - VK3RX - 09-10-2020

Thanks for the heads up.

I gather from "And definitely not from the WIA" you informed them. They've had no other reports?


RE: Hack attempt ?? Locking out WIA.ORG.AU email ?? - VK5TM - 09-10-2020

The received from address 'moneyyy......' traces back to a Chinese hacking site and the ip address after that comes up as an invalid address also - definitely a hack attempt.


RE: Hack attempt ?? Locking out WIA.ORG.AU email ?? - VK4ADC - 09-10-2020

Damien

No, I haven't advised the WIA because it is literally nothing to do with them. 
Sure, it is a hack attempt via their email redirection facility and unless they can put spam or IP filtering in place on redirections then they can do nothing to stop them.  I know that I can't do either of those on my mail server, and who is to say the IP will remain constant anway.

I considered the best idea was to promulgate/expose the hack message for what it was.

Doug


RE: Hack attempt ?? Locking out WIA.ORG.AU email ?? - VK3RX - 09-10-2020

I think the WIA would like to know though.

They might then issue something to members to make them aware of the issue and that the emails are not from them.


RE: Hack attempt ?? Locking out WIA.ORG.AU email ?? - VK2CSW - 10-10-2020

Rather than a "hacking" attempt I would characterise this as a phishing or 'layer 8' attempt.

I imagine the .htm page would have then either asked for or redirected you to a page that asked you to re-enter your credentials and possibly account, bank or credit card details.

Further I would not entirely rule out a delivery of a malware package in the process.

As general rule, one should never click on any link or attachment until you are satisfied that you know where the email came from and that it is legitimate.

I would, as a courtesy, inform the WIA, however I suspect the bad guys are not running this through or anywhere near the WIA, they have just harvested your email address and are sending hundreds of the same (although customised) email to hundreds of different email addresses via a spoofed source address.