Protonmail warning message

milex (Member, joined Jul 8, 2017, 66 messages)
Hi,

I'm just wondering if the admin who posted the warning message about protonmail being unsafe to use could elaborate more please?

As a web developer, the issue outlined in the warning makes very little sense. I have a feeling that the admin who issued the message may be the victim of a "man-in-the-browser" attack (MITB). This is caused by malware running on the user's local machine, most likely created by someone targeting DBG.

Protonmail uses end-to-end encryption, so the concept of emails being intercepted by a scammer is impossible unless a man-in-the-browser attack is being used or vendors have had their protonmail passwords phished and accounts compromised, but this seems extremely unlikely on a wide scale.

Another possibility could be a data breach and leak of protonmail accounts and passwords, but this would have been widely reported on in the tech community, plus protonmail uses bcrypt to hash user passwords, so passwords being leaked in plain text would be next to impossible even if a data breach had occurred.

I'd recommend using Malwarebytes to scan for MITB malware on your machine.

@milex Agree with everything you said! The problem is highly unlikely with Protonmail itself and most definitely with vendors who've been targets of phishing attacks and had their emails compromised and all their contacts stolen. Protonmail by default adds anyone you email to your contact list, so getting all contacts is very easy. This has been happening to a lot of RC vendors lately and it was only a matter of time before it happened here. Selling those email addresses or continuing to phish using those addresses would be the obvious next step for a hacker. It is mostly happening with protonmail users here because that's the email most people use on here. The problem seems to be isolated to here because I have received phishing attempts, but only to an email I use solely with vendors here, and it's not the email associated with my user account here. Not trying to argue or contradict anyone, especially Admin, but Protonmail seems extraordinarily safe; human error like falling for a phishing attack (or any social engineering tactic) is where all security breaks down and is the basis of 90% of all hacks.

Stay safe y’all!

If the scammer is using protonmail contact lists to try and phish customers, I've emailed several high profile vendors using their protonmail accounts in the past (most vendors from the email sources thread) and I haven't received any phishing emails to my protonmail account. So I think it's safe to assume this is probably localised to a very small number of DBG vendors (perhaps just one) and isn't cause to abandon using protonmail altogether, but rather just to be vigilant of suspicious emails.

More information is needed on which vendor account(s) have been compromised though.

I received a couple of these a few days ago and reported the phishing attempt to ProtonMail. In both cases the emails appear to be from protonmail.com addresses, though the "from" header also references a tutanota address.

The body of the message contained a tinyurl link which redirected to a fake ProtonMail authentication page, including hotlinked assets from protonmail.com.

So, aside from the fact that the emails are tailored to collecting ProtonMail credentials, I don't see anything that differentiates them from other phishing emails. Of course it would be interesting to know how the target email addresses are being collected, but at this point I don't think there is any inherent danger in using ProtonMail.

As always, stay safe. Choose really good passwords, rotate them periodically, don't share passwords across accounts, use VPN or Tor, be aware of what plugins run in your browser (and what permissions they have), use encryption, etc.

Just my 2 cents.

I think it's best to wait for the admins to contact all vendors with protonmail accounts to confirm which vendor(s) have had their accounts compromised. But instructing all vendors with protonmail accounts to change their email seems unnecessary in my opinion though. Protonmail is still a very safe and secure platform, the admins just need to identify the compromised account(s) and warn the vendor(s).

But that's just my opinion, I don't mean to step on anyone's toes. I'm sure we'll be updated soon.

I have received two bogus emails in my Proton Mail account this past week. The first one was the tutanota email with the bitly link that others received, and the other one appeared to be from DHL asking me to log in to track and verify a package shipment. It was bogus as well since I have not ordered anything being shipped by DHL.

I do know I've given my Proton Mail address to only one person, a vendor on this site, in the past 6 to 8 months, and that was about two weeks ago. I am not saying this specific vendor shared/sold my address because I have no proof, but it would be interesting to find out how many others had the same experience after giving out their email address.

If Proton Mail was aware of a large scale scamming operation on their sites, they would have at least asked everyone to change their passwords. I've received no communication from them, but I did change my password to something a good bit stronger and turned on 2-Password Authentication. You used to be required to implement 2-Password on Proton Mail but they removed that requirement over a year ago. BTW, this is a little off topic, but almost ALL system hacks occurred because of compromised passwords.

@GungHo That seems pretty conclusive. It might be best to PM an admin to let them know which vendor it was. If this leak of DBG users is down to one vendor it could save a lot of time and hassle.

@GungHo That seems pretty conclusive. It might be best to PM an admin to let them know which vendor it was. If this leak of DBG users is down to one vendor it could save a lot of time and hassle.
My thoughts exactly 🙂 Thanks!

Someone just reported that they got scammed via this protonmail situation. Apparently the hacker responded to an email reply from within the same thread, but from seemingly an entirely different email address. Not nearly enough info to understand what's happening yet, but definitely a warning to check sender headers on all emails and/or hold off on ordering altogether until this gets figured out and aired out... stay safe everyone!

Question: for those of us who have received the phishing/scam emails (myself included), would it be wise to at least change our pr0ton mail address, since the scammer could theoretically continue to use our leaked email address even at a future time? I am thinking that is what the warning is telling us to do, but I am wondering if still using pr0ton is ok if I change the address?

I thought that pr0ton mail in itself seemed to be a safe email provider. It seems that the leak of a lot of our addresses could have happened with any email provider if the vendor who was hacked/scammed clicked a bogus link or was hacked in some other way? Or am I incorrect about that? Genuinely asking as I do not know.

I am glad that the warning is posted on DBG as it seems like there may be people who do not know about phishing methods/scam links and so on. I know I have a LOT more to learn and plan on reading up!! I am thankful that the admins are on it and are sharing the info for our protection!! Just trying to decide whether to switch to tutan0ta or just a new pr0tonmail address...

Mere speculation, but if it's true that a malicious agent is capable of responding within an email thread from an entirely different email address (and email provider!) then I would say Protonmail itself has been in some way compromised, possibly just at the browser level but still compromised. I mean only a user that's been phished (I assume, as I haven't heard of this particular attack) could be compromised, but that could be any vendor (or member) at any time, which would effectively make Protonmail unsafe in terms of this specific attack, hence Admin's warning. Has anyone heard of this kind of attack?!

Mere speculation, but if it's true that a malicious agent is capable of responding within an email thread from an entirely different email address (and email provider!) then I would say Protonmail itself has been in some way compromised, possibly just at the browser level but still compromised. I mean only a user that's been phished (I assume, as I haven't heard of this particular attack) could be compromised, but that could be any vendor at any time, which would effectively make Protonmail unsafe, hence Admin's warning. Has anyone heard of this kind of attack?!
It could well be an elaborate man-in-the-browser attack (MITB) set up by someone in the DBG community. First phishing a vendor account to obtain a contact list of DBG users, then sending out phishing emails which install the MITB malware. I don't understand exactly how it would work, but MITB malware can be used to modify webpages and possibly hijack email exchanges (making you think you're sending an email to one account when actually it's been sent to another). I'd urge anyone who has clicked on a suspicious link they received in their protonmail account to download Malwarebytes and run a scan.

However, if this is happening when using the protonmail iPhone/Android app then that is very scary indeed.

Only just saw this thread, but I'm reposting below what I posted in the other thread on this:

I've also been receiving the phishing emails in my Protonmail account. There were quite a few at the end of last week and a few this week.

I stand to be corrected on this, but it's very unlikely that Protonmail itself has been compromised. That would be big news if it had. What's far more likely is that a vendor's (or vendors') email account was compromised, the email addresses contained in the address book were harvested and those addresses were spammed with these phishing emails. Clicking on any of the links/opening any of the attachments in those emails likely means either your device was infected with malware and/or your Protonmail account has been compromised. Either way, it's a big problem for all of us.

All members (and vendors for that matter) should ensure they are free of malware and change their mail account passwords asap.

@milex An MitB attack does sound likely, but why would they have to use a different email address to send within protonmail? Why not just hijack the browser and send from the browser as normal? I am not up to date on a lot of existing attacks, though I know there's been a lot of work on trying to fully compromise Protonmail as it's one of the preferred emails of choice of a lot of human rights activists....

@lookinforthebiscuits The problem with the theory that it's simply a compromised password associated with a vendor account is the same as I mentioned above: the scam emails are within existing email threads but come from an entirely different email address and provider. If it was a mere account takeover the hacker would just send from the account as normal, which we've seen a lot recently in the RC community.

@lookinforthebiscuits The problem with the theory that it's simply a compromised password associated with a vendor account is the same as I mentioned above: the scam emails are within existing email threads but come from an entirely different email address and provider. If it was a mere account takeover the hacker would just send from the account as normal, which we've seen a lot recently in the RC community.
@DoomKitty I take your point, but on the basis the attacker has access to the compromised account, wouldn't they be able to spoof a reply in the thread by simply copying the subject line and sending to the compromised account from a similar looking or completely spoofed email address?

@lookinforthebiscuits There's too little info so it's hard to wrap my brains around it, but I'm not sure that method would show up in the same thread in Protonmail that way. I mean I don't have enough info from the reporting member who got scammed to really know what the format looked like, but generally protonmail treats each new response as its own entity, so a copy/paste of the entire convo with a spoofed email wouldn't work as it would reduce the whole thread to just one response, if that makes sense. In the way you're thinking of it, is the vendor or the customer compromised?

edit: I forgot protonmail looks different on phones and each reply in a thread is completely separate and not tied to the others visibly, so in that case a spoofed email might work. The member said the response with the fake btc address happened "almost immediately", so that has to be a well executed spoof if that's the case.
