Protonmail warning message

I have received these spoof emails this week also. What is a good alternative secure email service?

 
@lookinforthebiscuits There’s too little info so it’s hard to wrap my brains around it, but I’m not sure that method would show up in the same thread in Protonmail that way. I mean I don’t have enough info from the reporting member who got scammed to really know what the format looked like, but generally Protonmail treats each new response as its own entity, so a copy/paste of the entire convo with a spoofed email wouldn’t work, as it would reduce the whole thread to just one response, if that makes sense. In the way you’re thinking it, is the vendor or the customer compromised?
With a man-in-the-browser exploit it would be the customer who is compromised. The MITB exploit is basically the same as an XSS exploit but executed via malware on the customer's computer rather than a security flaw in the Protonmail platform. It could allow the scammer to change the dashboard source code within the user's browser so all emails are BCC'd to the scammer's own email address. The customer and legitimate vendor could create an email thread and the scammer could jump in at any time without the legitimate vendor knowing and without breaking the thread... This is all speculation, mind; I'm just a web developer and not a cyber security expert. I'd also be surprised if Windows Defender wasn't able to detect and quarantine MITB malware, plus modern browsers should prevent an exploit like that from running; it would take a REALLY sophisticated bit of malware to pull off an exploit like that. I'm sure there's a much simpler explanation to all this, but for anyone using Protonmail to contact vendors I'd suggest using the mobile app and being very cautious until we know more.

 
@DoomKitty The way I'm thinking it, initially the vendor(s) was compromised, then the customer. The customer still doesn't know s/he's compromised but the scammer can see their email account and correspondence with the vendor and is now masquerading as the vendor by inserting themselves into the thread using the same subject line by emailing the customer from a spoofed or similar looking email address.

Convoluted, I know, but, assuming the member's report is correct (I know which report you're referring to, I saw it as well) I can't see how else that could be accomplished beyond some very sophisticated malware, or Protonmail being compromised, which seems very unlikely. I know what you're saying about Protonmail treating each new response as its own entity (I don't know if that's the case at this point), but, assuming that's correct, it still doesn't explain what happened to the reporting member, since the reply they received was from a different, albeit similar-looking, email address, which should have created a new thread.

Anyway, as you say, best to wait for some more reports to come in. If anyone has experienced any loss as a result of this current problem, please post in this thread in as much detail as possible (obviously without compromising anyone's security). Better to keep it here than in the vendor threads.

 
@milex thanks for your expertise. It's far beyond mine and I only have the ability to relay the information as it comes to me. One of the persons affected is very tech savvy so I feel like this is not amateurish. He attempted making a new account and I believe he said from a different computer, but still had the same issues. 

I will keep adding information to this thread and I invite anyone else affected to tell their experience. Then perhaps the experts among us will be able to weigh in and give their opinions. I'm just a forum mod and no security expert.

 
PS: this has been a problem reported to me by several people, not just a single incident, and it is in regard to various vendors as well, with the common thread being Protonmail.

I'm getting all kinds of crazy emails on there myself, but have not initiated any orders. One that a few of us have received is from lockandload@tutanota.com titled "confidential email".

Then I am also getting "please confirm your DHL deliveries", "please confirm your email", and I am just swiping them directly to trash, but I can see that they are all from Tutanota addresses.

 
@2earls Exactly the same here. First ones purported to be from Protonmail ("Upgrade Your Account"), then the lockandload ones, then the DHL one. lockandload ones were apparently from Tutanota. The DHL one apparently from a Protonmail account. All of them went straight to the trash.

 
@2earls If someone created a new account on a different computer and still had the same issues, then it must be the vendor's Protonmail account that is compromised. Do you have a count on how many vendors this is happening with?

 
I posted about this because I lost ~130 due to this.

I was receiving/sending email to —@protonmail.com about my order and when I received the original btc address to send to from the real vendor email, the btc address didn’t work so I requested a new one.

My new btc address came almost instantly, which shoulda set off a flag, but I assumed the vendor was on their email at that moment. I sent btc to the address and they said I could double the order for only $100 more, which I didn’t have, and I declined and never heard back since.

Looked back just today since I hadn’t heard from realvendor@protonmail.com, and noticed the second btc address was sent from realvendor@tutanota.com (scammer).

All in the same single thread of emails originating from the real vendor.

I haven’t heard back since emailing the real vendor about what happened; no hard feelings obviously, as it was my fault. I am not sure if the vendor hasn’t seen my emails yet or maybe has lost contact with that email/deleted it, IDK as of right now.

This is far beyond my comprehension, I’m just explaining what went down and how.

EDIT: I haven’t received any of the above-mentioned emails, however, only the Tutanota email mirroring the Protonmail vendor.

 
@milex I believe it originated with the customer, but once he emailed the vendor they were able to get into that account. Judging from the number of us who received these emails, it seems like the scammer got hold of one of our vendors' contact lists. He believes that they cannot originate contact from the vendor email, only respond to emails sent, and that's when they give the false bitcoin address.

 
@Ruger2506 Thanks for your post and sorry about your loss. It was your report to which @DoomKitty and I were referring earlier in the thread.

Have you taken all the obvious precautions like changing your email password, enabling 2FA and checking your device is free from malware? If not, you should do that ASAP.

 
@2earls Exactly the same here. First ones purported to be from Protonmail ("Upgrade Your Account"), then the lockandload ones, then the DHL one. lockandload ones were apparently from Tutanota. The DHL one apparently from a Protonmail account. All of them went straight to the trash.
I'm getting all kinds of crazy emails on there myself, but have not initiated any orders. One that a few of us have received is from lockandload@tutanota.com titled "confidential email".

Then I am also getting "please confirm your DHL deliveries", "please confirm your email", and I am just swiping them directly to trash, but I can see that they are all from Tutanota addresses.
These are the emails I received as well. I reported some as phishing/spam and others I just deleted.

 
@milex Yes mobile app on iPhone.

I've only reset my phone to factory and have changed my password, but will most likely make a new email.

 
@milex Yes mobile app on iPhone.

I've only reset my phone to factory and have changed my password, but will most likely make a new email.
That is completely bizarre. iPhones can’t be infected with malware. The vendor's account must have been compromised, but assuming the scammer had control of the vendor's account, why send the false btc address from a different email? And how? I can’t wrap my head around it, but it seems like vendors are being phished and having their accounts compromised. I think it’s important that all vendors using any email service be made aware, change their passwords, enable 2FA, check their email activity logs, scan for malware etc. I still don’t believe there’s an issue with Protonmail as a service; I believe it to be safe and secure, but both vendors and customers alike should be on high alert and extremely vigilant when it comes to account security and suspicious emails.

I’m sorry you lost money because of this 😕 it could have happened to anyone.

 
@milex Yeah, the way it happened was so smooth it was very easy to fall for.

In hindsight, I could have and should have paid more attention to the email address and noticed when it changed.

I wonder if the scammer can only mimic the vendor’s email by using @tutanota.com or if they are actually sending from the vendor’s @protonmail.com email. So the only thing you’d have to look out for is if you suddenly receive emails from an address that differs from the vendor’s.
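
The check this post describes (watching for a reply whose address differs from the vendor's), written up as an added Python example that is not from the forum or from any Proton/Tuta software; the sample thread is constructed and mirrors the realvendor@protonmail.com / realvendor@tutanota.com report above.

```python
"""Flag messages in an e-mail thread whose sender is not the address the
thread was started with. Added example with constructed sample data."""
from email.utils import parseaddr


def split_addr(addr):
    """Return (local_part, domain) of an address, lower-cased.
    Accepts both 'user@example.com' and 'Name <user@example.com>' forms."""
    _, email_addr = parseaddr(addr)
    local, _, domain = email_addr.lower().rpartition("@")
    return local, domain


def check_thread(messages, trusted_sender):
    """messages: list of dicts with a 'from' header value.
    Returns (index, sender, reason) for every message that did not come from
    trusted_sender, classifying the mismatch so lookalikes stand out."""
    t_local, t_domain = split_addr(trusted_sender)
    findings = []
    for i, msg in enumerate(messages):
        local, domain = split_addr(msg["from"])
        if (local, domain) == (t_local, t_domain):
            continue  # genuine sender, nothing to flag
        if local == t_local and domain != t_domain:
            reason = "same name, different domain (lookalike)"
        elif domain == t_domain:
            reason = "same domain, different mailbox"
        else:
            reason = "unrelated sender in thread"
        findings.append((i, msg["from"], reason))
    return findings


# Constructed sample thread: two real replies, then the lookalike address
# that sent the second btc address in the report above.
SAMPLE_THREAD = [
    {"from": "realvendor@protonmail.com", "subject": "Re: order"},
    {"from": "Real Vendor <realvendor@protonmail.com>", "subject": "Re: order"},
    {"from": "realvendor@tutanota.com", "subject": "Re: order"},
]

if __name__ == "__main__":
    for idx, sender, reason in check_thread(SAMPLE_THREAD, "realvendor@protonmail.com"):
        print(f"message {idx} from {sender}: {reason}")
```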

 
Might not be a bad idea to check Proton authentication logs and sessions under Settings > Security. The logs can be wiped, but if they have been, that could also be telling.

 
@DoomKitty Thank you, will do. So far, I've only been talking to 1 vend0r and have not had any suspicious links. Even if I did, I would never click on them.

 