Protonmail warning message

I have received these Spoof emails this week also. What is good alternative secured email service? 

 
DoomKitty said:
@lookinforthebiscuits There’s too little info so it’s hard to wrap my brains around it, but Im not sure that method would show up in the same thread in Protonmail that way. I mean i don’t have enough info from the reporting member who got scammed to really know what the format looked like but generally protonmail treats each new response as its own entity so a copy/paste of the entire convo with a spoofed email wouldn’t work as it would reduce the whole thread to just one response if that makes sense.   In the way you’re thinking it, is the vendor or the customer compromised?
Click to expand...
With a man-in-the-browser exploit it would be the customer who is compromised. The MITB exploit is basically the same as an XSS exploit but executed via malware on the customer computer rather than a security flaw in the protonmail platform. It could allow the scammer to change the dashboard source-code within the users browser so all emails are BCC'd to the scammers own email address. The customer and legitimate vendor could create an email thread and the scammer could jump in at any time without the legitimate vendor knowing and without breaking the thread,... This is all speculation mind, I'm just a web developer and not a cyber security expert. I'd also be surprised if Windows Defender wasn't able to detect and quarantine MITB malware, plus modern browsers should prevent an exploit like that from running, it would take a REALLY sophisticated bit of malware to pull off an exploit like that. I'm sure there's a much simpler explanation to all this, but for anyone using protonmail to contact vendors I'd suggest using the mobile app and being very cautious until we know more.

 
Last edited by a moderator:
@DoomKitty The way I'm thinking it, initially the vendor(s) was compromised, then the customer. The customer still doesn't know s/he's compromised but the scammer can see their email account and correspondence with the vendor and is now masquerading as the vendor by inserting themselves into the thread using the same subject line by emailing the customer from a spoofed or similar looking email address.

Convoluted I know, but, assuming the member's report is correct (I know which report you're referring to, I saw it as well) I can't see how else that could be accomplished beyond some very sophisticated malware, or Protonmail being compromised which seems very unlikely. I know what you're saying about Protonmail treating each new response as its own entity (I don't know if that's the case at this point), but, assuming that's correct, it still doesn't explain what happened to the reporting member, since the reply they received was from a different, but albeit similar looking email address, which should have created a new thread.

Anyway, as you say, best to wait for some more reports to come in. If anyone has experienced any loss as a result of this current problem, please post in this thread in as much detail as possible (obviously without compromising anyone's security). Better to keep it here than in the vendor threads.

 
@milex thanks for your expertise. It's far beyond mine and I only have the ability to relay the information as it comes to me. One of the persons affected is very tech savvy so I feel like this is not amateurish. He attempted making a new account and I believe he said from a different computer, but still had the same issues. 

I will keep adding information to this thread and I invite anyone else affected to tell their experience. Then perhaps the experts among us will be able to weigh in and give their opinions. I'm just a forum mod and no security expert.

 
PS this has been a problem reported to me by several people, not just a single incident and it is regards to various vendors as well with the common thread being Protonmail.

I'm getting all kinds of crazy emails on there myself, but have not initiated any orders . One that a few of us have received is from lockandload@tutanota.com titled "confidential email ".

Then I am also getting "please confirm your DHL deliveries", "please confirm your email " and I am just swiping them directly to trash, but I can see that they are all from Tutanota addresses.

 
@2earls Exactly the same here. First ones purported to be from Protonmail ("Upgrade Your Account"), then the lockandload ones, then the DHL one. lockandload were apparently from tutanota. The DHL apparently from a Protonmail account. All of them went straight to the trash.

 
@2earls if someone created a new account on a different computer and still had the same issues then it must be the vendors protonmail account that is compromised. Do you have a count on how many vendors this is happening with?

 
I posted about this because I lost ~130 due to this.

I was receiving/sending email to —@protonmail.com about my order and when I received the original btc address to send to from the real vendor email, the btc address didn’t work so I requested a new one.

My new btc address came almost instantly which shoulda set off a flag but I assumed vendor was on their email at that moment.  I send btc to address and they say I can double the order for only $100 more that I didn’t have and I declined and never heard back since.

Looked back just today since I hadn’t heard from realvendor@protonmail.com, and noticed the second btc address was sent from realvendor@tutanota.com(scammer).

All in the same single thread of emails originating from the real vendor. 
 

I haven’t heard back since emailing the real vendor about what happened, no hard feelings obviously as it was my fault.  I am not sure if vendor hasn’t seen my emails yet or maybe has lost contact with that email/deleted it IDK as of right now

.

This is far beyond my comprehension, I’m just explaining what went down and how.

EDIT: I haven’t received any of the above mentioned emails however, only the tutanota email mirroring the protonmail vendor.

 
Last edited by a moderator:
@milex I believe it originated with the customer, but once he emailed the vendor they were able to get into that account. Judging from the number of us who received these emails it seems like the scammer got ahold of one of our vendor's contacts list. He believes that they cannot originate contact from the vendor email, only respond to emails sent and that's when they give the false bitcoin address. 

 
@Ruger2506 Thanks for your post and sorry about your loss. It was your report to which myself and @DoomKitty were referring earlier in the thread.

Have you taken all the obvious precautions like changing your email password, enabling 2FA and checking your device is free from malware? If not, you should do that asap.

 
lookinforthebiscuits said:
@2earls Exactly the same here. First ones purported to be from Protonmail ("Upgrade Your Account"), then the lockandload ones, then the DHL one. lockandload were apparently from tutanota. The DHL apparently from a Protonmail account. All of them went straight to the trash.
Click to expand...
2earls said:
I'm getting all kinds of crazy emails on there myself, but have not initiated any orders . One that a few of us have received is from lockandload@tutanota.com titled "confidential email ".

Then I am also getting "please confirm your DHL deliveries", "please confirm your email " and I am just swiping them directly to trash, but I can see that they are all from Tutanota addresses.
Click to expand...
These are the emails I received as well. I reported some as phishing/spam and others I just deleted.

 
@milex Yes mobile app on iPhone.

Ive only reset my phone to factory and have changed pass but will most likely make new email.

 
Ruger2506 said:
@milex Yes mobile app on iPhone.

Ive only reset my phone to factory and have changed pass but will most likely make new email.
Click to expand...
That is completely bizarre. iPhones can’t be infected with malware. The vendors account must have been compromised, but assuming the scammer had control of the vendors account, why send the false btc address from a different email? And how? I can’t wrap my head around it, but it seems like vendors are being phished and having their accounts compromised. I think it’s important that all vendors using any email service be made aware, change their passwords, enable 2FA, check their email activity logs, scan for malware etc... I still don’t believe there’s an issue with protonmail as a service, I believe it to be safe and secure, but both vendors and customers alike should be on high alert and extremely vigilant when it comes to account security and suspicious emails.

I’m sorry you lost money because of this 😕 it could have happened to anyone.

 
Last edited by a moderator:
@milex Yeah the way it happened was so smooth it was very easy to fall for.  
 

In hindsight, I could have and should have paid more attention to the email address and noticed when it changed.  
 

I wonder if the scammer can only mimic the vendors email by using @tutanota.com or if they are actually sending from the vendors @protonmail.com email.  So the only thing you’d have to look out for is if you suddenly receive emails from an address that differs from the vendors.

 
Last edited by a moderator:
Might not be a bad idea to check proton authentication logs and sessions under Settings > Security. The logs can be wiped, but if they have, that could also be telling.

 
@DoomKitty  Thank you.. will do.  So far, I've only been talking to 1 vend0r and have not had any suspicious links.  Even if I did.. I would never click on them.

 
You must log in or register to reply here.
Drugbuyersguide Shoutbox
  1. Robotanical @ Robotanical: That's a good rule to follow. Offline password manager, too.
  2. RiftChems @ RiftChems: My simple rule to stay safe: diff passwords for everything stored in a password manager, constantly check connected devices on critical platforms/IP logs of logins. Never click links from any email or DM.
  3. P @ psychedpsych: @xenxra oh ya someone is targeting me and it’s caused hell between me, my mom, and family. I got the message universe I’m, in the safest and healthiest way, distancing myself from places that people like that are more prevalent. 🫣😥 Worst part is I have had some things in my logs and such that after awhile I have a damn good idea where it’s coming from. I just want it to stop, like mentally I’m stressed to a scary point(other life bs too).
  4. aBBazaBBa123 @ aBBazaBBa123: Guess I should've read the comments before posting. I hope everyone is well and having a wonderful day!
  5. aBBazaBBa123 @ aBBazaBBa123: @Strength I got the same email, im guessing scam for sure.
  6. aBBazaBBa123 @ aBBazaBBa123: I got an email from <drugbuyers@seznam.cz> telling me I've got 24hrs to verify my account or I'll be kicked. Says it was from DBG security team. Anybody else? Does DBG have a security team sending these emails?
  7. aBBazaBBa123 @ aBBazaBBa123: got an email from <drugbuyers@seznam.cz> telling me I've got 24hrs to verify my email or I will be kicked? Says its from DBG security team.
  8. xenxra @ xenxra: seems to be a lot of weird emails going around lately for people here
  9. J @ jsntwg: dr.williamsbro@gmail.com
  10. J @ jsntwg: Anybody else seen an email from this guy asking about acquiring raw materials (nuts)……not kidding
  11. R @ rhodium: @Strength its a phishing scam
  12. Strength @ Strength: Is dbg sending out emails to us about some weird shutdown thing? Dm me if so
  13. M @ Mammasboi123: Be careful out there fam! The idiots with the Seznam.cz email address are sending out mass phishing emails again. If you get an email from them, just delete it and move along 🫡
  14. G @ GABAtastic: @knofflebon lmfao 🤣 @rockychoc good one lol
  15. K @ knofflebon: @rockychoc I legit was thinking "Whoa, whatever it is I need to subscribe!" before I realized it was a freaking pun.
  16. K @ knofflebon: @rockychoc 🤣
  17. Y @ Yaugae5121: lol seriously mammasboi! Ive been 5/5 finding vendors on here and have had nothing but positive experiences myself. Follow their advice nfrench!
  18. M @ Mammasboi123: @nfrenched92 you must be looking in the wrong places my friend. If I have any suggestion, it would be to ALWAYS check the first page of a vendor’s thread, and then check the last 5-6 most recent pages of their thread as well to get a sense of what’s been happening recently. If a vendor has multiple negative reviews that have not been addressed, I would probably look elsewhere unless it’s $$ I can afford to lose
  19. rockychoc @ rockychoc: It's impossible to put down!
  20. rockychoc @ rockychoc: I’m currently reading a book about anti-gravity
Back
Top