Protonmail warning message

I have received these spoof emails this week also. What is a good alternative secure email service?

 
@lookinforthebiscuits There’s too little info so it’s hard to wrap my brains around it, but I'm not sure that method would show up in the same thread in Protonmail that way. I mean I don’t have enough info from the reporting member who got scammed to really know what the format looked like, but generally Protonmail treats each new response as its own entity, so a copy/paste of the entire convo with a spoofed email wouldn’t work, as it would reduce the whole thread to just one response, if that makes sense. In the way you’re thinking it, is the vendor or the customer compromised?
With a man-in-the-browser exploit it would be the customer who is compromised. The MITB exploit is basically the same as an XSS exploit but executed via malware on the customer's computer rather than a security flaw in the Protonmail platform. It could allow the scammer to change the dashboard source code within the user's browser so all emails are BCC'd to the scammer's own email address. The customer and legitimate vendor could create an email thread and the scammer could jump in at any time without the legitimate vendor knowing and without breaking the thread... This is all speculation, mind; I'm just a web developer and not a cyber security expert. I'd also be surprised if Windows Defender wasn't able to detect and quarantine MITB malware, plus modern browsers should prevent an exploit like that from running; it would take a REALLY sophisticated bit of malware to pull off an exploit like that. I'm sure there's a much simpler explanation to all this, but for anyone using Protonmail to contact vendors I'd suggest using the mobile app and being very cautious until we know more.

 
@DoomKitty The way I'm thinking it, initially the vendor(s) was compromised, then the customer. The customer still doesn't know s/he's compromised but the scammer can see their email account and correspondence with the vendor and is now masquerading as the vendor by inserting themselves into the thread using the same subject line by emailing the customer from a spoofed or similar looking email address.

Convoluted, I know, but, assuming the member's report is correct (I know which report you're referring to, I saw it as well), I can't see how else that could be accomplished beyond some very sophisticated malware, or Protonmail being compromised, which seems very unlikely. I know what you're saying about Protonmail treating each new response as its own entity (I don't know if that's the case at this point), but, assuming that's correct, it still doesn't explain what happened to the reporting member, since the reply they received was from a different, albeit similar-looking, email address, which should have created a new thread.

Anyway, as you say, best to wait for some more reports to come in. If anyone has experienced any loss as a result of this current problem, please post in this thread in as much detail as possible (obviously without compromising anyone's security). Better to keep it here than in the vendor threads.

 
@milex thanks for your expertise. It's far beyond mine and I only have the ability to relay the information as it comes to me. One of the persons affected is very tech savvy so I feel like this is not amateurish. He attempted making a new account and I believe he said from a different computer, but still had the same issues. 

I will keep adding information to this thread and I invite anyone else affected to tell their experience. Then perhaps the experts among us will be able to weigh in and give their opinions. I'm just a forum mod and no security expert.

 
PS: this has been a problem reported to me by several people, not just a single incident, and it is in regards to various vendors as well, with the common thread being Protonmail.

I'm getting all kinds of crazy emails on there myself, but have not initiated any orders. One that a few of us have received is from lockandload@tutanota.com titled "confidential email".

Then I am also getting "please confirm your DHL deliveries", "please confirm your email", and I am just swiping them directly to trash, but I can see that they are all from Tutanota addresses.

 
@2earls Exactly the same here. First ones purported to be from Protonmail ("Upgrade Your Account"), then the lockandload ones, then the DHL one. lockandload were apparently from tutanota. The DHL apparently from a Protonmail account. All of them went straight to the trash.

 
@2earls If someone created a new account on a different computer and still had the same issues, then it must be the vendor's Protonmail account that is compromised. Do you have a count on how many vendors this is happening with?

 
I posted about this because I lost ~130 due to this.

I was receiving/sending email to —@protonmail.com about my order and when I received the original btc address to send to from the real vendor email, the btc address didn’t work so I requested a new one.

My new btc address came almost instantly, which shoulda set off a flag, but I assumed the vendor was on their email at that moment. I sent btc to the address and they said I could double the order for only $100 more, which I didn’t have, and I declined and never heard back since.

Looked back just today since I hadn’t heard from realvendor@protonmail.com, and noticed the second btc address was sent from realvendor@tutanota.com (scammer).

All in the same single thread of emails originating from the real vendor. 
 

I haven’t heard back since emailing the real vendor about what happened; no hard feelings obviously, as it was my fault. I am not sure if the vendor hasn’t seen my emails yet or maybe has lost contact with that email/deleted it, IDK as of right now.

This is far beyond my comprehension, I’m just explaining what went down and how.

EDIT: I haven’t received any of the above mentioned emails however, only the tutanota email mirroring the protonmail vendor.

 
@milex I believe it originated with the customer, but once he emailed the vendor they were able to get into that account. Judging from the number of us who received these emails it seems like the scammer got ahold of one of our vendor's contacts list. He believes that they cannot originate contact from the vendor email, only respond to emails sent and that's when they give the false bitcoin address. 

 
@Ruger2506 Thanks for your post and sorry about your loss. It was your report to which myself and @DoomKitty were referring earlier in the thread.

Have you taken all the obvious precautions like changing your email password, enabling 2FA and checking your device is free from malware? If not, you should do that asap.

 
@2earls Exactly the same here. First ones purported to be from Protonmail ("Upgrade Your Account"), then the lockandload ones, then the DHL one. lockandload were apparently from tutanota. The DHL apparently from a Protonmail account. All of them went straight to the trash.
I'm getting all kinds of crazy emails on there myself, but have not initiated any orders. One that a few of us have received is from lockandload@tutanota.com titled "confidential email".

Then I am also getting "please confirm your DHL deliveries", "please confirm your email", and I am just swiping them directly to trash, but I can see that they are all from Tutanota addresses.
These are the emails I received as well. I reported some as phishing/spam and others I just deleted.

 
@milex Yes mobile app on iPhone.

I've only reset my phone to factory and have changed pass but will most likely make new email.

 
@milex Yes mobile app on iPhone.

I've only reset my phone to factory and have changed pass but will most likely make new email.
That is completely bizarre. iPhones can’t be infected with malware. The vendor's account must have been compromised, but assuming the scammer had control of the vendor's account, why send the false btc address from a different email? And how? I can’t wrap my head around it, but it seems like vendors are being phished and having their accounts compromised. I think it’s important that all vendors using any email service be made aware, change their passwords, enable 2FA, check their email activity logs, scan for malware, etc. I still don’t believe there’s an issue with Protonmail as a service; I believe it to be safe and secure, but both vendors and customers alike should be on high alert and extremely vigilant when it comes to account security and suspicious emails.

I’m sorry you lost money because of this 😕 it could have happened to anyone.

 
@milex Yeah the way it happened was so smooth it was very easy to fall for.  
 

In hindsight, I could have and should have paid more attention to the email address and noticed when it changed.  
 

I wonder if the scammer can only mimic the vendor's email by using @tutanota.com or if they are actually sending from the vendor's @protonmail.com email. So the only thing you’d have to look out for is if you suddenly receive emails from an address that differs from the vendor's.
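One defensive check for the pattern described in this thread (a reply arriving mid-thread from a lookalike address such as realvendor@tutanota.com in place of realvendor@protonmail.com) is to compare every message's From address against the addresses already seen in that thread. The script below is an added example, not code from anyone in this thread or from Protonmail; all message data is constructed and every address is a placeholder.

```python
# Added example: flag replies whose sender differs from the counterparty the
# thread started with, and mark ones that reuse the local part with a different
# domain (lookalikes). All messages and addresses below are constructed.
from email import message_from_string
from email.utils import parseaddr

# Constructed sample thread, oldest first (placeholder addresses only).
RAW_THREAD = [
    "From: realvendor@protonmail.com\nSubject: Order #1234\n"
    "Message-ID: <m1@example.invalid>\n\nHere is the BTC address for your order.\n",
    "From: customer@protonmail.com\nSubject: Re: Order #1234\n"
    "In-Reply-To: <m1@example.invalid>\n\nThat address did not work, can you send a new one?\n",
    "From: realvendor@tutanota.com\nSubject: Re: Order #1234\n"
    "In-Reply-To: <m1@example.invalid>\n\nSure, use this new address instead.\n",
]


def sender(msg):
    """Return the bare, lower-cased address from the From header."""
    return parseaddr(msg["From"])[1].lower()


def lookalike(addr, known):
    """True if addr has the same local part as a known address but another domain."""
    local, _, domain = addr.partition("@")
    for k in known:
        klocal, _, kdomain = k.partition("@")
        if local == klocal and domain != kdomain:
            return True
    return False


def audit_thread(raw_messages, my_address):
    """Walk a thread in order and report every message from an address not
    seen before, once a counterparty has been established.
    Returns a list of (message index, sender, reason) tuples."""
    me = my_address.lower()
    known = {me}
    findings = []
    for i, raw in enumerate(raw_messages):
        addr = sender(message_from_string(raw))
        if addr in known:
            continue
        if known - {me}:  # a counterparty already exists, so this is a change
            reason = "lookalike of known sender" if lookalike(addr, known) else "new sender mid-thread"
            findings.append((i, addr, reason))
        known.add(addr)
    return findings


if __name__ == "__main__":
    for idx, addr, reason in audit_thread(RAW_THREAD, "customer@protonmail.com"):
        print(f"message {idx}: {addr} -> {reason}")
```

The check only needs the From header, so it works on exported .eml files as well as on the constructed strings above.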

 
Might not be a bad idea to check proton authentication logs and sessions under Settings > Security. The logs can be wiped, but if they have, that could also be telling.

 
@DoomKitty  Thank you.. will do.  So far, I've only been talking to 1 vend0r and have not had any suspicious links.  Even if I did.. I would never click on them.

 