Protonmail warning message

I got these emails. One looks exactly like the Proton Mail sign-in page and wants you to sign in with your info. I followed some breadcrumbs and one of them was linked to a Paxful email account besides the tarantula ones. I've been reporting them all to Proton and they have responded saying they are phishing emails, but nothing else yet.

 
That is completely bizarre. iPhones can’t be infected with malware. The vendor's account must have been compromised, but assuming the scammer had control of the vendor's account, why send the false BTC address from a different email? And how? I can’t wrap my head around it, but it seems like vendors are being phished and having their accounts compromised. I think it’s important that all vendors using any email service be made aware: change their passwords, enable 2FA, check their email activity logs, scan for malware, etc. I still don’t believe there’s an issue with ProtonMail as a service; I believe it to be safe and secure, but vendors and customers alike should be on high alert and extremely vigilant when it comes to account security and suspicious emails.

I’m sorry you lost money because of this 😕 it could have happened to anyone.
This is ALL IMO, and I am clearly not as smart as Milex, but I think the thug put a malicious program on the computer of the vendor I was working with. I think that when I emailed the vendor and asked them for a bitcoin address (and all previous emails), the emails were going from me to the vendor, then bouncing to the thug; then the thug immediately replied to me from his tutonata account, hoping I wouldn't notice the change in domains after 5-7 emails between me and the vendor.

Once the email he was waiting for to jump in on came, he sent his reply, hoping I wouldn't notice it wasn't from Protonmail. And he won, because I asked for a BTC address, got one in a few minutes, and never looked at the domain. Very few people would, I imagine.

Check it out - this is a copy-paste from my Proton email account. The bottom email was from me to the vendor asking about BTC (name edited because it's only available for donations), yet it shows the header as the vendor's, meaning all the vendor's incoming emails from me were going to the thug.

The reply came showing a time about 18 hours ahead, however... I wish it was just 12 so it would look obvious to be maybe Asia somewhere. That I can't pinpoint, but the header seems to give it away (to me, but I am no expert on viruses) that all the vendor's emails were bounced right to the thug. He probably had a field day going from vendor to vendor. Maybe, as stated, it's not even Proton related, unless we know lockandload was sent to more than just Proton accounts??

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, January 18, 2020 3:29 AM, VENDORNAME,   <VENDORNAME@tutonata.com> wrote:

> bitcoin address: xxxxxxxxxxxxxxx
> 
> ------- Original Message -------
> On Friday, January 17, 2020 9:28 AM, VENDOR,   VENDORNAME@protonmail.com wrote:
> do you take bitcoin ? I was curious if you did because  I'd like to use what I have in my ....

 
Mad situation this. Hopefully nobody loses any more money. What a world we live in. Everything will probably be done on computers or phones one day.

 
Here’s my theory as to what may have been happening:

A hacker most probably phished a DBG vendor. Once they had the vendor's ProtonMail password they used an API to access their account, extract their contact list and send out phishing emails to everyone in it, the hope being that a DBG customer would fall for the phishing scam and hand over their account details. The same API would then be used to send out phishing emails to everyone in the customer's ProtonMail contact list, which would likely contain more DBG vendors. A vendor falls for the phishing scam and the process is repeated over and over. The hacker is collecting phished ProtonMail addresses and passwords and looking out for vendor accounts that have fallen victim to the phishing scam. Once they have a vendor's account info they create a tutonata account that mirrors the vendor's real address, and they use an API to monitor email communications to all compromised vendor accounts, looking out for keywords or phrases sent by customers such as “btc address”. At that point the API deletes the customer's email enquiring about a BTC address from the vendor's inbox and replies automatically from the fake tutonata account set up for that vendor with false BTC information (this would explain why victims have reported receiving instant replies from the fake tutonata accounts), and maybe the API is even used to block the customer from being able to contact the vendor again, so they can’t let them know something is wrong. The hacker could set the API to reply from the vendor's real account, but if the vendor noticed this they would realise something was wrong, change their password and the game would be up.

ProtonMail addresses are being targeted because that’s largely the email service of choice here, and there are a few unofficial APIs available for ProtonMail which would allow a hacker to do all this and keep the scam largely automated. It’s a very elaborate setup, but I think it could be possible, and of course there’s a lot to gain... but this is just a theory. The best course of action is still for ProtonMail vendors to change their passwords and increase their account security, as well as for all ProtonMail users to remain vigilant of suspicious emails.
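
A check a buyer could run on a quoted reply chain like the one pasted earlier in this thread, as an added example (not code from anyone in this thread or from ProtonMail): it pulls the sender address out of each "On ..., X wrote:" attribution line, compares the newest sender with the address the buyer originally wrote to, and flags a reply that keeps the vendor's mailbox name but arrives from a different domain, as well as near-miss lookalike domains. All addresses and domains in the sample are constructed placeholders; the thread does not establish whether the scammer's domain was chosen as a lookalike, so the lookalike check is a general precaution rather than a description of this incident.

```python
import re

# Constructed sample quote chain in the layout shown in the thread.
# VENDORNAME and the *.example domains are placeholders, not real accounts.
SAMPLE_THREAD = """\
------- Original Message -------
On Saturday, January 18, 2020 3:29 AM, VENDORNAME <VENDORNAME@othermail.example> wrote:

> bitcoin address: xxxxxxxxxxxxxxx
>
> ------- Original Message -------
> On Friday, January 17, 2020 9:28 AM, VENDORNAME VENDORNAME@protonmail.example wrote:
> do you take bitcoin? I was curious if you did ...
"""

# Loose e-mail address pattern: good enough for attribution lines, not a validator.
_ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def extract_senders(thread_text):
    """Return the sender address from every 'On <date>, <who> wrote:' attribution
    line in the quoted chain, newest (least-quoted) first, lower-cased."""
    senders = []
    for line in thread_text.splitlines():
        body = line.lstrip("> ").strip()  # drop quote markers and indentation
        if body.lower().startswith("on ") and body.lower().endswith("wrote:"):
            match = _ADDR_RE.search(body)
            if match:
                senders.append(match.group(0).lower())
    return senders


def _domain(addr):
    return addr.rsplit("@", 1)[1]


def _local(addr):
    return addr.rsplit("@", 1)[0]


def edit_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1. Used to spot lookalike domains."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_lookalike(domain_a, domain_b, max_distance=2):
    """True when two *different* domains are within a couple of edits of each other."""
    domain_a, domain_b = domain_a.lower(), domain_b.lower()
    return domain_a != domain_b and edit_distance(domain_a, domain_b) <= max_distance


def check_reply_chain(expected_addr, thread_text):
    """Compare the newest sender in a quoted reply chain against the address the
    buyer originally wrote to. Returns a list of findings; an empty list means
    the reply came from the expected address."""
    expected = expected_addr.lower()
    senders = extract_senders(thread_text)
    if not senders:
        return ["no attribution lines found; sender cannot be verified from the quote chain"]
    newest = senders[0]
    findings = []
    if newest != expected:
        findings.append(f"reply came from {newest}, expected {expected}")
        if _local(newest) == _local(expected):
            findings.append("same mailbox name on a different domain (impersonation pattern)")
        if is_lookalike(_domain(newest), _domain(expected)):
            findings.append(f"domain {_domain(newest)} is a lookalike of {_domain(expected)}")
    if expected not in senders:
        findings.append("expected address never appears in the quoted chain")
    return findings


if __name__ == "__main__":
    for finding in check_reply_chain("VENDORNAME@protonmail.example", SAMPLE_THREAD):
        print("WARNING:", finding)
```

The check only looks at the quoted attribution lines, which is what a buyer sees in the reply itself; a full Received/From header comparison in the mail client is stronger, but the quick domain comparison would have caught the case described above where the mailbox name stayed the same and only the domain changed.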

 
I REALLY hope vendors affected by this aren't just changing their emails!! If this is a case of just a compromised email account then everything associated with that account is burned and anything on that account should be assumed to have been compromised (personal info, addresses, passwords etc) and the account should be deleted completely. If this is a sophisticated MitB or BitB attack then the computer needs to be THOROUGHLY checked for offending malware, all passwords need to be changed, and anything they did on the internet in the last while needs to be really thought about. It's highly unlikely that the only site that could be viewed by the attacker would be Protonmail. Perhaps the only email site he could manipulate and inject into was Protonmail, but view? Unlikely. Either way completely deleting the account (very easy with protonmail!) needs to happen IMO. Also any vendor associated needs to practice waaaaaaay better opsec. For instance, no vendor should ever have been clicking on links other than privnote or temp.pm ones, and even then they need to check those links prior to clicking to make sure that's actually where they are directing to. Also no one legit will EVER EVER EVER send you something that requires you to log in to something to view it. Sorry if I'm salty, this is just rather unsettling as I assumed vendors here would be waaay more careful than this suggests, and if up to 5 vendors were affected that's very disturbing to me. I HIGHLY recommend to all customers that they always send their personal info in a one-time-view way via temp.pm as this will prevent any personal info from being stolen from a compromised vendor account.

@milex Thanks SO much for the expertise with this. From the looks of the email that @drjimmy1964 posted, an automated API doing this is extremely likely, though I'm still confused how it shows up in the same email thread, as that's something the Protonmail program itself would control, I would assume. @Ruger2506 Did the scam email you received have the same format/wording?

 
Trying to think of a possible way to verify a vendor's new email address when they send it to us (as will hopefully happen, since they would surely want to no longer use their compromised email).
So, say a vendor emails and tells you that their new address is vendor@wherever, how will we know that it isn't still a scammer using our email addresses from when they stole them from the vendors whose accounts were hacked? I mean we could say not to trust emails from tutan0ta, but what if they start using a different email server to contact us?
I guess we could ask them a question that only the real vendor would know the answer to, but other than that does anyone have any thoughts on this? Would asking the vendor to PM the customer a password on here help with this? So when they email you, you (the buyer) could then ask "what is the password you sent me?" to verify it was a legit new email. I am probably overthinking all of this LOL. 🙃
Or should I be deleting my email account and starting fresh as well??

 
I HIGHLY recommend to all customers that they always send their personal info in a one-time-view way via temp.pm as this will prevent any personal info from being stolen from a compromised vendor account. 
Thanks for this advice, seems like a good new habit for sure!

And as for only trusting new emails posted in each vendor's thread that seems like a good plan as well.
I know that should have been obvious to me, but I guess I was worried that the scammer could potentially be a member and have access to the vendor threads and try emailing people with the new email somehow, maybe by using the same name @ a different email server. Hope my line of thinking makes sense. It's probably not something that would happen anyway.
Guess we'll all just have to get used to checking the sender address very carefully.

 
Yeah that makes sense. I trust Admin and 2E to be exceptionally vigilant about any attempt by the hacker to impersonate the vendor here and try to gain account access. They have dealt with a LOT of scamscum in the past (and present lol) and do incredible work to try and protect members here. As for members, vigilance is essential. So yes, now that we know this attack vector is part of their toolkit, always checking sender info is a necessity. Also, always be aware if a vendor reply/response seems unusual or out of character. And of course do the usual, like always being on the lookout for phishing scams, regularly changing passwords, using 2FA (which can be beaten of course in a few ways but is still way better than relying on a single password alone), and always using an email account for anything here that is separate from your personal daily-use account. These are just a few suggestions.

IMO everyone (especially vendors) should assume the attacker will try this again and again....

(as they say on Reddit: "username checks out" lol!)

 
I had a ProtonMail "update your account info" email

And a lockandload email

I deleted both, cleared my cache, changed my pw.

Still I am not going to use proton

Any longer

 
If the ProtonMail servers had been compromised it would be all over the news.  Just google for it and you’ll find news articles written in 2018 and 2019 where ProtonMail was allegedly compromised by hackers in several Eastern European countries including Russia.  

We have all received phishing attempts in the inboxes we use every day at home and work. This is no different. The safest thing to do is change your password to something very strong and do not click on any links that you are not very familiar with. Or of course, just stop using ProtonMail altogether as DBG suggested.

I only use my proton email to communicate with vendors, no one else, so that makes me pretty sure that’s how these hackers got my address.

 
Looks like a member made a post on Protonmail's reddit: Proton. Should be an interesting thread to keep an eye on as more people comment, especially if Protonmail themselves actually respond.

 
I was a victim of these phishing attempts. I blame myself out of pure stupidity. I kept getting these emails saying to update my information or my account could be canceled. I clicked the link and it brought me to a fake Proton; it looked exactly the same as proton.com, but looking in the address bar, where I was directed was NOT Proton at all. So to be safe I deleted my Proton and am using my Tutanota as my main email now. Maybe I'll create a new Proton, I've always had both, but with all this going on I'll probably just hold off for right now... I'm pretty sure the one behind this is a member here. I have a good guess who but am trying to find a way to prove it.......

Edit: I was not a victim that lost any money, I just had my account phished.

 
@Biskobro That's terrible to hear that it may be someone from DBG doing all this. I'm sorry to hear that you fell victim to this scammer. It's just so sad. This community is such an amazing place and has helped so many people whose doc$ won't give them what they NEED, for pain, anxiety, etc. I mean, for myself, if I didn't have this place, I would literally have to live like a hermit in my home, never seeing anyone, just being lonely and scared, all because of my crippling GAD, social anxiety, agoraphobia, PTSD and depression. This place has made it to where I can actually leave my house, and I'm starting to go to the grocery store and even different small stores to buy clothing and other things I need. I don't have to buy everything online anymore. This community is not just for people trying to feed their @ddicti0n, it's also for people who really just need help.

 
...I'm pretty sure the one behind this is a member here. I have a good guess who but am trying to find a way to prove it.......
I agree. I had a bad feeling that it could likely be a member as well. It seems like the scammer would be someone with some knowledge about how things work, vendor names, etc.. It is scary and sad to think about. 

 
Looks like a member made a post on Protonmail's reddit: Proton. Should be an interesting thread to keep an eye on as more people comment, especially if Protonmail themselves actually respond.
The screenshot that I took was from reddit. I got many of those emails and it directs you to a fake PROTON UPDATE that gives the scammer all your information.

 
@Biskobro So sorry you got phished!! And so glad you were able to delete the account, as who knows what nefarious shit could've been done with it. Take care!

 
Now, my new go-to vendor has changed his Proton account to a Tutanota acct. Can I message him as usual from my Proton acct., or do I have to make a new Tutanota acct. now too, in order to be able to keep messaging him? Just wondering, because I used to be just a gm@il kind of gal....and so this is kind of confusing to me..lol. Thank you for any help!

 