Protonmail warning message

I got these emails. The one looks exactly like the Proton Mail sign-in page and wants you to sign in with your info. I followed some breadcrumbs and one of them was linked to a Paxful email account besides the tarantula ones. I've been reporting them all to Proton and they have responded back saying they are phishing emails but nothing else yet.

 
That is completely bizarre. iPhones can’t be infected with malware. The vendor's account must have been compromised, but assuming the scammer had control of the vendor's account, why send the false btc address from a different email? And how? I can’t wrap my head around it, but it seems like vendors are being phished and having their accounts compromised. I think it’s important that all vendors using any email service be made aware, change their passwords, enable 2FA, check their email activity logs, scan for malware etc. I still don’t believe there’s an issue with ProtonMail as a service, I believe it to be safe and secure, but both vendors and customers alike should be on high alert and extremely vigilant when it comes to account security and suspicious emails.

I’m sorry you lost money because of this 😕 it could have happened to anyone.
This is ALL IMO, I am clearly not as smart as Milex, but I think the thug put a malicious program on the computer of the vendor I was working with. I think that when I emailed the vendor and asked them for a bitcoin address (and all previous emails), they were going from me to the vendor, then bouncing to the thug. Then the thug immediately replied to me with his tutonata account, hoping I wouldn't notice the change in domains after 5-7 emails between me and the vendor.

Once the email that he was waiting for to jump in came, he sent his email, hoping I wouldn't notice it wasn't from ProtonMail. And he won, because I asked for a btc address, got one in a few minutes, and never looked at the domain. Very few people would, I imagine.

Check it out. This is a copy-paste from my Proton email account. The bottom email was from me to the vendor asking about BTC (name edited because it's only available for donations), yet it shows the header as the vendor's, meaning all the vendor's incoming emails from me were going to the thug.

The reply came showing the time as about 18 hours ahead, however. I wish it was just 12 so it would look obvious to be maybe Asia somewhere. That I can't pinpoint, but the header seems to give it away (to me, but I am no expert on viruses) that all the vendor's emails were bounced right to the thug. He probably had a field day going from vendor to vendor. Maybe, as stated, not even Proton related, unless we know lockandload was sent to more than just Proton accounts?

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, January 18, 2020 3:29 AM, VENDORNAME,   <VENDORNAME@tutonata.com> wrote:

> bitcoin address: xxxxxxxxxxxxxxx
> 
> ------- Original Message -------
> On Friday, January 17, 2020 9:28 AM, VENDOR,   VENDORNAME@protonmail.com wrote:
> do you take bitcoin ? I was curious if you did because  I'd like to use what I have in my ....
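The domain switch visible in the quoted thread above (the newest message comes from tutonata.com, while the quoted older message came from protonmail.com) can be checked mechanically rather than by eye. The script below is an added example, not code from this thread, from ProtonMail or from any vendor: it parses the "On <date>, <name> <address> wrote:" lines of a quoted thread, flags a sender whose domain changes between quote levels while the mailbox name stays the same, and flags domains that sit within a small edit distance of the ones you actually correspond with, after normalising digit-for-letter swaps such as the "tutan0ta" spelling mentioned later in the thread. The known-domain list, the distance threshold, the homoglyph table and the sample thread are all constructed assumptions for the example.

```python
import re

# Constructed sample thread, modelled on the copy-paste quoted above: the
# newest (outermost) message comes from a lookalike domain, while the older,
# quoted message came from the vendor's real ProtonMail address.
SAMPLE_THREAD = """\
------- Original Message -------
On Saturday, January 18, 2020 3:29 AM, VENDORNAME, <VENDORNAME@tutonata.com> wrote:

> bitcoin address: xxxxxxxxxxxxxxx
>
> ------- Original Message -------
> On Friday, January 17, 2020 9:28 AM, VENDOR, VENDORNAME@protonmail.com wrote:
> do you take bitcoin ? I was curious if you did
"""

# Assumption: the domains this mailbox legitimately corresponds with.
KNOWN_DOMAINS = {"protonmail.com", "tutanota.com"}

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
# Digit-for-letter swaps commonly used in lookalike names (0 -> o, 1 -> l).
HOMOGLYPHS = str.maketrans("01", "ol")


def extract_senders(thread_text):
    """Return (mailbox, domain) for each 'On <date>, <name> <addr> wrote:' line,
    newest first, i.e. in the order the quote levels appear in the thread."""
    senders = []
    for line in thread_text.splitlines():
        body = line.lstrip("> ").strip()  # drop the quote markers
        if body.startswith("On ") and body.endswith("wrote:"):
            match = ADDR_RE.search(body)
            if match:
                mailbox, domain = match.group(0).lower().rsplit("@", 1)
                senders.append((mailbox, domain))
    return senders


def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_DOMAINS, max_dist=2):
    """Return the known domain that `domain` imitates, or None if it is either
    a known domain itself or not close to any of them."""
    if domain in known:
        return None
    normalized = domain.translate(HOMOGLYPHS)
    best = min(known, key=lambda k: edit_distance(normalized, k))
    return best if edit_distance(normalized, best) <= max_dist else None


def audit_thread(thread_text, known=KNOWN_DOMAINS):
    """Return human-readable findings for a quoted thread: mid-thread domain
    changes for the same mailbox name, and lookalike sender domains."""
    senders = extract_senders(thread_text)
    findings = []
    oldest_first = list(reversed(senders))
    for older, newer in zip(oldest_first, oldest_first[1:]):
        if older[0] == newer[0] and older[1] != newer[1]:
            findings.append(
                f"sender domain changed mid-thread: {older[0]}@{older[1]} "
                f"-> {newer[0]}@{newer[1]}"
            )
    for mailbox, domain in senders:
        target = lookalike_of(domain, known)
        if target:
            findings.append(f"{mailbox}@{domain} resembles {target}")
    return findings


if __name__ == "__main__":
    for finding in audit_thread(SAMPLE_THREAD):
        print("WARNING:", finding)
```

Run against the constructed thread it reports both the domain change from protonmail.com to tutonata.com and that tutonata.com resembles tutanota.com. The check only looks at the quoted "wrote:" lines, which is exactly what the post above relied on; a real mail client's Reply-To and From headers should be checked the same way, since the quoted text is whatever the sender chose to include.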

 
Mad situation, this. Hopefully nobody loses any more money. What a world we live in. Everything will probably be done on computers or phones one day.

 
Here’s my theory as to what may have been happening:

A hacker most probably phished a DBG vendor. Once they had the vendor's ProtonMail password they used an API to access their account, extract their contact list and send out phishing emails to everyone in it, the hope being that a DBG customer would fall for the phishing scam and hand over their account details. The same API would then be used to send out phishing emails to everyone in the customer's ProtonMail contact list, which would likely contain more DBG vendors. A vendor falls for the phishing scam and the process is repeated over and over. The hacker is collecting phished ProtonMail addresses and passwords and looking out for vendor accounts that have fallen victim to the phishing scam. Once they have a vendor's account info they create a tutonata account that mirrors the vendor's real address, and they use an API to monitor email communications to all compromised vendor accounts, looking out for keywords or phrases sent by customers such as “btc address”. At that point the API deletes the customer's email enquiring about a btc address from the vendor's inbox and replies automatically from the fake tutonata account set up for that vendor with false btc information (this would explain why victims have reported receiving instant replies from the fake tutonata accounts), and maybe even uses the API to block the customer from being able to contact the vendor again, so they can't let them know something is wrong. The hacker could set the API to reply from the vendor's real account, but if the vendor noticed this they would realise something was wrong, change their password and the game would be up.

ProtonMail addresses are being targeted because that's largely the email service of choice here, and there are a few unofficial APIs available for ProtonMail which would allow a hacker to do all this and keep the scam largely automated. It's a very elaborate setup, but I think it could be possible, and of course there's a lot to gain... but this is just a theory. The best course of action is still for ProtonMail vendors to change their passwords and increase their account security, as well as for all ProtonMail users to remain vigilant of suspicious emails.

 
I REALLY hope vendors affected by this aren't just only changing their emails!! If this is a case of just a compromised email account, then everything associated with that account is burned and anything on that account should be assumed to have been compromised (personal info, addresses, passwords etc.), and the account should be deleted completely. If this is a sophisticated MitB or BitB attack, then the computer needs to be THOROUGHLY checked for offending malware, all passwords need to be changed, and anything they did on the internet in the last while needs to be really thought about. It's highly unlikely that the only site that could be viewed by the attacker would be ProtonMail. Perhaps the only email site he could manipulate and inject into was ProtonMail, but view? Unlikely. Either way, completely deleting the account (very easy with ProtonMail!) needs to happen IMO. Also any vendor associated needs to practice waaaaaaay better opsec. For instance, no vendor should ever have been clicking on links other than privnote or temp.pm ones, and even then they need to check those links prior to clicking to make sure that's actually where they are directing to. Also, no one legit will EVER EVER EVER send you something that requires you to log in to something to view it. Sorry if I'm salty, this is just rather unsettling, as I assumed vendors here would be waaay more careful than this suggests, and if up to 5 vendors were affected that's very disturbing to me. I HIGHLY recommend to all customers that they always send their personal info in a one-time-view way via temp.pm, as this will prevent any personal info from being stolen from a compromised vendor account.

@milex Thanks SO much for the expertise with this. From the looks of the email that @drjimmy1964 posted, an automated API is extremely likely, though I'm still confused how it shows up in the same email thread, as that's something the ProtonMail program itself would control, I would assume. @Ruger2506 Did the scam email you received have the same format/wording?

 
Trying to think of a possible way to verify a vendor's new email address when they send it to us (as will hopefully happen, since they would surely want to no longer use their compromised email).
So, say a vendor emails and tells you that their new address is vendor@wherever, how will we know that it isn't still a scammer using our email addresses from when they stole them from the vendors whose accounts were hacked? I mean, we could say not to trust emails from tutan0ta, but what if they start using a different email server to contact us?
I guess we could ask them a question that only the real vendor would know the answer to, but other than that does anyone have any thoughts on this? Would it help to ask the vendor to PM the customer a password on here? So when they email you, you (the buyer) could then ask "what is the password you sent me?" to verify it was a legit new email. I am probably overthinking all of this LOL. 🙃
Or should I be deleting my email account and starting fresh as well?

 
I HIGHLY recommend to all customers that they always send their personal info in a one-time-view way via temp.pm as this will prevent any personal info from being stolen from a compromised vendor account. 
Thanks for this advice; seems like a good new habit for sure!

And as for only trusting new emails posted in each vendor's thread that seems like a good plan as well.
I know that should have been obvious to me, but I guess I was worried that the scammer could potentially be a member and have access to the vendor threads and try emailing people with the new email somehow, maybe by using the same name @ a different email server. Hope my line of thinking makes sense. It's probably not something that would happen anyway.
Guess we'll all just have to get used to checking the sender address very carefully.

 
Yeah, that makes sense. I trust Admin and 2E to be exceptionally vigilant about any attempt by the hacker to impersonate the vendor here and try to gain account access. They have dealt with a LOT of scamscum in the past (and present lol) and do incredible work to try and protect members here. As for members, vigilance is essential. So yes, now that we know this attack vector is part of their toolkit, always checking sender info is a necessity. Also, always be aware if a vendor reply/response seems unusual or out of character. And of course do the usual: always be on the lookout for phishing scams, regularly change passwords, use 2FA (which can be beaten of course in a few ways but is still way better than relying on a single password alone), and always use an email account for anything here that is separate from your personal daily-use account. These are just a few suggestions.

IMO everyone (especially vendors) should assume the attacker will try this again and again....

(as they say on Reddit: "username checks out" lol!)

 
I had a protonmail update your account info

And a lockandload email

I deleted both, cleared my cache, changed my pw.

Still I am not going to use proton

Any longer

 
If the ProtonMail servers had been compromised it would be all over the news.  Just google for it and you’ll find news articles written in 2018 and 2019 where ProtonMail was allegedly compromised by hackers in several Eastern European countries including Russia.  

We have all received phishing attempts in the inboxes we use every day at home and work. This is no different. The safest thing to do is change your password to something very strong and do not click on any links that you are not very familiar with. Or of course, just stop using ProtonMail altogether as DBG suggested.

I only use my proton email to communicate with vendors, no one else, so that makes me pretty sure that’s how these hackers got my address.

 
Looks like a member made a post on ProtonMail's reddit: Proton. Should be an interesting thread to keep an eye on as more people comment, especially if ProtonMail themselves actually respond.

 
I was a victim of this phishing attempt. I blame myself out of pure stupidity. I kept getting these emails saying to update my information or my account could be canceled. I clicked the link and it brought me to a fake Proton; it looked exactly the same as proton.com, but looking in the search bar, where I was directed was NOT Proton at all. So to be safe I deleted my Proton and am using my Tutanota as my main email now. Maybe I'll create a new Proton, I've always had both, but with all this going on I'll probably just hold off for right now. I'm pretty sure the one behind this is a member here. I have a good guess who but am trying to find a way to prove it...

Edit: I was not a victim that lost any money, I just had my account phished.

 
@Biskobro That's terrible to hear that it may be someone from DBG doing all this. I'm sorry to hear that you fell victim to this scammer. It's just so sad. This community is such an amazing place and has helped so many people whose doc$ won't give them what they NEED, for pain, anxiety, etc. I mean, for myself, if I didn't have this place, I would literally have to live like a hermit in my home, never seeing anyone, just being lonely and scared, all because of my crippling GAD, social anxiety, agoraphobia, PDSD and depression. This place has made it so that I can actually leave my house, and I'm starting to go to the grocery store and even different small stores to buy clothing and other things I need. I don't have to buy everything online anymore. This community is not just for people trying to feed their @ddicti0n, it's also for people who really just need help.

 
...I'm pretty sure the one behind this is a member here. I have a good guess who but trying to find a way to prove it...
I agree. I had a bad feeling that it could likely be a member as well. It seems like the scammer would be someone with some knowledge about how things work, vendor names, etc. It is scary and sad to think about.

 
Looks like a member made a post on ProtonMail's reddit: Proton. Should be an interesting thread to keep an eye on as more people comment, especially if ProtonMail themselves actually respond.
The screenshot that I took was from reddit. I got many of those emails and it directs you to a fake PROTON UPDATE that gives the scammer all your information.

 
@Biskobro So sorry you got phished!! And so glad you were able to delete the account, as who knows what nefarious shit could've been done with it. Take care!

 
Now, my new go-to vendor has changed his Proton account to a Tutanota acct. Can I message him as usual from my Proton acct., or do I have to make a new Tutanota acct. now too, in order to be able to keep messaging him? Just wondering, because I used to be just a gm@il kind of gal, and so this is kind of confusing to me, lol. Thank you for any help!

 