Protonmail warning message

So just to summaries (and I hope we all agree); ProtonMail is safe and secure and absolutely fine to use. The issue was with a small number of vendors having their ProtonMail accounts compromised by falling victim to a phishing scam. The logistics of how the scammer was able to interject an email thread between a customer and a vendor with false BTC info is still unclear, but we know it was only possible and only happened with compromised vendor accounts.

All known vendors with compromised accounts have been contacted (and hopefully instructed to delete their accounts and setup new ones) and all other vendors have been warned about the issue and hopefully changed their passwords as a precaution as well as include an email signature telling customers to check their email headers to make sure emails are coming from the right address.

Assuming all this is correct, I don't think there's much more that can be done and I thank the admin for warning the community and informing vendors of the issue as quickly as they did. People are always going to fall for phishing scams, but hopefully this past week has reminded both vendors and customer alike to be extremely cautious of suspicious emails, never mind what email platform you use.

 
What if the scammer has access to vendors email and sits waiting. When a wallet address request comes in they forward the chain to their scammer email account and replies from there.

That way they can stay unnoticed and then reply to you at will on new scam email.

So if vendors all change pw that my resolve the issue?

 
I would love to know if everyone who has gotten scammed by this are all using Protonmail on the cellphones (so far everyone who has mentioned being scammed has been using their cellphone).  Can anyone who was scammed via their cellphone please log in to their Protonmail account via their laptop/desktop and tell me if the scam email actually show up in the same thread on their desktop as well. 

The Protonmail iOS app is fucking ridiculous and doesn't put all emails that are part of the same thread IN THE SAME THREAD.  They just show up as new emails and so just by looking at the sender name you'd assume it was the same sender and same thread even tho its from a completely different email (thats using the same name as legit email).  But in the web version this isn't the case.  Can someone who has been scammed confirm for me whether or not this is the case?  The answer would help in determining what kind of attack this is and therefore how to avoid it.....Thanks!!!

 
Last edited by a moderator:
@DoomKitty  I actually don't have a cell phone, and I'm just using a laptop and have had no problems so far with proton..  So you may be on to something here...

 
When using Cell-Phones you literally need the Newest released ios etc. for it to be secure and like @DoomKitty said a lot of things for Cell-Phones Apps are messed up compared to the Desktop Version alternatives. I think it's a bad idea to use Cell-Phones for anything where you need very good security.

 
I was looking at headers before making an order with another vendor there. What i notice is the protonmail first header is ReplyingTo and a bunch of  long randomised characters with @protonmail.com at end. 

Each list of randomised characters is a hash of the email or an id for an email in the chain. 

I'm wondering if a scammer was able to get hold of the headers and copy all the hashs of the emails in the replyto chain and then forged the header and entered them in maybe protonmail auto generates the thread of emails from decrpyting the hashs in the replyingto header. 

So essesntially if you have access to a vendors protonmail, you can go to a thread of replies. Copy the header from replyingto all the hashes it contains and open your own email. Spoof the headers and send the copied protonmail replying to header with all the hashs of the previous emails in the thread 

Protonmail gets the email and starts to generate the thread when you open it by parsing the replyignto header - Making the scammers email appear in a chain of messages form a legit vendor.

I hope ive explained this clearly enough. If this is the issue, it could expose a weakness in protonmail. If you can auto generate fake email chains by knowing the hashes of other emails and sending them in the replyingto header. 

Again this issue solves itself if the hacker has no access to vendors emails. 

 
@Idaknowbetter Sadly I believe that. But guess what :)  just sent your pack despite anything. Thanks for the heads up, patient zero 🙂 

@Mushy You got a point - this is why it’s a junk! I pretty much wrote the same thing to their team  and they didn’t even replied. They lost me as a customer and I only have about 2000 customers who use proton, so if they all abandon their accounts it’s just not a big deal either. Screw them. TUTANOTA ALL THE WAY

 
@Olart Pharma  I switched to Tutanota because of your advice, so thank you!   I'm done with proton too.  Thank goodness I did not have any problems, as it seems to only be the app that is being effected and I have the desktop version, but it's still not worth taking the risk...

 
I just tried to  look at the scam emails I received and they are gone. And by scam email I mean the ones where they were sending the fake payment info. Is this happening to everyone else as well?

 
Can any of you with a scam email chain take a screenshot and show me what it looks like?

 
2earls said:
I just tried to  look at the scam emails I received and they are gone. And by scam email I mean the ones where they were sending the fake payment info. Is this happening to everyone else as well?
Click to expand...
Maybe yours are missing  ecause they have been reported as scammer and protonmail deleted them?

 
The domain olatpharrna does not exist. So its clearly a spoofed email. Have you got the headers for that email?

What does the reply to header say?

 
Is phishing and spear phishing the same thing, or is spear phishing more like selective scamming?

 
@2earls Couple ideas: Depending on however the hack is being done they could be taking advantage of Protonmail's "auto-destruct" option (seems likely).  Or if you labelled the suspect email as spam it's possible that it was auto-moved to the spam folder and subsequently deleted somehow by your email provider?  Protonmail will move the email to spam once marked spam or once you click "report phishing" but they can't delete the email except when the spam folder does it's auto-delete which i think is either 7 or 14 days like most emails.  Also possible your email is compromised and the attacker deleted it?

That particular btc address posted above shows about 5800 having been stolen, all then transferred into an address that contains about $233000 worth of btc.......

@Fenrir spear-phishing is just targeted phishing where the fraudulent emails are specific to the group/individual being targeted.  this attack would be called spear-phishing i think

 
Last edited by a moderator:
This hack doesnt seem as scary as forst thought. I was thinking the scammer can inject at will to any protonmail chain.

From what i see

The scammer has access to olart pharmas protonmail probably by fishing or guessing the password.

They sit reading the emails waiting for someone to request payment.

They use any number of email spoofer to send an email from olartpharrna to seem similar.

Whats weird is that they dont reply from olartpharmas account and send the fake wallet. They send from a spoofed address. Which might mean they can only read the email they get.

Maybe a way of remotely viewing olart pharmas screen they use  to view protonmail i.e a trojan.

Or perhaps since they keep using the same address its a pre programmed response.

Overall id say olart has been infected by a trojan that sits dorment when it detects a new protonmail email is recieved it forwards the chain to the scammer. Then deletes the email the scammer reads and if its requesting btc address he quickly sends back the forged email  hes been forwarded with the wallet address.

 
@Mushy

I've never had contact with olart in any way, though I got the scam mails. After this, I've made myself a new account and only informed one vend from here and got the same mails again. 

So I guess this has to be someone of "us" who has access to the vendor threads and email-addresses, no? But wow and especially 'why' the person is doing this is another question. 

But I think it actually is deeper than we think.

 
I have no idea how the attack is happening especially since so little information is known (i have soooo many questions lol), but a couple basic things that should happen imo:

If you're using TAILS or similar, fully wipe usb and reinstall (or just throw away usb and acquire a new one)

Everyone (especially vendors) most DEFINITELY needs to run quality malware software on their computer/phone ASAP.  Then this software needs to be continuously running both on your computer/phone (if using Android) and have browser access.  Obviously delete anything malicious and then run it again.  This isn't full-proof of course, but can find most non zero-day malware, depending on whether you are running software that's cheap/free and shitty or high quality and with well updated definitions...

If you've been affected, then I personally would then fully delete (the app and all associated files) any browser i am using and then reinstall (even if the malware software says you're good.  Can never be too careful when it comes to security) 

AFTER that, everyone needs to change your email password (even if you just changed it).  Another option is getting a new email, but you should fully delete the old one afterwards!  You can export contacts to preserve your client/friend/whatever list so this shouldn't be a problem. 

You need to set up 2FA on any email provider you use (and anything that provides it really).  2FA CAN be defeated but it's a much harder thing to do and it provides a LOT more security than a password alone.  Remember: 2FA won't protect you against a Man-in-the-midde/browser attack it will just add a layer of security to your login credentials.

For vendors: Unless you send out mass emails turn off the default "automatically save contacts" feature.  This will prevent hackers from easily harvesting your entire customer list. Also in general, please know that SUBJECT LINES ARE NOT ENCRYPTED EVER (on protonmail or otherwise), only the email body is.

Make it a habit to NEVER click on a link in a browser without first checking to see what the link is.  Firefox shows the full link (it appears on bottom left of browser window) when you hover the cursor over it, by default.  Not sure about other browsers.

Make sure your email is only associated with activity here,  so that no other info is compromised if that email becomes compromised.

Familiarize yourself with phishing scams and how to avoid them.  Some basics: Always check the sender email.  Do this EVERY time someone emails you.  Never click on links in an email or text message.  If the link says to go to your protonmail account and update whatever, then just go to your browser and manually log in to your account to see if that's true.  I know this can seem tedious and annoying but if you make this a habit the likelihood of being phished is enormously reduced.  I personally never click on links in emails even when i know the email sender is valid.   If a customer/vendor sends you a temp.pm link, first check to make sure the link is actually a temp.pm (or similar) link, then just copy/paste it in your browser instead of clicking.  Other than temp.pm links there's really NO reason a customer or vendor needs to be sending you links ever.  All TNs should be copy/pasted not clicked.  If something seems off in the way the customer/vendor is suddenly responding then it probably is off.   Obviously a lot of phishing scams are more sophisticated and require more vigilance but as a general rule if a person/company is contacting you needing critical info or money or login info, then its always fucking bullshit.

EVERY customer needs to check here and in the vendor threads before ordering.  Both to check for email changes and to read up on how the current situation is affecting customers and vendors.  This should be happening regardless, but i imagine people get used to just emailing and not checking for current reviews or whatnot. 

ALSO: Protonmail allows you to set up IP logs so you can see when people try to log on to your account and from where.  This has an obvious anonymity drawback as protonmail will log IP and time of attempted login, so choose this wisely.  You can also see who has current sessions with your account and revoke access to any device you want under "Sessions Management."  Both of these options are under "Security" in your "Settings." 

Again, these are just a couple absolute basics that i would do and vendors should most definitely do imo.  I have no way of knowing whether this will prevent this attack from happening but it will definitely cover a lot of bases.  Other people will have other things to add hopefully.  I mean i know a lot of people who would do a fully wipe and reinstall of OS if this happened to them which is also what i would do.  If the problem persists with a vendor after doing the above, that would be an ESSENTIAL thing to happen.  Another reason why doing business from a bootable OS on a usb comes in handy.....

Hopefully this helps some!!! Take care all and be safe!!

 
Last edited by a moderator:
You must log in or register to reply here.
Drugbuyersguide Shoutbox
  1. M @ Mammasboi123: @nfrenched92 you must be looking in the wrong places my friend. If I have any suggestion, it would be to ALWAYS check the first page of a vendor’s thread, and then check the last 5-6 most recent pages of their thread as well to get a sense of what’s been happening recently. If a vendor has multiple negative reviews that have not been addressed, I would probably look elsewhere unless it’s $$ I can afford to lose
  2. Y @ Yaugae5121: lol seriously mammasboi! Ive been 5/5 finding vendors on here and have had nothing but positive experiences myself. Follow their advice nfrench!
  3. M @ Mammasboi123: @nfrenched92 you must be looking in the wrong places my friend. If I have any suggestion, it would be to ALWAYS check the first page of a vendor’s thread, and then check the last 5-6 most recent pages of their thread as well to get a sense of what’s been happening recently. If a vendor has multiple negative reviews that have not been addressed, I would probably look elsewhere unless it’s $$ I can afford to lose
  4. M @ Mammasboi123: @nfrenched92 you must be looking in the wrong places my friend. If I have any suggestion, it would be to ALWAYS check the first page of a vendor’s thread, and then check the last 5-6 most recent pages of their thread as well to get a sense of what’s been happening recently. If a vendor has multiple negative reviews that have not been addressed, I would probably look elsewhere unless it’s $$ I can afford to lose
  5. M @ Mammasboi123: @nfrenched92 you must be looking in the wrong places my friend. If I have any suggestion, it would be to ALWAYS check the first page of a vendor’s thread, and then check the last 5-6 most recent pages of their thread as well to get a sense of what’s been happening recently. If a vendor has multiple negative reviews that have not been addressed, I would probably look elsewhere unless it’s $$ I can afford to lose
  6. N nfrenched92: is this site legit nothing but scammers god damn
  7. N nfrenched92: is this site legit nothing but scammers god damn
  8. rockychoc @ rockychoc: It's impossible to put down!
  9. rockychoc @ rockychoc: I’m currently reading a book about anti-gravity
  10. Gleezy @ Gleezy: Happy new years DBG fam! Finally the holidays are over phew! Time to get back to our regular scheduled program 🤣
  11. G @ GABAtastic: @Mammasboi123 too slow bro lol
  12. rockychoc @ rockychoc: Lol
  13. M @ Mammasboi123: I was going to steal your thunder 😆
  14. M @ Mammasboi123: Dang it I knew that one @rockychoc !!
  15. rockychoc @ rockychoc: Snowbank!
  16. rockychoc @ rockychoc: Where do snowmen put their money?
  17. R @ rasetreydir: @ Telp: Same to you! New Year's Blessings upon the whole DBG forum; without exception. Especially among those that suffer here in silence.
  18. xenxra @ xenxra: man it's been like a week since i've seen a rockychoc certified pun in here i think i'm gonna have a mental breakdown
  19. rockychoc @ rockychoc: Lol wtf
  20. Telp @ Telp: @rasetreydir Have a blessed new year friend!
Back
Top