Protonmail warning message

milex (Member, joined Jul 8, 2017, 66 messages)
Hi,

I'm just wondering if the admin who posted the warning message about protonmail being unsafe to use could elaborate more please?

As a web developer, the issue outlined in the warning makes very little sense. I have a feeling that the admin who issued the message may be the victim of a "man-in-the-browser" attack (MITB). This is caused by malware running on the user's local machine, most likely created by someone targeting DBG.

Protonmail uses end-to-end encryption, so the concept of emails being intercepted by a scammer is impossible unless a man-in-the-browser attack is being used or vendors have had their protonmail passwords phished and accounts compromised, but this seems extremely unlikely on a wide scale.

Another possibility could be a data breach and leak of protonmail accounts and passwords, but this would have been widely reported on in the tech community, plus protonmail uses bcrypt to hash user passwords, so passwords being leaked in plain text would be next to impossible even if a data breach had occurred.

I'd recommend using Malwarebytes to scan for MITB malware on your machine.

@milex Agree with everything you said! The problem is highly unlikely with Protonmail itself and most definitely with vendors who’ve been targets of phishing attacks and had their emails compromised and all their contacts stolen. Protonmail by default adds anyone you email to your contact list, so getting all contacts is very easy. This has been happening to a lot of RC vendors lately and was only a matter of time to happen here. Selling those email addresses or continuing to phish using those addresses would be the obvious next step for a hacker. It is mostly happening with protonmail users here because that’s the email most people use on here. The problem seems to be isolated to here because I have received phishing attempts, but only to an email I use solely with vendors here, and it’s not the email associated with my user account here. Not trying to argue or contradict anyone, especially Admin, but Protonmail seems extraordinarily safe; human error like falling for a phishing attack (or any social engineering tactic) is where all security breaks down and is the basis of 90% of all hacks.

Stay safe y’all!

 
If the scammer is using protonmail contact lists to try and phish customers, I've emailed several high-profile vendors using their protonmail accounts in the past (most vendors from the email sources thread) and I haven't received any phishing emails to my protonmail account. So I think it's safe to assume this is probably localised to a very small number of DBG vendors (perhaps just one) and isn't cause to abandon using protonmail altogether, but rather just to be vigilant of suspicious emails.

More information is needed on which vendor account(s) have been compromised though.

I received a couple of these a few days ago and reported the phishing attempt to ProtonMail. In both cases the emails appear to be from protonmail.com addresses, though the "from" header also references a tutanota address.

The body of the message contained a tinyurl link which redirected to a fake ProtonMail authentication page, including hotlinked assets from protonmail.com.

So, aside from the fact that the emails are tailored to collecting ProtonMail credentials, I don't see anything that differentiates them from other phishing emails. Of course it would be interesting to know how the target email addresses are being collected, but at this point I don't think there is any inherent danger in using ProtonMail.

As always, stay safe. Choose really good passwords, rotate them periodically, don't share passwords across accounts, use VPN or Tor, be aware of what plugins run in your browser (and what permissions they have), use encryption, etc.

Just my 2 cents.

 
I think it's best to wait for the admins to contact all vendors with protonmail accounts to confirm which vendor(s) have had their accounts compromised. But instructing all vendors with protonmail accounts to change their email seems unnecessary in my opinion though. Protonmail is still a very safe and secure platform, the admins just need to identify the compromised account(s) and warn the vendor(s).

But that's just my opinion, I don't mean to step on anyone's toes. I'm sure we'll be updated soon.

I have received two bogus emails in my Proton Mail account this past week. The first one was the tutanota email with the bitly link that others received, and the other one appeared to be from DHL asking me to log in to track and verify a package shipment. It was bogus as well since I have not ordered anything being shipped by DHL.

I do know I've given my Proton Mail address to only one person, a vendor on this site, in the past 6 to 8 months and that was about two weeks ago.  I am not saying this specific vendor shared/sold my address because I have no proof, but it would be interesting to find out how many others had the same experience after giving out their email address. 

If Proton Mail was aware of a large scale scamming operation on their sites, they would have at least asked everyone to change their passwords.  I've received no communication from them, but I did change my password to something a good bit stronger and turned on 2-Password Authentication.   You used to be required to implement 2-Password on Proton Mail but they removed that requirement over a year ago.  BTW, this is a little off topic, but almost ALL system hacks occurred because of compromised passwords.  

@GungHo That seems pretty conclusive. It might be best to PM an admin to let them know which vendor it was. If this leak of DBG users is down to one vendor it could save a lot of time and hassle.

 
@GungHo That seems pretty conclusive. It might be best to PM an admin to let them know which vendor it was. If this leak of DBG users is down to one vendor it could save a lot of time and hassle.
My thoughts exactly 🙂 Thanks!

 
Someone just reported that they got scammed via this protonmail situation. Apparently the hacker responded to an email reply from within the same thread but from seemingly an entirely different email address. Not nearly enough info to understand what's happening yet, but definitely a warning to check sender headers on all emails and/or hold off on ordering altogether until this gets figured out and aired out... Stay safe everyone!

Question: for those of us who have received the phishing/scam emails (myself included), would it be wise to at least change our pr0ton mail address, since the scammer could theoretically continue to use our leaked email address even at a future time? I am thinking that is what the warning is telling us to do, but I am wondering if still using pr0ton is OK if I change the address?

I thought that pr0ton mail in itself seemed to be a safe email provider. It seems that the leak of a lot of our addresses could have happened with any email provider if the vendor who was hacked/scammed clicked a bogus link or was hacked in some other way?  Or am I incorrect about that? Genuinely asking as I do not know.

I am glad that the warning is posted on DBG as it seems like there may be people who do not know about phishing methods/ scam links and so on. I know I have a LOT more to learn and plan on reading up!!  I am thankful that the admins are on it and are sharing the info for our protection!! Just trying to decide whether to switch to tutan0ta or just a new pr0tonmail address...

Mere speculation, but if it's true that a malicious agent is capable of responding within an email thread from an entirely different email address (and email provider!) then I would say Protonmail itself has been in some way compromised, possibly just at the browser level but still compromised. I mean only a user that's been phished (I assume, as I haven't heard of this particular attack) could be compromised, but that could be any vendor (or member) at any time, which would effectively make Protonmail unsafe in terms of this specific attack, hence the admins' warning. Has anyone heard of this kind of attack?!

Mere speculation, but if it's true that a malicious agent is capable of responding within an email thread from an entirely different email address (and email provider!) then I would say Protonmail itself has been in some way compromised, possibly just at the browser level but still compromised. I mean only a user that's been phished (I assume, as I haven't heard of this particular attack) could be compromised, but that could be any vendor at any time, which would effectively make Protonmail unsafe, hence the admins' warning. Has anyone heard of this kind of attack?!
It could well be an elaborate man-in-the-browser attack (MITB) set up by someone in the DBG community. First phishing a vendor account to obtain a contact list of DBG users, then sending out phishing emails which install the MITB malware. I don't understand exactly how it would work, but MITB malware can be used to modify webpages and possibly hijack email exchanges (making you think you're sending an email to one account when actually it's been sent to another). I'd urge anyone who has clicked on a suspicious link they received in their protonmail account to download Malwarebytes and run a scan.

However if this is happening when using the protonmail iPhone/Android app then that is very scary indeed.

 
Only just saw this thread, but I'm reposting below what I posted in the other thread on this:

I've also been receiving the phishing emails in my Protonmail account. There were quite a few at the end of last week and a few this week.

I stand to be corrected on this, but it's very unlikely that Protonmail itself has been compromised. That would be big news if it had. What's far more likely is that a vendor(s) email account was compromised, the email addresses contained in the address book were harvested and those addresses were spammed with these phishing emails. Clicking on any of the links/opening any of the attachments in those emails likely means either your device was infected with malware and/or your Protonmail account has been compromised. Either way, it's a big problem for all of us.

All members (and vendors for that matter) should ensure they are free of malware and change their mail account passwords asap.

 
@milex An MitB attack does sound likely, but why would they have to use a different email address to send within protonmail? Why not just hijack the browser and send from the browser as normal? I am not up to date on a lot of existing attacks, though I know there's been a lot of work on trying to fully compromise Protonmail as it's one of the preferred emails of choice of a lot of human rights activists....

@lookinforthebiscuits The problem with the theory that it's simply a compromised password associated with a vendor account is the same as I mentioned above: the scam emails are within existing email threads but come from an entirely different email address and provider. If it was a mere account takeover the hacker would just send from the account as normal, which we've seen a lot recently in the RC community.

 
@lookinforthebiscuits The problem with the theory that it's simply a compromised password associated with a vendor account is the same as I mentioned above: the scam emails are within existing email threads but come from an entirely different email address and provider. If it was a mere account takeover the hacker would just send from the account as normal, which we've seen a lot recently in the RC community.
@DoomKitty I take your point, but on the basis the attacker has access to the compromised account, wouldn't they be able to spoof a reply in the thread by simply copying the subject line and sending to the compromised account from a similar looking or completely spoofed email address?

 
@lookinforthebiscuits There’s too little info so it’s hard to wrap my brains around it, but I'm not sure that method would show up in the same thread in Protonmail that way. I mean I don’t have enough info from the reporting member who got scammed to really know what the format looked like, but generally protonmail treats each new response as its own entity, so a copy/paste of the entire convo with a spoofed email wouldn’t work as it would reduce the whole thread to just one response, if that makes sense. In the way you’re thinking it, is the vendor or the customer compromised?

edit: I forgot protonmail looks different on phones and each reply in a thread is completely separate and not tied to the others visibly, so in that case a spoofed email might work. The member said the response with the fake BTC address happened "almost immediately", so that has to be a well-executed spoof if that's the case.

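As an added example (not code from this thread, from Proton, or from any member), here is a small Python check for the header patterns discussed in the last few posts by @DoomKitty and @lookinforthebiscuits: a "reply" threaded into an existing conversation from an address that was never part of it, a Reply-To that diverts answers to another provider, and a display name that imitates an address. All domains and messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed sample messages, not from the thread. SPOOFED_REPLY mimics what
# members described: a reply threaded into the existing conversation but sent
# from another address and provider, behind a look-alike display name.
ORIGINAL = """\
From: buyer@example-proton.test
To: vendor@example-proton.test
Message-ID: <orig-1@example-proton.test>

Can you confirm the payment address?
"""
LEGIT_REPLY = """\
From: vendor@example-proton.test
To: buyer@example-proton.test
In-Reply-To: <orig-1@example-proton.test>

Same address as on the vendor page.
"""
SPOOFED_REPLY = """\
From: "vendor@example-proton.test" <support@example-tuta.test>
Reply-To: payments@example-other.test
To: buyer@example-proton.test
In-Reply-To: <orig-1@example-proton.test>

Use this new BTC address instead: (placeholder)
"""

def domain(addr):
    return addr.rpartition("@")[2].lower()

def thread_participants(raw):
    """Lower-cased addresses in From/To/Cc of the message that started the thread."""
    msg = email.message_from_string(raw, policy=policy.default)
    hdrs = [v for h in ("From", "To", "Cc") if (v := msg.get(h))]
    return {a.lower() for _, a in getaddresses(hdrs) if a}

def check_reply(raw, participants):
    """Return warnings for a message threaded into a known conversation; [] = nothing odd."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    warnings = []
    if "@" in name and name.strip().lower() != addr.lower():   # address-looking display name
        warnings.append(f"display name {name!r} hides real sender {addr}")
    if reply_to and domain(reply_to) != domain(addr):           # answers diverted elsewhere
        warnings.append(f"Reply-To goes to {domain(reply_to)}, not {domain(addr)}")
    if msg.get("In-Reply-To") and addr.lower() not in participants:  # outsider in the thread
        warnings.append(f"threaded reply from outsider {addr}")
    return warnings
```

Run against the constructed samples, the legitimate reply produces no warnings and the spoofed one produces all three, which is the kind of check a mail client's threading view hides from you.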