Geekzone: technology news, blogs, forums
RC (19 posts, Geek)
#303336 2-Feb-2023 11:16


A client who uses Xtramail has recently received half a dozen emails with a display name of a mutual contact. The mutual contact has a Gmail account and I haven't received anything dodgy related to the mutual contact.

I speculate that either:

1. The mutual contact's gmail account or other data has been compromised allowing the scammer(s) to obtain his email contact list. I.e. My client's Xtramail account has not been hacked.

2. The client's Xtramail account has been hacked.

Are there any clues in the email header / properties?

Is it possible to identify which ISPs, domains, etc are being used by the scammer from the email properties?

(client and mutual contact details removed for privacy reasons)

Email (as seen by client when email is opened)

From: [MUTUAL CONTACT NAME] <ts-1515@thestudylecole.edu.in>

Subject: Fwd: Message from [MUTUAL CONTACT NAME]

Message body text:

-----Original Message-----

Should have emailed them a little earlier - anyway here are these photos

now: http://www.tztvl.rteprro.com/

**********************

Header / Properties:

Received: from IND01-BMX-obe.outbound.protection.outlook.com ([40.107.239.129])
    by mx.xtra.co.nz with ESMTP (using TLSv1.2
    with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    id 63A5E5C2-98D12344@mta2301; Fri, 23 Dec 2022 17:30:43 +0000
Received: from xtra.co.nz ([10.23.30.21])
    by 10.23.30.101 with LMTP
    id IK/ZKcPlpWNoOAAAxkc+lQ:T4
    (envelope-from <TS-1515@thestudylecole.edu.in>); Fri, 23 Dec 2022 17:30:43 +0000
Received: from PN3P287MB0129.INDP287.PROD.OUTLOOK.COM
 ([fe80::6539:120a:d6ae:6d82]) by PN3P287MB0129.INDP287.PROD.OUTLOOK.COM
 ([fe80::6539:120a:d6ae:6d82%8]) with mapi id 15.20.5924.016; Fri, 23 Dec 2022
 17:30:38 +0000
Received: from PN3P287MB0129.INDP287.PROD.OUTLOOK.COM (2603:1096:c01:d8::8) by
 MA0P287MB0515.INDP287.PROD.OUTLOOK.COM (2603:1096:a01:b9::5) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5924.16; Fri, 23 Dec 2022 17:30:38 +0000
Received: from 10.23.30.101 ([10.23.30.21])
    by 10.23.40.143 with LMTP
    id IK/ZKcPlpWNoOAAAxkc+lQ:T4:P1
    (envelope-from <TS-1515@thestudylecole.edu.in>); Fri, 23 Dec 2022 17:30:43 +0000
Received: from 10.23.40.143 ([10.23.30.21])
    by 10.23.40.60 with LMTP
    id IK/ZKcPlpWNoOAAAxkc+lQ:T4:P1:P1
    (envelope-from <TS-1515@thestudylecole.edu.in>); Fri, 23 Dec 2022 17:30:43 +0000
Return-Path: <TS-1515@thestudylecole.edu.in>
From: "MUTUAL CONTACT NAME" <ts-1515@thestudylecole.edu.in>
To: <CLIENT NAME@xtra.co.nz>
Subject: Fwd: Message from [MUTUAL CONTACT NAME]
Date: Sat, 24 Dec 2022 06:30:36 +1300
Message-ID: <PN3P287MB0129A49EDD351EDB6471B8D4B9E99@PN3P287MB0129.INDP287.PROD.OUTLOOK.COM>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AdkW9EiZAlrFz3qBSNaeQTybpbHhjQ==
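The following is an added example, not code from the thread or from any of the posters. It answers the two questions above mechanically: it parses the Received chain to find the relay that handed the message to the client's MX, compares the visible From: display name and address with the envelope sender and with the contact's real address, and lists the hostnames linked from the body. RAW is the header block and body quoted in the post (redactions kept, minus a few unused headers). RECIPIENT_MX is read off the first Received line; KNOWN_CONTACT is an assumed stand-in for the mutual contact's genuine Gmail address. The functions are generic and will work on any pasted header block, not only this one.

```python
"""Triage the headers of a suspected display-name spoof (added example)."""
import email
import re
from email.utils import parseaddr

RECIPIENT_MX = "mx.xtra.co.nz"                                        # from the first Received line
KNOWN_CONTACT = ("MUTUAL CONTACT NAME", "mutual.contact@gmail.com")  # assumption: the real address

# Headers and body as quoted in the post (redactions kept).
RAW = """\
Received: from IND01-BMX-obe.outbound.protection.outlook.com ([40.107.239.129])
    by mx.xtra.co.nz with ESMTP (using TLSv1.2
    with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    id 63A5E5C2-98D12344@mta2301; Fri, 23 Dec 2022 17:30:43 +0000
Received: from xtra.co.nz ([10.23.30.21])
    by 10.23.30.101 with LMTP
    id IK/ZKcPlpWNoOAAAxkc+lQ:T4
    (envelope-from <TS-1515@thestudylecole.edu.in>); Fri, 23 Dec 2022 17:30:43 +0000
Received: from PN3P287MB0129.INDP287.PROD.OUTLOOK.COM
 ([fe80::6539:120a:d6ae:6d82]) by PN3P287MB0129.INDP287.PROD.OUTLOOK.COM
 ([fe80::6539:120a:d6ae:6d82%8]) with mapi id 15.20.5924.016; Fri, 23 Dec 2022
 17:30:38 +0000
Return-Path: <TS-1515@thestudylecole.edu.in>
From: "MUTUAL CONTACT NAME" <ts-1515@thestudylecole.edu.in>

Should have emailed them a little earlier - anyway here are these photos
now: http://www.tztvl.rteprro.com/
"""

# from <host> ([<ip>]) ... by <host> ... with <protocol>
HOP_RE = re.compile(
    r"from\s+(\S+)(?:\s+\(\[?([0-9a-f.:]+)\]?\))?.*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)


def received_chain(msg):
    """Received headers newest-first, reduced to from/ip/by/protocol.
    Only the line written by your own MX is trustworthy; every line below it
    was supplied by the sender and may be forged."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2),
                         "by": m.group(3), "proto": m.group(4).upper()})
    return hops


def first_external_hop(msg, recipient_mx=RECIPIENT_MX):
    """The relay that handed the message to the recipient's inbound MX."""
    for hop in received_chain(msg):
        if hop["by"].lower() == recipient_mx:
            return hop
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_checks(msg, known=KNOWN_CONTACT):
    """Compare the visible From: with the envelope sender and the real contact."""
    name, addr = parseaddr(msg.get("From", ""))
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    return {
        "display_name": name,
        "from_domain": domain_of(addr),
        "return_path_domain": domain_of(return_path),
        # header From: and envelope sender agree: SPF can pass for the sender's own domain
        "envelope_aligned": domain_of(addr) == domain_of(return_path),
        # a familiar name on an unfamiliar address is the classic display-name spoof
        "display_name_spoof": (name.lower() == known[0].lower()
                               and addr.lower() != known[1].lower()),
    }


def link_hosts(msg):
    """Hostnames linked from the body: the third piece of infrastructure to report."""
    return sorted({h.lower().removeprefix("www.") for h in URL_RE.findall(msg.get_payload())})


def triage(raw=RAW):
    msg = email.message_from_string(raw)
    hop = first_external_hop(msg)
    return {
        "chain": received_chain(msg),
        "handed_to_mx_by": hop["from"] if hop else None,
        "handoff_ip": hop["ip"] if hop else None,
        # *.outbound.protection.outlook.com is Microsoft 365's outbound relay
        "relay_is_microsoft365": bool(hop and hop["from"].lower()
                                      .endswith("outbound.protection.outlook.com")),
        # arrived from outside through the MX; nothing shows the client's account submitting it
        "arrived_from_outside": hop is not None,
        "sender": sender_checks(msg),
        "link_hosts": link_hosts(msg),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run as a script it reports that the message reached mx.xtra.co.nz from 40.107.239.129 (a Microsoft 365 outbound relay), that the envelope sender and From: both belong to thestudylecole.edu.in while the display name is the mutual contact's, and that the body links to tztvl.rteprro.com. The pasted headers carry no Authentication-Results line; if the client's mail system adds one, its spf= and dkim= results are the next thing to read. To confirm the point made later in the thread about the sending organisation, resolve that domain's records offline from this script (for example `dig +short MX thestudylecole.edu.in` and its TXT SPF record) and look for `*.mail.protection.outlook.com` and `include:spf.protection.outlook.com`, which would show its mail is hosted on Microsoft 365 and make a compromised mailbox in that tenant the simplest explanation.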
snnet (1413 posts, Uber Geek)
#3031485 3-Feb-2023 21:03

The headers suggest the xtra mail account isn't compromised; as for the other address, a giveaway would be if that organisation uses Microsoft for its mail service.
yitz (2239 posts, Uber Geek)
#3031539 3-Feb-2023 21:36

It's possible the mutual contact's contact list has been stolen but the e-mail filtering solution you use has rejected the message before it hits your inbox whereas your client's Xtra Mail filtering has let it through. Or they are targeting xtra.co.nz address because they know the filtering is bad and people who use xtra are suckers 🤣
RC (19 posts, Geek)
#3031775 4-Feb-2023 15:51

My client who uses XtraMail received the dodgy emails.

The mutual contact's genuine email address is a gmail account & our organisation uses a MS Exchange Server, Outlook, etc. My client thoughtfully sent the dodgy emails she received as attachments to an email she composed and sent to me, so the email header / properties which I copied out of one of the dodgy emails has not been processed through our email system.

From the replies to my question, I gather that my client's XtraMail does not appear to be hacked. That suggests one of the following:

1. that the mutual contact has had his Gmail account hacked (unlikely but possible, esp. if he isn't using 2FA); or

2. that either my client or the mutual contact has had a device hacked with the result that an email contact list has been stolen.

I suppose there's also the possibility that a 3rd party who has been privy to emails sent or received between client and mutual contact has been hacked (email account or device).

Result: Advise both mutual contact and client to change their email account and device passwords and perform a full virus / spyware scan on their devices?
yitz (2239 posts, Uber Geek)
#3031837 4-Feb-2023 18:38

The information could be from multiple historical Yahoo! and Xtra mass breaches around 2013-2014, so the situation might depend on how long you and your client have had the mutual contact. I believe password resets were mandated when the Xtra Mail system was moved back in-house/SMX back in 2017. I don't believe there have been any wide scale breaches since then.
tdgeek (30048 posts, Uber Geek, Trusted, Lifetime subscriber)
#3031886 4-Feb-2023 19:11

Mark as spam, that trains the filters
RC (19 posts, Geek)
#3032937 7-Feb-2023 16:38

yitz:

    The information could be from multiple historical Yahoo! and Xtra mass breaches around 2013-2014, so the situation might depend on how long you and your client have had the mutual contact. I believe password resets were mandated when the Xtra Mail system was moved back in-house/SMX back in 2017. I don't believe there have been any wide scale breaches since then.

Yes, I remember when Yahoo left the back door open and allowed anyone who could access a yahoo mail active session cookie to gain access to the account linked to that cookie. It affected 1000s of Spark customers and led to Spark engaging a new (local I believe) external email provider - which in turn led to about a year of unending problems trying to send email to clients with XtraMail with our emails getting blocked as spam or fraudulent due to the aggressive filtering (no doubt because Xtra's user base is NZ's no.1 target for online fraud).

I thought this had all settled down, but it transpires the warning email I sent my client last Thursday did not hit her inbox (or junk / spam folder) and nor did the 2 emails I sent by forwarding the original email when I was with her on the phone today. She was receiving other emails from me, so I copied the text out of the original warning email into a new email and substituted all instances of the mutual contact's name with his profession and voilà, she received that email within seconds of me hitting send. As a result, I now suspect that Xtra Mail's filter is now flagging up emails with text containing the mutual reference's name. Good one Spark!

I wish my friends, family and clients would bid Xtra Mail farewell & suspect that Spark would dearly love that too.