Geekzone: technology news, blogs, forums
RC

#303336 2-Feb-2023 11:16

A client who uses Xtramail has recently received half a dozen emails with a display name of a mutual contact. The mutual contact has a Gmail account and I haven't received anything dodgy related to the mutual contact.

I speculate that either:

1. The mutual contact's Gmail account or other data has been compromised, allowing the scammer(s) to obtain his email contact list, i.e. my client's Xtramail account has not been hacked.

2. The client's Xtramail account has been hacked.

Are there any clues in the email header / properties?

Is it possible to identify which ISPs, domains, etc. are being used by the scammer from the email properties?

(client and mutual contact details removed for privacy reasons)

Email (as seen by client when email is opened)

From: [MUTUAL CONTACT NAME] <ts-1515@thestudylecole.edu.in>

Subject: Fwd: Message from [MUTUAL CONTACT NAME]

Message body text:

-----Original Message-----

Should have emailed them a little earlier - anyway here are these photos

now: http://www.tztvl.rteprro.com/

**********************

Header / Properties:
Received: from IND01-BMX-obe.outbound.protection.outlook.com ([40.107.239.129])
    by mx.xtra.co.nz with ESMTP (using TLSv1.2
    with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    id 63A5E5C2-98D12344@mta2301; Fri, 23 Dec 2022 17:30:43 +0000
Received: from xtra.co.nz ([10.23.30.21])
    by 10.23.30.101 with LMTP
    id IK/ZKcPlpWNoOAAAxkc+lQ:T4
    (envelope-from <TS-1515@thestudylecole.edu.in>); Fri, 23 Dec 2022 17:30:43 +0000
Received: from PN3P287MB0129.INDP287.PROD.OUTLOOK.COM
 ([fe80::6539:120a:d6ae:6d82]) by PN3P287MB0129.INDP287.PROD.OUTLOOK.COM
 ([fe80::6539:120a:d6ae:6d82%8]) with mapi id 15.20.5924.016; Fri, 23 Dec 2022
 17:30:38 +0000
Received: from PN3P287MB0129.INDP287.PROD.OUTLOOK.COM (2603:1096:c01:d8::8) by
 MA0P287MB0515.INDP287.PROD.OUTLOOK.COM (2603:1096:a01:b9::5) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5924.16; Fri, 23 Dec 2022 17:30:38 +0000
Received: from 10.23.30.101 ([10.23.30.21])
    by 10.23.40.143 with LMTP
    id IK/ZKcPlpWNoOAAAxkc+lQ:T4:P1
    (envelope-from <TS-1515@thestudylecole.edu.in>); Fri, 23 Dec 2022 17:30:43 +0000
Received: from 10.23.40.143 ([10.23.30.21])
    by 10.23.40.60 with LMTP
    id IK/ZKcPlpWNoOAAAxkc+lQ:T4:P1:P1
    (envelope-from <TS-1515@thestudylecole.edu.in>); Fri, 23 Dec 2022 17:30:43 +0000
Return-Path: <TS-1515@thestudylecole.edu.in>
From: "MUTUAL CONTACT NAME" <ts-1515@thestudylecole.edu.in>
To: <CLIENT NAME@xtra.co.nz>
Subject: Fwd: Message from [MUTUAL CONTACT NAME]
Date: Sat, 24 Dec 2022 06:30:36 +1300
Message-ID: <PN3P287MB0129A49EDD351EDB6471B8D4B9E99@PN3P287MB0129.INDP287.PROD.OUTLOOK.COM>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AdkW9EiZAlrFz3qBSNaeQTybpbHhjQ==
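An added example (not from the poster or Geekzone) that parses the headers quoted above to show what they actually tell you: the Received chain (the final hop is from outbound.protection.outlook.com into mx.xtra.co.nz, so the message was relayed through Microsoft 365 into Xtra, not sent from the Xtra account), and that the address behind the familiar display name is at thestudylecole.edu.in rather than the contact's real provider. It assumes, as the post states, that the contact's genuine domain is gmail.com; the internal LMTP hops are omitted from the sample.

```python
import email
import email.utils
import re

# Header lines copied from the post above (names were redacted there already);
# the internal LMTP hops are left out to keep the sample short.
RAW_HEADERS = """\
Received: from IND01-BMX-obe.outbound.protection.outlook.com ([40.107.239.129])
    by mx.xtra.co.nz with ESMTP (using TLSv1.2
    with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    id 63A5E5C2-98D12344@mta2301; Fri, 23 Dec 2022 17:30:43 +0000
Received: from PN3P287MB0129.INDP287.PROD.OUTLOOK.COM
 ([fe80::6539:120a:d6ae:6d82]) by PN3P287MB0129.INDP287.PROD.OUTLOOK.COM
 ([fe80::6539:120a:d6ae:6d82%8]) with mapi id 15.20.5924.016; Fri, 23 Dec 2022
 17:30:38 +0000
Return-Path: <TS-1515@thestudylecole.edu.in>
From: "MUTUAL CONTACT NAME" <ts-1515@thestudylecole.edu.in>

"""

# "from <host> (<ip>) ... by <host>" within one unfolded Received header value.
HOP_RE = re.compile(r"from\s+(?P<src>\S+)(?:\s+\(\[?(?P<ip>[^\])]+)\]?\))?.*?\bby\s+(?P<dst>\S+)")

def received_chain(msg):
    """Hops oldest-first as (sending host, its IP if logged, receiving host)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # top header = last hop
        m = HOP_RE.search(" ".join(value.split()))      # unfold continuation lines
        if m:
            hops.append((m["src"], m["ip"], m["dst"]))
    return hops

def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return email.utils.parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyse(raw, expected_domain):
    """Flag display-name spoofing: a familiar name on an address at a foreign domain."""
    msg = email.message_from_string(raw)
    hops = received_chain(msg)
    from_domain = domain_of(msg["From"])
    return {
        "display_name": email.utils.parseaddr(msg["From"])[0],
        "from_domain": from_domain,
        "return_path_domain": domain_of(msg["Return-Path"]),
        "display_name_spoof": from_domain != expected_domain.lower(),
        "hops": hops,
        "last_external_relay": hops[-1][0] if hops else None,  # who handed it to our MX
    }
```

Calling `analyse(RAW_HEADERS, "gmail.com")` reports the spoof flag set, matching From and Return-Path domains (so it is an ordinary send from that .edu.in mailbox, not a forged envelope), and a last external relay under outbound.protection.outlook.com.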
snnet
  #3031485 3-Feb-2023 21:03

The headers suggest the Xtra mail account isn't compromised; as for the other address, a giveaway would be if that organisation uses Microsoft for its mail service.

yitz
  #3031539 3-Feb-2023 21:36

It's possible the mutual contact's contact list has been stolen but the e-mail filtering solution you use has rejected the message before it hits your inbox, whereas your client's Xtra Mail filtering has let it through. Or they are targeting xtra.co.nz addresses because they know the filtering is bad and people who use Xtra are suckers 🤣


RC

  #3031775 4-Feb-2023 15:51

My client who uses XtraMail received the dodgy emails.

The mutual contact's genuine email address is a Gmail account & our organisation uses a MS Exchange Server, Outlook, etc. My client thoughtfully sent the dodgy emails she received as attachments to an email she composed and sent to me, so the email header / properties which I copied out of one of the dodgy emails has not been processed through our email system.

From the replies to my question, I gather that my client's XtraMail does not appear to be hacked. That suggests one of the following:

1. that the mutual contact has had his Gmail account hacked (unlikely but possible, esp. if he isn't using 2FA); or

2. that either my client or the mutual contact has had a device hacked with the result that an email contact list has been stolen.

I suppose there's also the possibility that a 3rd party who has been privy to emails sent or received between client and mutual contact has been hacked (email account or device).

Result: Advise both mutual contact and client to change their email account and device passwords and perform a full virus / spyware scan on their devices?




yitz
  #3031837 4-Feb-2023 18:38

The information could be from multiple historical Yahoo! and Xtra mass breaches around 2013-2014, so the situation might depend on how long you and your client have had the mutual contact. I believe password resets were mandated when the Xtra Mail system was moved back in-house/SMX back in 2017. I don't believe there have been any wide scale breaches since then.


tdgeek
  #3031886 4-Feb-2023 19:11

Mark as spam; that trains the filters.


RC

  #3032937 7-Feb-2023 16:38

yitz:

The information could be from multiple historical Yahoo! and Xtra mass breaches around 2013-2014, so the situation might depend on how long you and your client have had the mutual contact. I believe password resets were mandated when the Xtra Mail system was moved back in-house/SMX back in 2017. I don't believe there have been any wide scale breaches since then.

Yes, I remember when Yahoo left the back door open and allowed anyone who could access a Yahoo mail active session cookie to gain access to the account linked to that cookie. It affected 1000s of Spark customers and led to Spark engaging a new (local, I believe) external email provider, which in turn led to about a year of unending problems trying to send email to clients with XtraMail, with our emails getting blocked as spam or fraudulent due to the aggressive filtering (no doubt because Xtra's user base is NZ's no.1 target for online fraud).

I thought this had all settled down, but it transpires the warning email I sent my client last Thursday did not hit her inbox (or junk / spam folder), and nor did the 2 emails I sent by forwarding the original email when I was with her on the phone today. She was receiving other emails from me, so I copied the text out of the original warning email into a new email and substituted all instances of the mutual contact's name with his profession and voila, she received that email within seconds of me hitting send. As a result, I now suspect that Xtra Mail's filter is now flagging up emails with text containing the mutual reference's name. Good one Spark!

I wish my friends, family and clients would bid Xtra Mail farewell & suspect that Spark would dearly love that too.

