

outdoorsnz

694 posts

Ultimate Geek
+1 received by user: 303

ID Verified

#316014 8-Sep-2024 15:15

Helping a friend via phone (not in person) on this.

 

So many related parties received the classic phishing email, "Sorry to ask, do you have a free moment over email? Please let me know! " from this person, and judging from the phone calls, quite a few have fallen for this already!!!

 

i.e. it was reported to them that friends received a call from the warehouse, assuming for gift card purchases etc.

 

I've looked at the source of the email and it looks like any other xtra email, mailed using Open-Xchange Mailer v7.10.6-Rev67

 

Assuming this is all spoofed using database from past hacks and they are being targeted.

 

We went through with them what emails they had recently viewed and links clicked etc, and the only thing that came up was they thought they received an email from Spark (or xtra) that mentioned something about being with them for a long time and program needs updating, and they clicked on an update button that did nothing. Which to me is a red flag.

 

They assure me no passwords etc were passed over.

 

The question is, has their xtra email account password been hacked or all 100% just been spoofed?

 

What would be the best advice here?

 

     

  1. Reset iPhone / iPad?
  2. Change xtra account password
  3. Def call the bank and reset details there
  4. Change email address as guessing they will be on the target list

 

Thanks


Goosey
3014 posts

Uber Geek
+1 received by user: 867

Subscriber

  #3280048 8-Sep-2024 17:28

Yes to 1 & 2

 

unsure what relevance #3 would have?

 

as for 4, get them to get themselves a Gmail or Outlook account and start the process of updating all services and subscriptions they have to point to that new email and for the added benefit, change their passwords for those services or subscriptions at the same time.

they don’t have to try and do this asap…just try one or two services and subscriptions a week until it’s done.




blu3max
3 posts

Wannabe Geek
+1 received by user: 1


  #3280657 10-Sep-2024 13:07

Yeah we have just come across the same email client (Open Xchange) and exact same message on another xtra email account today.

Breach, guessed password, or spoofing?

It appears to be automated and in an info gathering stage.


richms
29098 posts

Uber Geek
+1 received by user: 10208

Trusted
Lifetime subscriber

  #3280677 10-Sep-2024 14:34

We had one with the same opening from an xtra address a couple of weeks back. When the staff replied saying how can I help, the reply was blocked and when looked at was a gift card buying scam one. Didn't even pretend to be from anyone here.





Richard rich.ms



outdoorsnz

694 posts

Ultimate Geek
+1 received by user: 303

ID Verified

  #3280955 11-Sep-2024 14:33

This wasn't a PW account hack. Most likely clicked on email link and exposed through the active email session. Resolved now.

 

Good reminder, don't trust any email and don't click the link...

 

Thanks


richms
29098 posts

Uber Geek
+1 received by user: 10208

Trusted
Lifetime subscriber

  #3288495 1-Oct-2024 11:00

Another..


From: XXXXX <XXXXXX@xtra.co.nz> 
Sent: Saturday, 28 September 2024 2:46 PM
Subject: Keeping in touch :)

 

________________________________________
This Email is From an External Sender.                                        
________________________________________
This message came from outside your organization.Please be careful clicking links and opening attachments if you don't know this sender. Please report suspicious emails to the IT department.
________________________________________
-- 
Hello. I have a very important issue which I'll like you to help me out. 
Sorry to ask, do you have a free moment over email? Please let me know! 
Thanks 
  
XXXXX





Richard rich.ms

SirHumphreyAppleby
2938 posts

Uber Geek
+1 received by user: 1860


  #3288499 1-Oct-2024 11:22

outdoorsnz:

 

Good reminder, don't trust any email and don't click the link...

 

 

Verify the source of the e-mail before clicking the link.


 
 
 

rhy7s
673 posts

Ultimate Geek
+1 received by user: 147


  #3292992 4-Oct-2024 15:23

outdoorsnz:

 

This wasn't a PW account hack. Most likely clicked on email link and exposed through the active email session. Resolved now.

 

Good reminder, don't trust any email and don't click the link...

 

Thanks

 

 

Just had one of these from a friend on Xtra. Can I get some more clarification on the details above? The scammer receives a reply sent to the Xtra address but then reaches out with the gift card scam from a Gmail account with the same username as the Xtra account. Do they have a session open to the Xtra account without having gained access to the password? Or have set up forwarding during the compromised session?


daveymg
20 posts

Geek
+1 received by user: 4


  #3309379 15-Nov-2024 14:12

I've dealt with a few of these lately. The attacker appears to gain access to the xtra mailbox and sets a forward to a Gmail address set up with the same username. They also change recovery info so the xtra user can't reset the password online and has to get resolution via the helpdesk.

 

I've just had a repeat email from someone who was previously hacked and has been through the process of changing the password etc. No idea though as to how the hack is being repeated.
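
Added example, not part of any post in this thread: a small Python triage helper for the pattern described above, where the follow-up arrives from a Gmail address reusing the xtra username and the mailbox has a forward to that same address. The contact list, addresses and sample message are constructed, and the forwarding targets are assumed to have been read manually from the webmail settings.

```python
from email import message_from_string
from email.utils import parseaddr

# Lure wording quoted in the thread.
LURE_PHRASES = ("do you have a free moment over email",)

def split_addr(addr):
    """Return (local_part, domain), lower-cased, from a header value or bare address."""
    local, _, domain = parseaddr(addr)[1].lower().rpartition("@")
    return local, domain

def lookalike_of(sender, known_contacts):
    """Return the known contact whose username matches sender but whose domain differs."""
    local, domain = split_addr(sender)
    for contact in known_contacts:
        c_local, c_domain = split_addr(contact)
        if local and local == c_local and domain != c_domain:
            return contact
    return None

def suspicious_forwards(owner, forward_targets):
    """Forward targets outside the owner's domain that reuse the owner's username."""
    o_local, o_domain = split_addr(owner)
    return [t for t in forward_targets
            if split_addr(t)[1] != o_domain and split_addr(t)[0] == o_local]

def triage(raw_message, known_contacts):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    match = lookalike_of(msg.get("From", ""), known_contacts)
    if match:
        findings.append(f"sender imitates known contact {match}")
    payload = msg.get_payload()
    body = payload.lower() if isinstance(payload, str) else ""
    if any(p in body for p in LURE_PHRASES):
        findings.append("body contains known lure phrase")
    return findings

# Constructed sample data (not taken from the thread).
CONTACTS = ["jane.example@xtra.co.nz"]
FOLLOW_UP = ("From: Jane <jane.example@gmail.com>\n"
             "Subject: Re: Keeping in touch :)\n\n"
             "Thanks for replying. Sorry to ask, do you have a free moment over email?\n")

if __name__ == "__main__":
    print(triage(FOLLOW_UP, CONTACTS))
    print(suspicious_forwards("jane.example@xtra.co.nz",
                              ["jane.example@gmail.com", "family@xtra.co.nz"]))
```

A forward that survives a password change would keep delivering replies to the outside address, so the forwarding and recovery settings are worth checking alongside the password reset.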

