Possible data breach with AA (SmartFuel) or subcontractors and Realme account creation attempt

Forums › IT Pro and developers › Possible data breach with AA (SmartFuel) or subcontractors and Realme account creation attempt

coastline

1 post

Wannabe Geek
+1 received by user: 1

#290645 24-Nov-2021 23:45

Hi,

Hopefully this is a correct forum area to post in, please let me know if I should move it somewhere else.

I received two emails today from what appears to be an attempt to create a Realme account.

The email headers and message body (base64 encoded) are legit and I confirmed this by trying to register for a realme account (new random email) - I got the confirmation message with the same email headers and message body.

> Received: from smtpi.msn.com (singmehub09.msn.com [207.46.50.230])

Message body only contains some html tables and a few img src that go to microsoft.com (hostname appears to be their cdn part).

A note on the email address. I own my domain and I generate distinct email addresses each time I need to subscribe somewhere. And by that I don't mean dot gmail or plus signs, I mean a real address along the lines of: randomstring@mydomain.co.nz

I don't reuse email addresses and write down in my password safe each time where I used that specific email address to be able to track it down.

The randomstring is truly a random string that cannot be matched accidentally.

This one was used exclusively at AA (and subsequently SmartFuel registration). I double checked this and it's not showing up anywhere else. Last email that this address received was in August 'Upcoming changes to the AA Smartfuel Privacy Policy'. This specific email was sent via m1.ubiquity.co.nz so AA would definitely subcontract their mailing list so anyone downstream could've been breached/leaked email addresses.

This is not something new and I've seen it happening multiple times in the past with lots of websites that get hacked or simply leak email addresses and I normally completely ignore this - but someone attempting to use it to register for Realme is quite worrying.

I went to realme.govt.nz, clicked 'forgot username', entered this email address and thankfully it shows up as:

> Sorry, the email or text mobile number you have entered is not associated with a username.

So it looks like it was just an attempt to create the account using the email address but couldn't go further as the verification code was mandatory.

I was thinking of trying to contact Realme but at this stage is nothing more than just a random (brute force attempt) to create an account.

Nothing really I can do but I was wondering if anyone noticed anything unusual/suspicious recently relating to Realme or similar attempts in case it's a wider issue?

I already have a realme account and checked login activity, all are mine so no issues there (of course I used a different email address for my realme account which is completely separate)

Thank you.

davidcole

6099 posts

Uber Geek
+1 received by user: 1465

Trusted

#2818946 25-Nov-2021 06:35

I did have an email on realme I don’t think it was trying to create an account but attempted to reset password maybe. I can’t remember et the actual text.

I do have aa credentials, but thought that the email address would have been mine standard one. And I can’t remember if it’s the same address as Smartfuel.

So none could be coincidental, as I don’t really have the proof that you do.

Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight

MadEngineer

4591 posts

Uber Geek
+1 received by user: 2570

Trusted

#2818954 25-Nov-2021 07:18

I had a couple of 2fa verification emails from realme at around 1.30am the other day which wasn’t me. Curiously the activity page on my realme account showed nothing.

You're not on Atlantis anymore, Duncan Idaho.

timmmay

20858 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#2818966 25-Nov-2021 07:53

I use the same technique with unique email addresses. It's not unusual at all to get spam on these dedicated email addresses, I think email database compromise is quite common, a quick look at todays spam shows this for:

My Fitness Pal
Mega Macs (probably gone)
Last FM

That's just for today. I expect if I looked back I'd find many, many more.

Oblivian

7345 posts

Uber Geek
+1 received by user: 2117

ID Verified

#2819023 25-Nov-2021 10:20

I have to wonder if someone has cottoned on to the realme accts being used here for Covid QRs and trying the NZ linked info from exploited dbases.

Over the past few weeks my gmail has gone from 2 spam a year if I was lucky. To around 4 Bitcoin/giftcard/etherium trading invite messages /a day/. Looks like I was MyFitnessPal'd (or underarmour/mapmyride) duped at some point. But until recently been no malicious use of it. That said even using bangood etc ends up in 'marketing partner's adding you to all and sundry of spam lists too.

Times like this I wish I had domain'd and done an explicit one for each signup too :/

Ge0rge

2114 posts

Uber Geek
+1 received by user: 2060

Trusted

Lifetime subscriber

#2820769 28-Nov-2021 22:00

@timmmay:

I use the same technique with unique email addresses. It's not unusual at all to get spam on these dedicated email addresses, I think email database compromise is quite common, a quick look at todays spam shows this for:

My Fitness Pal
Mega Macs (probably gone)
Last FM
That's just for today. I expect if I looked back I'd find many, many more.

Could you please point a novice at some reading material on how this is done please? I currently have a domain name with metaname, as far as I can tell they don't do email hosting so would I need to move providers? I do know enough to know I don't know anywhere near enough to host my own email server at home, but do like the technique described here with unique email address.

Thanks.

dfnt

1553 posts

Uber Geek
+1 received by user: 1036

Trusted

Lifetime subscriber

#2820785 29-Nov-2021 01:08

I use https://simplelogin.io with my own domain

It has a Chrome plugin and I create a unique email/alias for each site, although its little too late for my primary email which has been on quite a few breaches now. But at least going forward I'll know which site has leaked my details.

There's many ways to do it but I prefer the simple and easy option, though one thing I like with simplelogin is that I can reply to an email sent to the alias and the recipient sees the alias address not my real email.

Samsung

Shop now on Samsung phones, tablets, TVs and more (affiliate link).

fe31nz

1294 posts

Uber Geek
+1 received by user: 423

#2820786 29-Nov-2021 03:38

Ge0rge:

Could you please point a novice at some reading material on how this is done please? I currently have a domain name with metaname, as far as I can tell they don't do email hosting so would I need to move providers? I do know enough to know I don't know anywhere near enough to host my own email server at home, but do like the technique described here with unique email address.

Thanks.

Hosting your own email server at home is a fairly fraught business - not something you want to do unless you want to put a fair bit of time into it. But if you have your own domain, you can pay email services to run email for your domain. The problem is that they usually charge per email address for such services, which is not at all what you want if you are going to create and destroy temporary email addresses all the time. You could look around and see if there are any providers that will support you having unlimited email addresses on a domain for a minimal cost, or only charge your for having up to say 5 email addresses and do not care if you change them all the time. I use www.dynu.com as the MX backup service for my email server - they might have an option for that sort of thing.

With your own email server, you can create and destroy as many email addresses as you like. Once a temporary email address has been destroyed, any incoming emails for that address will be bounced with a message saying that address does not exist. Then you can look at your log files and see all the log messages about spammers trying to use those email addresses. It is quite fun watching all the failed attempts. They usually way outnumber real emails though, and sometimes you get a bot that is very persistent and is trying several times a second and just never goes away. For them, you have to use software like fail2ban, or (as I do) manually add those IP addresses to my router's blacklist.

So how are you getting your email now? Is it using your domain, or is it a third party like a gmail account?

timmmay

20858 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#2820787 29-Nov-2021 06:02

Ge0rge:

Could you please point a novice at some reading material on how this is done please? I currently have a domain name with metaname, as far as I can tell they don't do email hosting so would I need to move providers? I do know enough to know I don't know anywhere near enough to host my own email server at home, but do like the technique described here with unique email address.

The way I do it is extremely simple:

Activate the catchall email for your domain. That way any email sent to any address at the domain arrives at your nominated inbox.
When you sign up to an account at use that domain as the prefix. For example if your domain is example.com and you're signing up for Amazon AU you'd use amazon.com.au@example.com

freitasm

BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41040

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2820844 29-Nov-2021 07:42

fe31nz:

Ge0rge:

Could you please point a novice at some reading material on how this is done please? I currently have a domain name with metaname, as far as I can tell they don't do email hosting so would I need to move providers? I do know enough to know I don't know anywhere near enough to host my own email server at home, but do like the technique described here with unique email address.

Thanks.

The problem is that they usually charge per email address for such services, which is not at all what you want if you are going to create and destroy temporary email addresses all the time.

This is going off topic. Perhaps @Ge0rge could create a new topic asking how to create multiple emails so you can have one for each service.

By the way, most providers charge per account - not per email address. Some providers will offer email aliases, which is just a different email address for an account.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.