dry247's store may have been hacked

Status
Not open for further replies.

bambinod (Est. Contributor, Diaper Lover):
I run my own mailserver and make my own email addresses up as needed. Each business I email gets a different address to use with me. So if I get spammed or virus/phish emails, I know where they leaked, and can just disable the address if it gets annoying. (I don't have to cave and get a whole new email address if I can't stand the spam anymore)

Anyway. My paypal address just got phished. I've had that happen a few times before, but I've never seen any hint of identifying information in the email. (I do a bit of forensics on them usually if I'm bored)

THIS time however, I got a hit. The phish directs me to www.dry247.com/cashe/mol.html (the "click here to verify your account information") This link was hidden under two layers of armor to make it very hard for av/spam scanners to spot. It's very rare to see something this well obfuscated.

I ordered twice from dry247 in june, and paid using paypal.

I think it's safe to conclude they had a break-in and theft of information including at least some ordering information, including paypal address. And they did the unusual thing of hosting their phishing form on the same server they stole the data from. (they relayed the spam through another hacked server at lesimpotsfrance.onmicrosoft.com)

That link is now displaying correct information, so they've probably caught and plugged the hole. But you might want to keep a closer eye on your paypal information for the next few months.

I'd be curious to know if anyone else here gets one of these.

EDIT... well, I should have kept reading my mail. The very next one was an identical phishing message, sent to the email address I gave drycare for my order.... I'd say I've confirmed a hack beyond all doubt.
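The two techniques in the post above, a unique address per vendor so the recipient address itself names the leak, and a phishing link hidden under encoding layers so scanners miss it, as an added example that is not part of the original thread or the poster's own tooling. The vendor address directory and the sample message are constructed for illustration (example domains only); the script decodes the transfer encoding and HTML entities, maps the recipient address back to the vendor it was given to, and flags anchors whose visible text points at a different host than the real href.

```python
import email
import email.utils
import html
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical directory (not from the post): each address was handed to
# exactly one business, so a phish arriving at it identifies the leak.
VENDOR_ADDRESSES = {
    "orders-shopa@example.org": "shop-a",
    "pay-provider@example.org": "payment-provider",
    "news-shopb@example.org": "shop-b",
}

# Constructed sample phish. Two layers hide the link: the body is
# quoted-printable (note the =3D and the soft line break ending in "=")
# and the href spells "www." with numeric HTML entities.
SAMPLE_PHISH = b"""\
Return-Path: <bounce@relay.example.net>
Delivered-To: orders-shopa@example.org
From: "Payment Provider" <service@payments.example.com>
To: orders-shopa@example.org
Subject: Verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body><p>Your account is limited.</p>
<p><a href=3D"http://&#119;&#119;&#119;&#46;example-evil.net/cashe/mol.h=
tml">https://payments.example.com/verify</a></p></body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # HTMLParser already decodes entities in attributes; unescape
            # once more to catch a doubly-encoded href.
            self.links.append((html.unescape(self._href), "".join(self._text).strip()))
            self._href = None


def recipient_addresses(msg):
    """All addresses the message was delivered to, lower-cased."""
    addrs = set()
    for header in ("To", "Cc", "Delivered-To", "X-Original-To"):
        for value in msg.get_all(header, []):
            for _, addr in email.utils.getaddresses([str(value)]):
                if addr:
                    addrs.add(addr.lower())
    return addrs


def extract_links(msg):
    """Anchors from every text/html part, after transfer-encoding decode."""
    links = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = _AnchorCollector()
        parser.feed(part.get_content())  # decodes quoted-printable/base64 + charset
        parser.close()
        links.extend(parser.links)
    return links


def deceptive_links(links):
    """Anchors whose visible text is a URL on a different host than the href."""
    flagged = []
    for href, text in links:
        if "://" not in text:
            continue
        if urlparse(href).hostname != urlparse(text).hostname:
            flagged.append((href, text))
    return flagged


def analyze(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    leaked_via = sorted({VENDOR_ADDRESSES[a] for a in recipient_addresses(msg)
                         if a in VENDOR_ADDRESSES})
    links = extract_links(msg)
    return {"leaked_via": leaked_via, "links": links, "deceptive": deceptive_links(links)}


if __name__ == "__main__":
    report = analyze(SAMPLE_PHISH)
    print("address leaked via:", report["leaked_via"])
    for href, text in report["deceptive"]:
        print("deceptive link: shows", text, "but goes to", href)
```

Run against a real mailbox, feed each raw message to `analyze()`; a non-empty `leaked_via` tells you which vendor's address the phisher holds, and `deceptive` gives the real destination to report or block. A plain regex over the raw bytes would have found neither the vendor hit nor the URL here, because both the quoted-printable soft break and the entity-encoded host split the string.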
 

bambinod (Est. Contributor, Diaper Lover):
As of this morning I've received two more very different looking phishing attempts to two different email addresses I have used with other vendors. In both cases, the attacks were very specifically customized to look like they came from the business I made the email address for. And in one case they used the exact same image link internally as I found in another one. I believe many of these are coming from the same group of phishers.

My bet is that they've finally finished digesting all the data they stole from Heartbleed and are using it for targeted phishing, sending phishing emails customized to the site where they stole the address from. Everyone should be very much on their guard for phishing emails in general over the next month or so. Anyone that doesn't really understand what this "phishing" is should read up on it NOW. http://en.wikipedia.org/wiki/Phishing
 

Vyse (Est. Contributor, Diaper Lover):
This is an interesting development; everyone kinda just forgot about Heartbleed. I would hazard a guess that you're right, though, and thanks for the advance warning on this.
I will be keeping an eye out for suspicious e-mails.
 

PupSpaz (Est. Contributor, Diaper Lover, Little):
I'll concur that the dry247 website was / is breached. I've had the same spam (although it was weeks ago), both for the PayPal and dry247-specific email addresses. On the bright side, they won't have credit card numbers, since PayPal holds that data.
 