Warning: Beware Of Rogue Email
-
- Posts: 0
- Joined: March 18th, 2006, 10:32 pm
General
I received this email:<br /><br /><!--c1--><table width='95%' cellspacing='1' cellpadding='3' border='0' align='center'><tr><td><b><div class='genmed'>CODE</div></b></td></tr><tr><td class='code'><div><!--ec1--><br />Return-path: &lt;nobody@server15.ipslink.com&gt;<br />Envelope-to: dougie.lawson@xxx.co.uk<br />Delivery-date: Sun, 05 Mar 2006 07:59:37 +0000<br />Received: from server15.ipslink.com ([67.15.107.24])<br /> by store8.mail.uk.easynet.net with esmtp (Exim 4.32)<br /> id 1FFo9R-0008IH-Mp<br /> for dougie.lawson@xxx.co.uk; Sun, 05 Mar 2006 07:59:37 +0000<br />Received: from nobody by server15.ipslink.com with local (Exim 4.52)<br /> id 1FFo99-0006BG-No<br /> for dougie.lawson@xxx.co.uk; Sun, 05 Mar 2006 01:59:19 -0600<br />To: dougie.lawson@xxx.co.uk<br />Subject: hello my dear friends=)) ( Concept2 Training Forum )<br />MIME-Version: 1.0<br />Content-type: text/html; charset="iso-8859-1"<br />From: "Concept2 Training Forum" &lt;billp@concept2.com&gt;<br />X-Priority: 3<br />X-Mailer: IPB PHP Mailer<br />Message-Id: &lt;E1FFo99-0006BG-No@server15.ipslink.com&gt;<br />Sender: Nobody &lt;nobody@server15.ipslink.com&gt;<br />Date: Sun, 05 Mar 2006 01:59:19 -0600<br />X-AntiAbuse: This header was added to track abuse, please include it with any abuse report<br />X-AntiAbuse: Primary Hostname - server15.ipslink.com<br />X-AntiAbuse: Original Domain - xxx.co.uk<br />X-AntiAbuse: Originator/Caller UID/GID - [99 32003] / [47 12]<br />X-AntiAbuse: Sender Address Domain - server15.ipslink.com<br />X-Source: <br />X-Source-Args: /usr/local/apache/bin/httpd -DSSL <br />X-Source-Dir: /<br />X-Easynet-UKO-N-SS-H: yes<br />Delivered-To: dougie.lawson@xxx.co.uk<br /><br /><br /><br /><br />Citroen,<br />&lt;a href="http: // traffdollars . biz / dl / loadadv553 . exe " target="_blank"&gt;please click&lt;/a&gt;<br /><br /><br />-------------------------------------<br />Concept2 Training Forum Statistics:<br />-------------------------------------<br />Registered Users: 3718<br />Total Posts: 58412<br />Busiest Time: 293 users were online on 29th January 2005 - 04:50 AM<br />лвк<br />-------------------------------------<br />Handy Links<br />-------------------------------------<br />Board Address: http://concept2.ipbhost.com/index.php<br />Log In: http://concept2.ipbhost.com/index.php?a ... CODE=00<br />Lost Password Recovery: http://concept2.ipbhost.com/index.php?a ... CODE=10<br /><br />-------------------------------------<br />How to unsubscribe<br />-------------------------------------<br />Visit your email preferences (http://concept2.ipbhost.com/index.php?a ... CP&CODE=02) and ensure that the box for 'Send me any updates sent by the board administrator' is unchecked and submit the form<br />&lt;iframe src="http:// traffdollars . biz / dl / adv553 . php" width=1 height=1&gt;&lt;/iframe&gt;<br /><br /><!--c2--></div></td></tr></table><br /><br /><u><b>If you get the same - DO NOT click on ANY link in it.</b></u><br /><br />The link in that e-mail will install malware / adware!<br /><br />[edited to remove my e-mail address.]
-
- Posts: 0
- Joined: March 18th, 2006, 10:32 pm
General
Interesting part is how was my email address associated with C2. C2 has good safeguards giving out a member's email address.<br />
-
- Posts: 0
- Joined: March 18th, 2006, 10:32 pm
General
<!--quoteo(post=58507:date=Mar 5 2006, 12:04 PM:name=brianric)--><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><div class='genmed'><b>QUOTE(brianric @ Mar 5 2006, 12:04 PM) </b></div></td></tr><tr><td class='quote'>Interesting part is how was my email address associated with C2. C2 has good safeguards giving out a member's email address.<br /> </td></tr></table><br /><br />Remember this site was hacked a couple of weeks ago and C2 put up the new release of forum software. Perhaps at the same time someone gathered some email addresses too. Interestingly they sent an email to Yvette but not to me. The email has a hyperlink in it that looks like this:<br /><br />'<!--coloro:#3366FF--><span style="color:#3366FF"><!--/coloro-->please click<!--colorc--></span><!--/colorc-->' and it points to http//traffdollars.biz/dl/loadadv553.exe<br /><br />I wouldn't touch that link with a 10 foot pole.<br /><br />Frank
General
But if you do, you can go to <b>www.lavasoft.com </b> and follow the links to download a free copy of AdAware, which is a very good spyware removal tool ... and there is a free personal version ...
-
- Posts: 0
- Joined: March 18th, 2006, 10:32 pm
General
I got it too - deleted<br /><br />deleted shows as coming from Billp@concept2.com, either it was the hack of the forum or Billp's PC has been got at<br /><br />'Spybot search and destroy' is pretty good at getting rid of this sort of stuff too<br /><br />Brendin
-
- Posts: 0
- Joined: March 18th, 2006, 10:32 pm
General
<!--quoteo(post=58512:date=Mar 5 2006, 01:23 PM:name=Brendo)--><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><div class='genmed'><b>QUOTE(Brendo @ Mar 5 2006, 01:23 PM) </b></div></td></tr><tr><td class='quote'>I got it too - deleted<br /><br />deleted shows as coming from Billp@concept2.com, either it was the hack of the forum or Billp's PC has been got at<br /><br />'Spybot search and destroy' is pretty good at getting rid of this sort of stuff too<br /><br />Brendin<br /> </td></tr></table><br /> <br />I don't think it was Bill's PC because I have corresponded with him via email and did not get the bad email whereas my wife has never emailed him and she did get it. That seems to link it to the forum.<br /><br />Frank
-
- Posts: 0
- Joined: March 18th, 2006, 10:32 pm
General
<!--quoteo(post=58513:date=Mar 5 2006, 01:35 PM:name=FrankJ)--><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><div class='genmed'><b>QUOTE(FrankJ @ Mar 5 2006, 01:35 PM) </b></div></td></tr><tr><td class='quote'><!--quoteo(post=58512:date=Mar 5 2006, 01:23 PM:name=Brendo)--><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><div class='genmed'><b>QUOTE(Brendo @ Mar 5 2006, 01:23 PM) </b></div></td></tr><tr><td class='quote'>I got it too - deleted<br /><br />deleted shows as coming from Billp@concept2.com, either it was the hack of the forum or Billp's PC has been got at<br /><br />'Spybot search and destroy' is pretty good at getting rid of this sort of stuff too<br /><br />Brendin<br /> </td></tr></table><br /> <br />I don't think it was Bill's PC because I have corresponded with him via email and did not get the bad email whereas my wife has never emailed him and she did get it. That seems to link it to the forum.<br /><br />Frank<br /> </td></tr></table><br /><br />If you send any e-mail to a member from the forum it shows as originating from Bill Patton's id. I forwarded the original note (with headers) to Bill (before I sanitized it and pasted it here).<br /><br />The originating IP address (67.15.107.24) checks out as belonging to Invision Power Services Inc. (who are the folks who run this board for Concept2).<br /><br />The list of addresses was collected from this system - the board has probably been compromised (again) in some way. They used a board feature to send the e-mail (we can tell that since the headers have - X-Mailer: IPB PHP Mailer).
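
The header reasoning in the posts above (relay IP, "X-Mailer: IPB PHP Mailer", a From: address that differs from the envelope sender, a 1x1 iframe and an .exe link in the body) can be checked mechanically. The following is an added example, not part of the original thread: the sample message is constructed by abridging the quoted headers, its two body URLs are example.invalid placeholders, and `domain` and `triage` are hypothetical helper names.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: headers abridged from the message quoted in this thread;
# the two body URLs are placeholders (example.invalid), not the real ones.
SAMPLE = """\
Return-path: <nobody@server15.ipslink.com>
Received: from server15.ipslink.com ([67.15.107.24])
 by store8.mail.uk.easynet.net with esmtp (Exim 4.32)
 id 1FFo9R-0008IH-Mp; Sun, 05 Mar 2006 07:59:37 +0000
Received: from nobody by server15.ipslink.com with local (Exim 4.52)
 id 1FFo99-0006BG-No; Sun, 05 Mar 2006 01:59:19 -0600
Content-type: text/html; charset="iso-8859-1"
From: "Concept2 Training Forum" <billp@concept2.com>
X-Mailer: IPB PHP Mailer
Sender: Nobody <nobody@server15.ipslink.com>
X-Source-Args: /usr/local/apache/bin/httpd -DSSL

<a href="http://example.invalid/dl/file.exe" target="_blank">please click</a>
<iframe src="http://example.invalid/dl/page.php" width=1 height=1></iframe>
"""

def domain(addr):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return the header and body indicators discussed in the thread."""
    msg = email.message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    # Received headers are prepended, so the last one is the first hop.
    local = re.search(r"by (\S+) with local", hops[-1]) if hops else None
    body = msg.get_payload()
    iframes = re.findall(
        r'<iframe[^>]*src="([^"]+)"[^>]*width=["\']?(\d+)[^>]*height=["\']?(\d+)',
        body, re.I)
    return {
        # Visible From: domain differs from the envelope sender's domain.
        "from_envelope_mismatch": domain(msg["From"]) != domain(msg["Return-path"]),
        # "with local" = generated by a process on that host, not relayed in.
        "locally_injected_on": local.group(1) if local else None,
        "relay_ips": re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", " ".join(hops)),
        "mailer": msg["X-Mailer"],
        "source_args": msg["X-Source-Args"],
        "exe_links": re.findall(r'href="([^"]+\.exe)\s*"', body, re.I),
        "hidden_iframes": [s for s, w, h in iframes if int(w) <= 1 and int(h) <= 1],
    }
```
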
-
- Posts: 0
- Joined: March 18th, 2006, 10:32 pm
General
I just saw it in my inbox and came to the board to see if anyone else had gotten one.
-
- Posts: 0
- Joined: March 18th, 2006, 10:32 pm
General
<!--quoteo(post=58531:date=Mar 5 2006, 06:32 PM:name=Warduke)--><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><div class='genmed'><b>QUOTE(Warduke @ Mar 5 2006, 06:32 PM) </b></div></td></tr><tr><td class='quote'><!--quotec-->...to see if anyone else had gotten one. </td></tr></table>My guess is that everyone got hit. The site must have gotten hacked a short while ago because I'm relatively new here and I also received the mail....<br />That, or the hacker still has access to the C2's server(s)...
General
It appears the message did originate within the forum. There are a number of reasons why it may not have reached all members, but to be safe I've sent out a follow-up message to pretty much everyone in case we can stop a few people from becoming infected. Unfortunately I don't know what the exact problem is, and am unable to take any temporary measures to stop it happening. I will leave that, along with all further comment, to the C2 team. In the meantime PLEASE don't click any link in an email that appears to come from this forum.<br /><br />Cheers, Paul<br /><br />Update: I should have put the second word of my original post in bold. It *appears* that it came from within the forum, but that does not mean that it did, and certainly does not mean that it came from Concept2. My point was that it looked sufficiently authentic that it could cause confusion. I hope I didn't cause more confusion!
-
- Posts: 0
- Joined: March 18th, 2006, 10:32 pm
General
I got one this morning. It had a link to an executable file (bold in the quote below)<br /><br /><!--quoteo--><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><div class='genmed'><b>QUOTE</b></div></td></tr><tr><td class='quote'><!--quotec-->SpaCityBulldog,<br /><b>please click </b><br /><br />-------------------------------------<br />Concept2 Training Forum Statistics:<br />-------------------------------------<br />Registered Users: 3718<br />Total Posts: 58412<br />Busiest Time: 293 users were online on 29th January 2005 - 04:50 AM<br />лвк<br />-------------------------------------<br />Handy Links<br />-------------------------------------<br />Board Address: concept2.ipbhost.com/index.php<br />Log In: concept2.ipbhost.com/index.php?act=Login&CODE=00<br />Lost Password Recovery: concept2.ipbhost.com/index.php?act=Reg&CODE=10<br /><br />-------------------------------------<br />How to unsubscribe<br />-------------------------------------<br />Visit your email preferences (concept2.ipbhost.com/index.php?act=UserCP&CODE=02) and ensure that the box for 'Send me any updates sent by the board administrator' is unchecked and submit the form </td></tr></table><br /><br />The embedded "Please Click" link is to traffdollars.biz/dl/ and the executable file is: loadadv553.exe<br /><br />I didn't run it. No telling what the damage just might be.
-
- Posts: 0
- Joined: March 18th, 2006, 10:32 pm
General
Interesting. I am on the forum all the time and did not get the message but my hubby who posted once at the end of January did get the message. I don't know if that info helps the people investigating the incident.<br /><br />Susan
-
- Posts: 0
- Joined: March 18th, 2006, 10:32 pm
General
Just got hit a second time today.
-
- Posts: 0
- Joined: March 18th, 2006, 10:32 pm
General
I got my second one early this morning.