Talk Morgan Forums Community The Malvern Arms Email account security breach

Maybe one of our resident computer experts can help with this.

One of the email accounts of one of our domains has been apparently hacked. It does not necessarily mean that the server has been hacked as it appears to affect only one account but it may mean that one of the devices (MacBook or recent and updated Android phone) has a virus, or that there has been an intercept of log-in details between the device and the server.

We got to know about it because of two gmail bounces with the following message:

[quote]This is the mail system at host relay.mailchannels.net.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<xxxxxxxxxx@gmail.com>: host gmail-smtp-in.l.google.com[74.125.195.26] said:
550 5.2.1 [ERN] Recipient is receiving email too quickly. (in reply to RCPT
TO command)
[/quote
(<xxxxxxxxxx@gmail.com> - the real gmail address I removed)

In both cases the bounced emails had a spoofed email address that was our email address but the origin of the bounced emails was from an IP in Vietnam and another in Iran.

The message that was attached contained one line and a a signature line that was a persons name that was also the subject of the email. It is that one line that is the real worry because it contained the smtp server, username, email address and the real password. The line is as below (with modified details) and, needless to say, the password has now been changed and before the new password is implemented in the devices a virus scan will be run.



If anyone has come across this before and has any information I would be pleased to know about it.

I would be interested to know how this happens too.... My address book is held by Google, my personal email is a Yahoo address. I am often (apparently) sending out spoof emails from Yahoo - despite the mail account not being hacked or my Google account being hacked.

Peter it may be that they did not get access to the email but simply mined your contacts list, have you looked at this ?

If it does not appear to have actually come out of your system through your SMTP servers then this is also possible. Someone mine your contacts and then uses the email ID to send them out from a totally different dummy account to your contact list, masked address so it looks like you. This is a common phishing attack.

I would start by looking at what applications have access to contacts on the phone and laptop. The usual range of nasties like Farcebook try and copy your contacts up to “make life easier” and then if they have a breach the list can be stolen from them. This list is then sold on and used for phishing.

Not much you can do once it is out there but I am guessing you probably are aware of this with your experience ?

It doesn't sound like you were hacked. The scumbag is just pretending to be from your operation. Sort of like writing someone else's return address ona letter. Very hard to track down the culprit, but not really a problem for you.

Edwin and Alistair. Thanks for the response but the problem is that the email password that was in the bounced mail was the real one. I have checked to see if the email and password is listed on HPI Identity Leak Checker and https://haveibeenpwned.com/.I am familiar with spoofed email addresses but I am not sure whether or not they actually used our server to send the mail but without a doubt the contents of the mail would have given the receiver access to the email account.

The system has been scanned for viruses and I am waiting for a second scan to complete. The first scan with Dr. Antivirus (Mac) came up with what was probably a couple of false positives for a Windows Trojan.

The next step will be to see if any sites have been accessed with the same password. We have changed it for the email account.

Was made aware today by several of my email recipients that they had received an email from me with a "link" to open, how worried should I be ?
Should I take any action.
It's my private address hotmail not used for business corresponding.

I'm going to be arrested immediately by the police for tax fraud. See you in 10 years!

Looking forward to reading the inside story, Barlinnie ?

Probably Pe'erheed. Don't fancy the Bar L.

Don't worry I'll pay for a top lawyer for you.

Seems I've just received £2 million in bitcoins.