Talk Morgan
Posted By: Gambalunga Email account security breach - 04/12/19 09:16 AM
Maybe one of our resident computer experts can help with this.

One of the email accounts of one of our domains has been apparently hacked. It does not necessarily mean that the server has been hacked as it appears to affect only one account but it may mean that one of the devices (MacBook or recent and updated Android phone) has a virus, or that there has been an intercept of log-in details between the device and the server.

We got to know about it because of two gmail bounces with the following message:

[quote]This is the mail system at host relay.mailchannels.net.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<xxxxxxxxxx@gmail.com>: host gmail-smtp-in.l.google.com[74.125.195.26] said:
550 5.2.1 [ERN] Recipient is receiving email too quickly. (in reply to RCPT
TO command)
[/quote]
(<xxxxxxxxxx@gmail.com> - the real gmail address I removed)

In both cases the bounced emails had a spoofed email address that was our email address but the origin of the bounced emails was from an IP in Vietnam and another in Iran.

The message that was attached contained one line and a signature line that was a person's name that was also the subject of the email. It is that one line that is the real worry because it contained the smtp server, username, email address and the real password. The line is as below (with modified details) and, needless to say, the password has now been changed and before the new password is implemented in the devices a virus scan will be run.

Code
UNIQ:smtp://name@namedomain.it|smtp.namedomain.it:465|name@namedomain.it|password


If anyone has come across this before and has any information I would be pleased to know about it.
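
Added example, not part of the original post: a Python sketch that walks a bounce like the one described above, finds lines in the quoted `UNIQ:smtp://...` layout, and reports which account and server they name with the password redacted, so the finding can be logged or passed to the mail host. The field layout is inferred from the single line in the post, and the sample bounce and the name `find_leaked_credentials` are constructed for illustration.

```python
import re
from email import message_from_string

# Layout inferred from the one line quoted in the post (an assumption):
# UNIQ:smtp://<login>|<host>:<port>|<address>|<password>
CRED_LINE = re.compile(
    r"^UNIQ:smtp://(?P<login>[^|\s]+)\|(?P<host>[^|:\s]+):(?P<port>\d+)"
    r"\|(?P<address>[^|\s]+)\|(?P<password>.+)$"
)

def find_leaked_credentials(raw_message):
    """Return one dict per credential line in any text part, password redacted."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue  # skips multipart containers and the message/rfc822 wrapper
        body = part.get_payload(decode=True)
        text = body.decode(part.get_content_charset() or "utf-8", "replace")
        for line in text.splitlines():
            m = CRED_LINE.match(line.strip())
            if m:
                hit = m.groupdict()
                hit["password"] = "<redacted>"  # never copy the secret into notes
                hits.append(hit)
    return hits

# Constructed sample: a bounce whose returned message carries the line from the post.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@relay.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

550 5.2.1 [ERN] Recipient is receiving email too quickly.

--b1
Content-Type: message/rfc822

From: name@namedomain.it
Subject: Some Name

UNIQ:smtp://name@namedomain.it|smtp.namedomain.it:465|name@namedomain.it|password
Some Name

--b1--
"""
```

Every account that shows up in the result needs its password rotated, along with any other site where the same password was used.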
Posted By: Neilda Re: Email account security breach - 04/12/19 09:22 AM
I would be interested to know how this happens too.... My address book is held by Google, my personal email is a Yahoo address. I am often (apparently) sending out spoof emails from Yahoo - despite the mail account not being hacked or my Google account being hacked.
Posted By: Alistair Re: Email account security breach - 04/12/19 11:06 AM
Peter it may be that they did not get access to the email but simply mined your contacts list, have you looked at this ?

If it does not appear to have actually come out of your system through your SMTP servers then this is also possible. Someone mines your contacts and then uses the email ID to send them out from a totally different dummy account to your contact list, masked address so it looks like you. This is a common phishing attack.

I would start by looking at what applications have access to contacts on the phone and laptop. The usual range of nasties like Farcebook try and copy your contacts up to “make life easier” and then if they have a breach the list can be stolen from them. This list is then sold on and used for phishing.

Not much you can do once it is out there but I am guessing you probably are aware of this with your experience ?
Posted By: Edwin Re: Email account security breach - 04/12/19 11:41 AM
It doesn't sound like you were hacked. The scumbag is just pretending to be from your operation. Sort of like writing someone else's return address on a letter. Very hard to track down the culprit, but not really a problem for you.
Posted By: Gambalunga Re: Email account security breach - 04/12/19 03:17 PM
Edwin and Alistair. Thanks for the response but the problem is that the email password that was in the bounced mail was the real one. I have checked to see if the email and password is listed on HPI Identity Leak Checker and https://haveibeenpwned.com/. I am familiar with spoofed email addresses but I am not sure whether or not they actually used our server to send the mail but without a doubt the contents of the mail would have given the receiver access to the email account.

The system has been scanned for viruses and I am waiting for a second scan to complete. The first scan with Dr. Antivirus (Mac) came up with what was probably a couple of false positives for a Windows Trojan.

The next step will be to see if any sites have been accessed with the same password. We have changed it for the email account.
Posted By: Dean-Royal Re: Email account security breach - 06/04/21 09:23 PM
Originally Posted by Alistair
Peter it may be that they did not get access to the email but simply mined your contacts list, have you looked at this ?

If it does not appear to have actually come out of your system through your SMTP servers then this is also possible. Someone mines your contacts and then uses the email ID to send them out from a totally different dummy account to your contact list, masked address so it looks like you. This is a common phishing attack.

I would start by looking at what applications have access to contacts on the phone and laptop. The usual range of nasties like Farcebook try and copy your contacts up to “make life easier” and then if they have a breach the list can be stolen from them. This list is then sold on and used for phishing.

Not much you can do once it is out there but I am guessing you probably are aware of this with your experience ?



Was made aware today by several of my email recipients that they had received an email from me with a "link" to open, how worried should I be ?
Should I take any action.
It's my private address hotmail not used for business corresponding.
Posted By: BobtheTrain Re: Email account security breach - 06/04/21 09:47 PM
I'm going to be arrested immediately by the police for tax fraud. See you in 10 years!
Posted By: +8Rich Re: Email account security breach - 06/04/21 09:52 PM
Looking forward to reading the inside story, Barlinnie ?
Posted By: BobtheTrain Re: Email account security breach - 06/04/21 10:20 PM
Probably Pe'erheed. Don't fancy the Bar L.
Posted By: mph Re: Email account security breach - 07/04/21 05:44 AM
Originally Posted by BobtheTrain
I'm going to be arrested immediately by the police for tax fraud. See you in 10 years!


Don't worry I'll pay for a top lawyer for you.

Seems I've just received £2 million in bitcoins.
Posted By: BobtheTrain Re: Email account security breach - 07/04/21 07:50 AM
That's a relief!
Posted By: Alistair Re: Email account security breach - 07/04/21 08:01 AM
It is likely that your addresses were harvested. If this is the case do nothing, I get about 10 of these a day from various people I know.

Check if it looks like this from the recipients view point?

1. Email arrives showing your name (someone else's list was harvested with your name in the contacts so you are getting it)
2. It has a general title and just a single link in it.
3. If you hover over the email FROM name or inspect it then it is not actually from your email account but some other junk account being used with your name like a mail merge. This is designed to catch the less technical or rushed into clicking it as they think it is from you.
4. The link is also a cover for another URL which can be seen by hovering over it for a moment. You can check this as well if you like, sometimes you might find out which breach provided your details.

If you want to check the underlying email that actually sent it then hit reply-to so it shows the email address and put it into google and it will show you where else this has been used.

I hope I don't have to say "DON'T CLICK THE LINK" although I have never done so and as a result don't know where it goes! TRAIN ALL OF YOUR STAFF AT YOUR COMPANY ON THIS. It is how ransomware gets in. Microsoft backup to OneDrive on office365 does not solve this. Best product I have seen for this to date is Sentinel ONE which has a rollback capability but this is a business type product to be used in conjunction with Microsoft Defender/EndPointManager.

1. This is not from your email account but has been masked to look like it is to go phishing. People less technically savvy or in a rush are meant to see your name, feel it is trustworthy and so click the link without thinking. It is not from your account in nearly every case if the above are true.
2. You can send an email to your friends saying that your account has not been hacked but one of the services you share your contacts with probably has so you are sorry on their behalf and to ignore all the links like (insert screen capture of example email) this. Unfortunately you have no way of stopping them, it is a big interweb spam thing.
3. Sign up with one of the monitoring sites like https://haveibeenpwned.com/ and it will show you where a breach has led to you being grifted. Look at the list and then compare it to the various sites and mobile apps which you have given access to your contacts to.
4. Change the password on the hotmail account now anyway, it won't hurt.
5. See 4 - now
6. I said see 4 - NOW.
7. Have a look on your phone and see what applications you have granted access to contacts and consider if they really need them. Chances are that one of them (Yes FarceBook I am looking at you) has been granted access, it has then sync'd them with FB-HQ cloud service so you "can use them across all your devices" and "mined for revenue purposes" this was breached several times and they do not give a damn.
8. Treat as one of those things that happen on the Interweb and don't get stressed.

It can lead to a couple of thoughts.
1. Is my antivirus/phishing software up to date. Buy a modern one with phishing protection.
2. Does my business have insurance against a ransomware infestation or viral attack and its impact on my ability to do business.
3. When did I last take a backup

But the most important thought.

Is that old pencil in the drawer still sharp, do I have some paper to write on and what's this pile of technical crap worth on eBay if I flog it?

If it has come from your actual email account then panic and inform the bank instantly. Then PM me.
Posted By: Dean-Royal Re: Email account security breach - 07/04/21 08:11 AM
Top Dog Alistair, you're much better with Computers than Morgan's l.o.l
Posted By: Neilda Re: Email account security breach - 07/04/21 08:20 PM
In other news, I have recently heard that I am going to have eleven billionty dollars transferred to me from Nigeria.

Can't wait!