"DirectAdmin Client Message" Email - Scam/Real?

Sounds like the JBMC database was hacked...
And they timed it pretty well since DA released a new version today...
 
@ DA staff - there are 3 or 4 threads now about this out there.. on the forum.. have a look.
 
I received an email addressed to my real full name, that says:
Dear [MY NAME],

Please note that currently there is a security vulnerability concerning the current
DirectAdmin version, in order to learn how to protect your server until we can issue
a patch please visit http://www.austinfosec.com.au/update.php


Thank you,
DirectAdmin.com

However, clicking on the above link takes me to a redirection page which triggers my anti-virus. Certainly looks very suspicious, except the email headers look legitimate:

From - Wed May 25 17:50:00 2011
X-Account-Key: account4
X-UIDL: 00004f19497545f3
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <[email protected]>
Envelope-to: [MY-EMAIL]
Delivery-date: Wed, 25 May 2011 17:49:43 -0300
Received: from mail by [MY DOMAIN] with spam-scanned (Exim 4.67)
(envelope-from <[email protected]>)
id 1QPL1Q-0007Ne-He
for [MY EMAIL]; Wed, 25 May 2011 17:49:43 -0300
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on [MY DOMAIN]
X-Spam-Level:
X-Spam-Status: No, score=-0.0 required=10.0 tests=BAYES_20,SPF_HELO_PASS,
SPF_PASS autolearn=ham version=3.3.1
Received: from jbmc-software.com ([216.194.67.119])
by [MY DOMAIN] with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.67)
(envelope-from <[email protected]>)
id 1QPL1P-0007Nb-WF
for [MY-EMAIL]; Wed, 25 May 2011 17:49:40 -0300
Received: from apache by jbmc-software.com with local (Exim 4.76)
(envelope-from <[email protected]>)
id 1QPL2Z-0003Kv-V6
for [MY-EMAIL]; Wed, 25 May 2011 14:50:51 -0600
To: [MY-EMAIL]
Subject: DirectAdmin Client Message
From: DirectAdmin <[email protected]>
Message-Id: <[email protected]>
Date: Wed, 25 May 2011 14:50:51 -0600

Is this a spoof (that somehow has my real full name, which I never give out) - or a poorly crafted real message?
 
Come on guys! READ! There are now like 8 threads about this in the last ten minutes!
 
I received one as well.

Judging by the headers, this came from apache on jbmc-software.com and doesn't appear to be spoofed.

Edit: header:
Received: from jbmc-software.com ([216.194.67.119])
by <redacted> with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.73)
(envelope-from <[email protected]>)
id 1QPL3Q-0001rq-Pf
for <redacted>; Wed, 25 May 2011 16:51:44 -0400
Received: from apache by jbmc-software.com with local (Exim 4.76)
(envelope-from <[email protected]>)
id 1QPL4U-0005MK-Mp
for <redacted>; Wed, 25 May 2011 14:52:50 -0600
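The reasoning in the post above (read the Received: chain from the bottom up and see which host actually connected to your own mail server) can be done mechanically. The following is an added example, not code from the original thread or from JBMC/DirectAdmin. It parses a constructed message whose hop structure copies the posted headers: jbmc-software.com and 216.194.67.119 are taken from the thread, while mx.recipient.example, the addresses and the message ids are placeholders. Hops written by your own MX are trusted; everything below them was written by the sending side and is only a claim.

```python
"""Trace where an e-mail entered the mail path from its Received: headers.
Added example for the thread above; not the project's own code."""
import email
import re

# Constructed sample modelled on the headers posted in the thread.
# Real values from the thread: jbmc-software.com, 216.194.67.119.
# Placeholders: mx.recipient.example, sender.example, victim address, ids.
SAMPLE_MESSAGE = """\
Return-path: <sender@sender.example>
Received: from mail by mx.recipient.example with spam-scanned (Exim 4.72)
\t(envelope-from <sender@sender.example>)
\tid 000000-000000-00
\tfor victim@recipient.example; Wed, 25 May 2011 16:53:54 -0400
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS,
\tSPF_PASS autolearn=ham version=3.3.1
Received: from jbmc-software.com ([216.194.67.119])
\tby mx.recipient.example with esmtps (TLSv1:AES256-SHA:256)
\t(Exim 4.72)
\t(envelope-from <sender@sender.example>)
\tid 000000-000000-01
\tfor victim@recipient.example; Wed, 25 May 2011 16:53:52 -0400
Received: from apache by jbmc-software.com with local (Exim 4.76)
\t(envelope-from <sender@sender.example>)
\tid 000000-000000-02
\tfor victim@recipient.example; Wed, 25 May 2011 14:54:57 -0600
From: DirectAdmin <sender@sender.example>
Subject: DirectAdmin Client Message

Dear [NAME], please visit hxxp://placeholder.example/update.php
"""

# Exim-style "Received: from <peer> (<info>) by <host> with <proto> ..."
HOP_RE = re.compile(
    r"^from\s+(?P<peer>\S+)"          # name the peer announced, or a local process
    r"(?:\s+\((?P<info>[^)]*)\))?"    # "(host [ip])" recorded by the receiving MTA
    r"\s+by\s+(?P<by>\S+)"            # the MTA that wrote this header
    r"(?:\s+with\s+(?P<with>\S+))?"   # transport: esmtps, local, spam-scanned ...
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw_message):
    """Return the Received: hops in chronological order (oldest first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())           # unfold continuation lines
        m = HOP_RE.match(flat)
        if not m:
            continue                             # unknown format: skip, don't guess
        ip = IP_RE.search(m.group("info") or "")
        hops.append({
            "peer": m.group("peer"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "with": m.group("with"),
            "date": flat.rsplit(";", 1)[1].strip() if ";" in flat else None,
        })
    return hops


def spam_tests(raw_message):
    """Set of SpamAssassin test names from X-Spam-Status (folded list tolerated)."""
    msg = email.message_from_string(raw_message)
    status = " ".join((msg.get("X-Spam-Status") or "").split())
    m = re.search(r"tests=(.*?)(?:\s+\w+=|$)", status)
    return set(t for t in re.split(r"[,\s]+", m.group(1)) if t) if m else set()


def trace_origin(raw_message, trusted_hosts):
    """Separate what the recipient can verify from what the sender side claims."""
    hops = parse_hops(raw_message)
    idx = next((i for i, h in enumerate(hops) if h["by"] in trusted_hosts), None)
    summary = {"spf_pass": "SPF_PASS" in spam_tests(raw_message)}
    if idx is None:                              # nothing written by a host we trust
        summary.update(entry_peer=None, entry_ip=None, entry_with=None,
                       claimed_origin=None, claimed_host=None, chain_consistent=None)
        return summary
    entry, claimed = hops[idx], hops[:idx]
    summary.update(
        entry_peer=entry["peer"], entry_ip=entry["ip"], entry_with=entry["with"],
        claimed_origin=claimed[0]["peer"] if claimed else None,
        claimed_host=claimed[0]["by"] if claimed else None,
        # the last sender-side hop must hand off to the host that then connected to us
        chain_consistent=(not claimed) or claimed[-1]["by"] == entry["peer"],
    )
    return summary


def verdict(summary):
    if summary["entry_peer"] is None:
        return "no hop written by a trusted host; origin unknown"
    if not (summary["spf_pass"] and summary["chain_consistent"]):
        return "sender-side claims do not line up; treat as forged"
    return ("entered from %s (%s); the sending host itself is implicated, "
            "not a spoofed header" % (summary["entry_peer"], summary["entry_ip"]))


if __name__ == "__main__":
    s = trace_origin(SAMPLE_MESSAGE, {"mx.recipient.example"})
    for k, v in s.items():
        print("%-17s %s" % (k, v))
    print(verdict(s))
```

For the sample this reports an entry peer of jbmc-software.com at 216.194.67.119 over esmtps, with a consistent local hop ("from apache by jbmc-software.com with local") beneath it, which is exactly why the poster concluded the mail was not spoofed. Two caveats: only the hop written by your own MX is trustworthy, since anything below it is text the sender's server chose to write; and SPF_PASS shows the connecting host is permitted to send for the envelope domain, which a compromised or abused legitimate server satisfies just as well as the real owner.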
 
Got several also... this is looking pretty bad. With my client details exactly as we are registered with DirectAdmin...
 
I think we can assume the DA customer database has been compromised.
Any information about credit card data? If I'm not mistaken, the name included in my e-mail is the one for my credit card.
 
Here's an interesting one. Just got a spam email from someone claiming to be DA. Message source is below:

Code:
Return-path: <[email protected]>
Envelope-to: [my email address]
Delivery-date: Wed, 25 May 2011 16:53:54 -0400
Received: from mail by illusion.bluespidernetwork.co.uk with spam-scanned (Exim 4.72)
	(envelope-from <[email protected]>)
	id 1QPL5U-0004Jk-GI
	for [my email address]; Wed, 25 May 2011 16:53:54 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	illusion.bluespidernetwork.co.uk
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS,
	SPF_PASS autolearn=ham version=3.3.1
Received: from jbmc-software.com ([216.194.67.119])
	by illusion.bluespidernetwork.co.uk with esmtps (TLSv1:AES256-SHA:256)
	(Exim 4.72)
	(envelope-from <[email protected]>)
	id 1QPL5U-0004Jg-Bt
	for [my email address]; Wed, 25 May 2011 16:53:52 -0400
Received: from apache by jbmc-software.com with local (Exim 4.76)
	(envelope-from <[email protected]>)
	id 1QPL6X-00076l-Sf
	for [my email address]; Wed, 25 May 2011 14:54:57 -0600
To: [my email address]
Subject: DirectAdmin Client Message
From: DirectAdmin <[email protected]>
Message-Id: <[email protected]>
Date: Wed, 25 May 2011 14:54:57 -0600
X-Antivirus-Scanner: Clean mail, though you should still use an Antivirus scanner

Dear Dan  Jones,

Please note that currently there is a security vulnerability concerning the current
DirectAdmin version, in order to learn how to protect your server until we can issue
a patch please visit http www austinfosec com au update.php


Thank you,	
DirectAdmin.com

(URL manipulated to prevent search engine spiders picking it up).
The source code to that site has an iframe which directs somewhere else. The code to THAT site has some "encrypted" javascript that runs on load. I can only assume this attempts to do something malicious. Probably doesn't work in Firefox/Linux anyway.

Just making anyone at JBMC aware of this, and any other DA admins that come across this message. What's more interesting is that it has my full and correct name.

Same message as the other thread..

Come on guys! READ! There are now like 8 threads about this in the last ten minutes!
 
I received the same e-mail message
Received: from mail by server.advancednet.pl with spam-scanned (Exim 4.75)
(envelope-from <[email protected]>)
id 1QPL9r-0003Aa-Ng
for [email protected]; Wed, 25 May 2011 22:58:23 +0200
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
server.advancednet.pl
X-Spam-Level:
X-Spam-Status: No, score=-95.9 required=7.5 tests=AWL,DNS_FROM_OPENWHOIS,
SPF_HELO_PASS,SPF_PASS,USER_IN_WHITELIST autolearn=no version=3.2.5
Received: from jbmc-software.com ([216.194.67.119])
by server.advancednet.pl with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.75)
(envelope-from <[email protected]>)
id 1QPL9r-0003AV-Fe
for [email protected]; Wed, 25 May 2011 22:58:23 +0200
Received: from apache by jbmc-software.com with local (Exim 4.76)
(envelope-from <[email protected]>)
id 1QPLAw-0001Ut-1c
for [email protected]; Wed, 25 May 2011 14:59:30 -0600
To: [email protected]
Subject: Your login details for DirectAdmin Forums
From: "DirectAdmin Forums" <[email protected]>
Auto-Submitted: auto-generated
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Date: Wed, 25 May 2011 14:59:30 -0600
 
I got the same scam email.
And from the email headers it looks like it was sent from the DA server.

Need to wait for John's reply about these emails and how the scammers got personal data.


Return-path: <[email protected]>
Envelope-to: my@email
Delivery-date: Wed, 25 May 2011 23:52:32 +0300
Received: from jbmc-software.com ([216.194.67.119])
by my.provider.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
(Exim 4.74)
(envelope-from <[email protected]>)
id 1QPL4A-0000wj-J2
for my@email; Wed, 25 May 2011 23:52:32 +0300
Received: from apache by jbmc-software.com with local (Exim 4.76)
(envelope-from <[email protected]>)
id 1QPL5C-0005ws-Se
for my@email; Wed, 25 May 2011 14:53:34 -0600
To: my@email
Subject: DirectAdmin Client Message
From: DirectAdmin <[email protected]>
Message-Id: <[email protected]>
Date: Wed, 25 May 2011 14:53:34 -0600
X-Sender-IP-app-auth: 216.194.67.119
 
Just got this too... So where is this coming from... how did they get a list of DA hosts including my full name (including middle initial!)?
 
I received the email too ..

I received the email too, it had my full name. I checked the source before I clicked on the link (view source) -> jbmc-software.com (216.194.67.119)

Did you guys click on the link? I have ZoneAlarm as an antivirus and firewall; hope I did not get some virus.
 
I think we can assume the DA customer database has been compromised.
Any information about credit card data? If I'm not mistaken, the name included in my e-mail is the one for my credit card.

I don't think JBMC touches credit card data -- all transactions I've done have required entering CC info on a gateway website.
 