PSA: change your fedex.com account logins

I received a credit card scam addressed to my one-off unique address registered to fedex.com.

So it seems the fedex.com user database has been compromised. Change your logins asap.

-Dan

Possibly. The other possibility I can think of is that you succumbed to a phishing scheme where you entered the login information for your FedEx account.

Phishing scheme didn't happen.

fedex has had a number of major compromises so it's not a stretch that their user database was stolen and sold to spammers.

-Dan

Dan Hollis wrote:

> Phishing scheme didn't happen.
>
> fedex has had a number of major compromises so it's not a stretch that
> their user database was stolen and sold to spammers.

The other possibility is that your one-off email scheme is predictable, and someone knows you use FedEx, and that someone is targeting specifically you, and this obvious phishing email is a red herring for the exploit you didn’t see.

Be concerned.

– S.C.

Oh for fucks sake.

Really?

You two are questioning someone who subscribes to Nanog over Fedex?
You really think it's more likely that someone is targeting Dan Hollis
(whoever he is) instead of Fedex leaving something else exposed?

Is it possible, yes. I’ve seen it several times now at my place of work. Targeted attacks are a thing.

Date: Friday, May 31, 2019 08:04:13 -0400
From: Jason Kuehl <jason.w.kuehl@gmail.com>

> Is it possible, yes. I've seen it several times now at my place of
> work. Targeted attacks are a thing.
>
> > Dan Hollis wrote:
> >
> > Phishing scheme didn't happen.
> >
> > fedex has had a number of major compromises so it's not a
> > stretch that their user database was stolen and sold to spammers.

When I have looked into this type of issue for my unique addressing
some did trace back to back-end db hacks (e.g., adobe), but I found
that the most likely culprit was the 3rd-party bulk mailer that
handled the organization's marketing mail. It could be a non-zeroed
disk thrown into the trash or an inside job, but it almost always
traced back to one or two bulk mailing companies.

The most common issue for quite a while was malware on the Windows
desktops of employees with access to the company's ESP account.

The web browser saves the username and password to autofill the ESP's
web interface in a very predictable place. Malware exfiltrates that. Bad
guys compromise the ESP account, download all the lists they can find
(and then start spamming on the company's dime).

That's why ESPs pushed quite so hard to get multifactor authentication
of some sort adopted by their customers. But a lot of them didn't do
that (partly, I suspect, because the ESP account was accessed by
multiple employees) and even if they did that didn't stop the lists
that had already been downloaded.

Actual compromises of the ESP, or bad behaviour of its employees,
seem to be rather rare, but customer account compromise is
everywhere.

Cheers,
  Steve

FYI, I've been running numerous experiments in this area for many years
using unique non-guessable non-typo'able addresses. Explaining the
results in full would take many pages, so let me summarize: 3rd party
bulk mailers leak like sieves. "How?" remains an open question: could be
that they're selling, could be that they have security issues, could be
that insiders are selling on their own, could be any number of things:
it's really not possible to say. But they are unquestionably leaking.
This is hardly surprising: many of them are spammers-for-hire, many of
them use invasive tracking/spyware, and none of them actually care in
the slightest about privacy or security -- after all, it's not *their*
data, why should they?

Which are some of the many reasons that outsourcing your mailing lists
is a terrible idea, doubly so when it's quite easy to run your own with
Mailman (or equivalent).

---rsk

* rsk@gsp.org (Rich Kulawiec) [Fri 31 May 2019, 16:18 CEST]:
[...]
> This is hardly surprising: many of them are spammers-for-hire, many of
> them use invasive tracking/spyware, and none of them actually care in
> the slightest about privacy or security -- after all, it's not *their*
> data, why should they?

Which is why we now have GDPR. Care, or get fined.

> Which are some of the many reasons that outsourcing your mailing lists
> is a terrible idea, doubly so when it's quite easy to run your own with
> Mailman (or equivalent).

Unfortunately it's not that easy; the few large remaining mail hosters at best have opaque procedures when it comes to accepting mail.

  -- Niels.

The one-off email scheme is not predictable. It is a randomly generated string of characters.

$ ./randgen
jvtMDluV0lwnlY5O

So you can totally eliminate that possibility entirely.

-Dan

Not quite so simple, though, is it. If you want to make a complaint then you have to get your EU national data protection regulator interested. Even the worst-leaking ESPs are unlikely to generate many complaints, I suspect. And if they are located outside the EU with no direct business presence within the EU then it requires the regulator to make approaches to foreign governments who might or might not be willing to cooperate.

In the UK the data protection regulator is the ICO and, whilst it is perhaps one of the better UK regulatory agencies, I still wouldn’t hold out much hope of getting them to do anything like this (where multiple levels of evidence would need to be collected) in individual cases. Sadly so, but I think that if you have a decent and consistent volume (and follow all the usual good hygiene requirements) then it should be possible to get on their automated radar in a positive way. It seems to me that it’s small volume senders who have the real deliverability problems.

You’d be surprised how often nation-states use essentially phishing scams.

What seems to help in individual cases is to reply to real but otherwise
unwanted mails and remind the sender of GDPR violation. I got several
sources to stop sending me such mails. When using a templated answer, it
takes 5 seconds to do so.

Also, the correspondence may come handy later, should evidence need to
be presented.

Robert