A little something about everything

Internet marketing and website development made simple.

User Data Breach at Amazon.com today, Notice: Important Information about your Amazon.com Account

If you're wondering why you are receiving more spam than usual, this could be part of the reason.

It seems Amazon.com account email addresses were disclosed by mistake recently.

Here is the Notification:

Sender:

Amazon.com <no-reply@amazon.com>

Header Info:

Received-SPF: pass (hidden: domain of bounces.amazon.com designates 54.240.13.69 as permitted sender)
 client-ip=54.240.13.69
Received: from a13-69.smtp-out.amazonses.com ([54.240.13.69]) by hidden with
 ESMTPS (version=TLS1_2 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521); Tue, 27 Nov 2018 14:43:50 -0600

Subject:

Important Information about your Amazon.com Account

Here is the message:

Hello,

We're contacting you to let you know that our website inadvertently disclosed your email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.

Sincerely,
Customer Service
Amazon

Please note: this e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.

It appears that, ($om3o1dP@$$w0rd), is your password. You might not know me and you are most likely wondering why you're getting this e-mail, right?

I've had several clients call me with these questions: What is this? Do I have a virus? Is my account compromised? What should I do?

First off, if you are still using the password quoted in the email, go change your passwords! It's also a good idea to use separate email addresses for work, personal finance and social media sites.

What is this?

These emails are sent by scammers who have come into possession of compromised social media databases that included your email address, unencrypted or poorly encrypted passwords and other information such as your contacts.

Do I have a virus?

Perhaps, but it's not related to this email. Scan your system with a reputable antivirus scanner.

Is my account compromised?

If you are still using the same email address and password on any website, device or application, then yes: change that password immediately.

What should I do?

Don't send the scammers anything; never send them money, no matter what. Check your accounts for weak passwords and update them. Always use HTTPS and verify you are on the correct website. Don't share anything on social media that you don't want people to know; it's not secure, and at some point it very well could be used in the next database breach to try and extort money from you.

Here is the email example:

Subject Text:

somee-mail-address-you-used@social-media-site.compromised:$om3o1dP@$$w0rd

Body Text:

It appears that, ($om3o1dP@$$w0rd), is your password. You might not know me and you are most likely wondering why you're getting this e-mail, right?

In fact, I put in place a malware on the adult videos (porno) web site and you know what, you visited this website to have fun (you know very well what I mean). During the time you were watching videos, your internet browser started out functioning as a RDP (Remote Desktop) which provided accessibility to your screen and web cam. and then, my software programs obtained all of your current contacts from your Messenger, Outlook, Facebook, in addition to emails.

What did I really do?

I produced a double-screen video. First part shows the recording you're seeing (you have a good taste haha . . .), and 2nd part shows the recording of your web cam.

What exactly should you do?

Well, in my opinion, $1100 is really a fair price for your little secret. You will make the payment by Bitcoin (if you don't know this, search "how to purchase bitcoin" search engines like google).

Bitcoin Address: [some scammers bitcoin address] (It's case sensitive, so copy and paste it)

Very important:
You've one day in order to make the payment. (I've a completely unique pixel within this e mail, and at this moment I know you have read through this email message). If I do not get the BitCoins, I will certainly send your videos to all of your contacts including relatives, co-workers, and so on. Having said that, if I get the payment, I'll destroy the recording immediately. If you want evidence, reply with "Yes!" and I'll certainly send out your videos to your # contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by responding to this message.
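The questions answered above ("What is this?" and "What should I do?") and the sample message, as an added example that is not part of the original post: a PowerShell function that scores a message for the password-in-the-subject extortion pattern and reports which breached address the scammer's list came from, which is the account whose password needs changing. The indicator names, the regexes and the three-hit threshold are this example's own assumptions; the two sample messages are constructed from the texts quoted on this page.

```powershell
# Added example, not from the original post: a mail-filter style check for the
# "your password is ..." extortion pattern. Indicator names, regexes and the
# threshold of three hits are this example's own choices.

function Test-SextortionIndicators {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Subject,
        [Parameter(Mandatory)] [string] $Body
    )

    # Each indicator is checked with -match, which is case-insensitive by default.
    $indicators = @(
        @{ Name = 'SubjectIsAddressColonPassword'; Text = $Subject; Pattern = '^\s*[^\s@:]+@[^\s@:]+:\S+' }
        @{ Name = 'ClaimsToKnowPassword';           Text = $Body;    Pattern = 'is your password' }
        @{ Name = 'DemandsBitcoin';                 Text = $Body;    Pattern = 'bitcoin' }
        @{ Name = 'WebcamRecordingClaim';           Text = $Body;    Pattern = 'web\s*cam' }
        @{ Name = 'ThreatToSendToContacts';         Text = $Body;    Pattern = 'send .{0,40}(videos?|recording).{0,40}contacts' }
        @{ Name = 'DollarAmountDemanded';           Text = $Body;    Pattern = '\$\s?\d{3,}' }
        @{ Name = 'ShortDeadline';                  Text = $Body;    Pattern = '\b(one|two|\d+)\s+days?\b|\b\d+\s+hours\b' }
        @{ Name = 'TrackingPixelClaim';             Text = $Body;    Pattern = '\bpixel\b' }
    )

    $hits = @(foreach ($i in $indicators) {
        if ($i.Text -match $i.Pattern) { $i.Name }
    })

    # The address before the colon in the subject is the breached account the
    # scammer's list came from; that is the password to change first.
    $breached = $null
    if ($Subject -match '^\s*([^\s@:]+@[^\s@:]+):') { $breached = $Matches[1] }

    [pscustomobject]@{
        Score           = $hits.Count
        Indicators      = $hits
        IsLikelyScam    = ($hits.Count -ge 3)
        BreachedAddress = $breached
    }
}

# Constructed sample, modelled on the scam message quoted in the post.
# Single-quoted here-string so the $ signs are not interpolated.
$sampleSubject = 'somee-mail-address-you-used@social-media-site.compromised:$om3o1dP@$$w0rd'
$sampleBody = @'
It appears that, ($om3o1dP@$$w0rd), is your password.
I produced a double-screen video, and 2nd part shows the recording of your web cam.
Well, in my opinion, $1100 is really a fair price for your little secret.
You will make the payment by Bitcoin.
You've one day in order to make the payment. (I've a completely unique pixel within this e mail.)
If I do not get the BitCoins, I will certainly send your videos to all of your contacts including relatives.
'@

# A legitimate notice for comparison (the Amazon text quoted at the top of the page).
$legitSubject = 'Important Information about your Amazon.com Account'
$legitBody    = 'We''re contacting you to let you know that our website inadvertently disclosed your email address due to a technical error. The issue has been fixed.'

Test-SextortionIndicators -Subject $sampleSubject -Body $sampleBody | Format-List   # all 8 indicators hit
Test-SextortionIndicators -Subject $legitSubject  -Body $legitBody  | Format-List   # score 0
```

The scam sample trips every indicator while the genuine Amazon notice trips none; in a transport rule or a mailbox script the useful output is the BreachedAddress field, because it names the account whose leaked password is being reused rather than the mailbox that received the threat.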

Exploitable LDAP server used for an attack: Microsoft Active Directory / Exchange Server

You've just received notice that your Active Directory server is being used as part of a wide-scale DDoS attack. Here is how you can fix it.

Open the Windows Firewall settings on the Active Directory server (the server whose IP address was reported) and look for the following inbound rules:

  • Active Directory Domain Controller - LDAP (TCP-In)
  • Active Directory Domain Controller - LDAP (UDP-In)
  • Active Directory Domain Controller - LDAP for Global Catalog (TCP-In)
  • Active Directory Domain Controller - Secure LDAP (TCP-In)
  • Active Directory Domain Controller - Secure LDAP for Global Catalog (TCP-In)

For each of these, edit the rule, choose the Scope tab and enter only the IP addresses that should have access to LDAP information, for example the Microsoft Exchange Servers within your network that need LDAP access.
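The same scope change done with the NetSecurity cmdlets on the domain controller, as an added example that is not from the original post or from Microsoft: it previews the change with -WhatIf, applies it to all five rules at once and reads the result back so you can confirm no rule still allows "Any" remote address. The function names and the address list are this example's own; the addresses are placeholders for your Exchange servers, other domain controllers and the client networks that log on to the domain.

```powershell
# Added example, not from the original post: restrict the built-in LDAP rules to
# known sources from an elevated PowerShell session on the domain controller.
# Function names and the address list are placeholders chosen for this example.

$ruleNames = @(
    'Active Directory Domain Controller - LDAP (TCP-In)'
    'Active Directory Domain Controller - LDAP (UDP-In)'
    'Active Directory Domain Controller - LDAP for Global Catalog (TCP-In)'
    'Active Directory Domain Controller - Secure LDAP (TCP-In)'
    'Active Directory Domain Controller - Secure LDAP for Global Catalog (TCP-In)'
)

# Placeholder sources that legitimately need LDAP. Replace with your own.
$allowedSources = @(
    '10.0.1.10'      # hypothetical Exchange server
    '10.0.1.11'      # hypothetical second Exchange server
    '10.0.0.0/16'    # hypothetical internal range: other DCs and domain members
)

function Set-LdapRuleScope {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $RuleDisplayName,
        [Parameter(Mandatory)] [string[]] $RemoteAddress
    )
    foreach ($name in $RuleDisplayName) {
        $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
        if ($rules.Count -eq 0) {
            Write-Warning "Rule not found: $name"
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, "Restrict remote addresses to $($RemoteAddress -join ', ')")) {
            # -RemoteAddress is the same list as the Scope tab's "Remote IP address" box.
            $rules | Set-NetFirewallRule -RemoteAddress $RemoteAddress
        }
    }
}

function Get-LdapRuleScope {
    param([Parameter(Mandatory)] [string[]] $RuleDisplayName)
    foreach ($name in $RuleDisplayName) {
        foreach ($rule in @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            $addr = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                Enabled       = $rule.Enabled
                RemoteAddress = ($addr.RemoteAddress -join ', ')
                StillOpenToAny = ($addr.RemoteAddress -contains 'Any')
            }
        }
    }
}

# 1. Preview, 2. apply, 3. verify.
Set-LdapRuleScope -RuleDisplayName $ruleNames -RemoteAddress $allowedSources -WhatIf
Set-LdapRuleScope -RuleDisplayName $ruleNames -RemoteAddress $allowedSources
Get-LdapRuleScope -RuleDisplayName $ruleNames | Format-Table -AutoSize
```

Two practical points: the "LDAP (UDP-In)" rule is the connectionless LDAP (CLDAP, UDP 389) listener, which is the one reflection traffic arrives on, so it is the rule to scope most tightly; and domain-joined clients and the other domain controllers also need LDAP to the DC, so scoping to nothing but the Exchange servers will break logons and replication. The real goal is that no rule is reachable from the Internet with "Any" as its remote address, ideally enforced at the perimeter firewall as well.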

For assistance securing your network, or if you are looking for hosted Exchange services, check out Area51.mn.


Using a SSL Certificate for RDP

Create and install a certificate using IIS, or import a .pfx file; the cert can be SHA-256 or whatever you want.

Open the Certificate Manager:

  • Run/open "MMC"
  • File, Add/Remove Snap-in, Certificates, OK
  • Expand the folder with your cert (generally Personal, Certificates)
  • Right-click the certificate, Open
  • Details tab, near the bottom choose Thumbprint and select the hash value
  • Remove the spaces from the hash value
  • Open a Command Prompt with elevated privileges
  • Run the following command, replacing "HASHVALUE" (quotes included) with your SSL cert's thumbprint hash value:
    • wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="HASHVALUE"
  • It should say "Updating property(s) of ..."
  • and then "... update successful"

That's it, you're done.
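The same listener change done in PowerShell, as an added example that is not from the original post: it normalises the thumbprint (the Details tab shows it with spaces), confirms the certificate is in the computer's Personal store with a private key, sets the same WMI property the wmic command sets, and reads it back, which is the "update successful" check. It uses the WMI cmdlets, so it is written for Windows PowerShell 5.1; the function name is this example's own and the thumbprint is a placeholder.

```powershell
# Added example, not from the original post: bind an SSL certificate to the
# RDP-Tcp listener with checks for the usual reasons it silently stays on the
# self-signed certificate. Function name chosen for this example; run elevated
# in Windows PowerShell 5.1 (Get-WmiObject / Set-WmiInstance are not in PowerShell 7).

function Set-RdpListenerCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint
    )

    # The Details tab shows the thumbprint with spaces; WMI wants 40 hex characters.
    $hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hash.Length -ne 40) {
        throw "Thumbprint must be 40 hex characters after removing spaces, got $($hash.Length)."
    }

    # The certificate must be in the computer's Personal store and have a private key.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
    if (-not $cert) { throw "No certificate with thumbprint $hash in Cert:\LocalMachine\My." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $hash has no private key; RDP cannot use it." }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate $hash expired on $($cert.NotAfter)." }

    $wmi = @{ Namespace = 'root\cimv2\TerminalServices'; Class = 'Win32_TSGeneralSetting'; Filter = "TerminalName='RDP-Tcp'" }
    $listener = Get-WmiObject @wmi
    if (-not $listener) { throw "RDP-Tcp listener not found in WMI." }

    if ($PSCmdlet.ShouldProcess('RDP-Tcp listener', "Bind certificate $hash")) {
        # Same property the wmic command in the post sets.
        Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $hash } | Out-Null
    }

    # Read it back: the equivalent of wmic's "update successful".
    $after = Get-WmiObject @wmi
    [pscustomobject]@{
        Listener   = $after.TerminalName
        Thumbprint = $after.SSLCertificateSHA1Hash
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Applied    = ($after.SSLCertificateSHA1Hash -eq $hash)
    }
}

# List the candidate certificates first, then run with the thumbprint you chose:
Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | Select-Object Subject, NotAfter, Thumbprint
# Set-RdpListenerCertificate -Thumbprint '<thumbprint from the list above>' -WhatIf
# Set-RdpListenerCertificate -Thumbprint '<thumbprint from the list above>'
```

If Applied comes back true but clients still see the old self-signed certificate, the usual cause is private key permissions: the Remote Desktop service runs as NETWORK SERVICE and needs Read access to the certificate's private key (certlm.msc, right-click the certificate, All Tasks, Manage Private Keys), which an imported .pfx does not grant by default. Note also that wmic is deprecated on current Windows releases, which is one more reason to keep the PowerShell form around.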

How to see if a sender is being spoofed in outlook: helping to prevent fraud and malware

Many times you may receive emails in Outlook that pretend to be from someone they are not; sometimes they may even appear to be coming from yourself.

A simple and effective way to see who the real sender of each email is:

  1. Click on the window where you view incoming emails, then click "View", "Add Columns"
  2. Now click "New Column" and name it something like "Sender"
  3. Change the Type to "Formula", click "Edit" and enter [SearchFromEmail] to show the sender's full address, or the following to show just the domain (everything after the "@"):
     Right([SearchFromEmail], Len([SearchFromEmail]) - InStr(1, [SearchFromEmail], "@"))
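The same "who really sent this" check run from PowerShell over the Inbox through Outlook's COM object model, as an added example that is not from the original post: it resolves each sender to an SMTP domain (Exchange senders show up as X.500 addresses, so those are resolved to the primary SMTP address) and flags messages whose display name claims an address, or your own domain, that the actual sender domain does not match. The function name and the example.com domain are this example's placeholders; Outlook must be installed and configured on the machine running it.

```powershell
# Added example, not from the original post: list recent Inbox messages with the
# domain they really came from, flagging display names that claim otherwise.
# Function name and the example.com domain are placeholders for this example.

$ownDomain = 'example.com'   # placeholder: your organisation's mail domain

function Get-SenderDomainReport {
    param(
        [Parameter(Mandatory)] [string] $OwnDomain,
        [int] $Newest = 50
    )
    $outlook = New-Object -ComObject Outlook.Application
    $inbox   = $outlook.GetNamespace('MAPI').GetDefaultFolder(6)   # 6 = olFolderInbox
    $items   = $inbox.Items
    $items.Sort('[ReceivedTime]', $true)                           # newest first

    $count = 0
    foreach ($mail in $items) {
        if ($mail.Class -ne 43) { continue }                        # 43 = olMail; skip meeting requests etc.
        $count++
        if ($count -gt $Newest) { break }

        # SenderEmailAddress is the SMTP address for Internet mail; for Exchange
        # senders it is an X.500 address, so resolve it to the primary SMTP address.
        $address = $mail.SenderEmailAddress
        if ($mail.SenderEmailType -eq 'EX' -and $mail.Sender) {
            $exUser = $mail.Sender.GetExchangeUser()
            if ($exUser) { $address = $exUser.PrimarySmtpAddress }
        }
        $domain = ($address -split '@')[-1]

        # Suspicious when the display name embeds a different address, or name-drops
        # your own domain while the message actually came from somewhere else.
        $claimedDomain = $null
        if ($mail.SenderName -match '@([^\s>]+)') { $claimedDomain = $Matches[1] }
        $suspicious = ($claimedDomain -and $claimedDomain -ne $domain) -or
                      ($mail.SenderName -match [regex]::Escape($OwnDomain) -and $domain -ne $OwnDomain)

        [pscustomobject]@{
            Received     = $mail.ReceivedTime
            DisplayName  = $mail.SenderName
            SenderDomain = $domain
            Suspicious   = [bool]$suspicious
            Subject      = $mail.Subject
        }
    }
}

Get-SenderDomainReport -OwnDomain $ownDomain | Format-Table -AutoSize
```

The SenderDomain column is the same value the formula column shows; the Suspicious flag only adds the comparison a reader would otherwise do by eye. It does not prove a message is genuine (a domain can be spoofed outright where SPF, DKIM and DMARC are not enforced), so treat it as a quick triage view, not as authentication.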