
Major gaming tech manufacturer phishing email.

Discussion in 'General Discussion' started by MiSJAH, 1 Jun 2019.

  1. MiSJAH

    Wise Guy

    Joined: 30 Nov 2013

    Posts: 1,462

    Location: UK

    Hi All,

    I recently received a phishing email:

    [image: screenshot of the email, not reproduced here]

    The sender address is a large tech/gaming manufacturer.

    I made the company aware of the situation on Sunday 26th May.

    Nothing heard until today, when they sent out a mass email to their customers.

    Is sitting on the information for 6 days normal with regard to these matters?
     
  2. thenewoc

    Soldato

    Joined: 9 Mar 2012

    Posts: 6,185

    Location: West Sussex, England

    I got one of these too; it got captured in my junk folder though.
     
  3. MiSJAH

    Wise Guy

    Joined: 30 Nov 2013

    Posts: 1,462

    Location: UK

    My concern isn't with the email, per se, but the access someone has to the manufacturer's servers/system.
     
  4. Ree

    Wise Guy

    Joined: 22 Aug 2016

    Posts: 2,008

    I got an email from MSI about this today. Never received the original email that it's on about though.
     
  5. Azza

    Caporegime

    Joined: 6 Dec 2005

    Posts: 35,529

    Location: Birmingham

    Won't they just be spoofing the sender rather than anything else?
     
  6. Ceryndrion

    Mobster

    Joined: 21 Mar 2003

    Posts: 4,577

    Location: Nottingham

    More than likely, would be interesting to see the headers.
     
  7. thenewoc

    Soldato

    Joined: 9 Mar 2012

    Posts: 6,185

    Location: West Sussex, England

    Judging by the message headers, I would say it's a spoofed sender address, which is most likely why it was swept into junk automatically...

    I've not had an email from MSI to warn about it though.

     
  8. thenewoc

    Soldato

    Joined: 9 Mar 2012

    Posts: 6,185

    Location: West Sussex, England

    Here's the full headers (with my email obfuscated)...

    Code:
    Received: from BL2NAM02HT063.eop-nam02.prod.protection.outlook.com
    (2603:10a6:803:a0::43) by VE1PR09MB3294.eurprd09.prod.outlook.com with HTTPS
    via VI1PR06CA0150.EURPRD06.PROD.OUTLOOK.COM; Sat, 25 May 2019 22:34:35 +0000
    Received: from BL2NAM02FT022.eop-nam02.prod.protection.outlook.com
    (10.152.76.57) by BL2NAM02HT063.eop-nam02.prod.protection.outlook.com
    (10.152.77.73) with Microsoft SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1922.16; Sat, 25 May
    2019 22:34:34 +0000
    Authentication-Results: spf=none (sender IP is 212.175.12.130)
    smtp.mailfrom=cpanel.isbiroptik.com; hotmail.com; dkim=none (message not
    signed) header.d=none;hotmail.com; dmarc=none action=none
    header.from=msi.com;
    Received-SPF: None (protection.outlook.com: cpanel.isbiroptik.com does not
    designate permitted sender hosts)
    Received: from cpanel.isbiroptik.com (212.175.12.130) by
    BL2NAM02FT022.mail.protection.outlook.com (10.152.77.153) with Microsoft SMTP
    Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
    15.20.1922.16 via Frontend Transport; Sat, 25 May 2019 22:34:34 +0000
    X-IncomingTopHeaderMarker:
    OriginalChecksum:8470BBA7EFB74747B31F14599B7F3D5756F4400360EFF7C5332FA447EFFC5C04;UpperCasedChecksum:5AC579D75D366CE7EE688C78C260D7ECE3BE94CE20F9D2A3C01E02931C672F7C;SizeAsReceived:1504;Count:22
    Received: from isbiroptik by cpanel.isbiroptik.com with local (Exim 4.91)
    (envelope-from <isbiroptik@cpanel.isbiroptik.com>)
    id 1hUfFI-0007td-Kf
    for ****@hotmail.com; Sun, 26 May 2019 01:34:32 +0300
    To: ****@hotmail.com
    Subject: =?UTF-8?B?QWNjb3VudCBBbGVydDogWW91ciBBcHBsZSBJRCB3YXMgdXNlZCB0byBzaWduIGluIGZyb20gYW5vdGhlciBsUCBBZGRyZXNzIGluIEluZG9uZXNpYSAoNS8yNi8yMDE5IDQ6MDk6NTIgUE0gKQ==?=
    X-PHP-Script: bulten.isbiroptik.com/admin/temp/surveys/6661/2/asu.php for 35.222.223.210
    X-PHP-Originating-Script: 501:asu.php
    From: =?UTF-8?B?QXBwU3RvcmU=?= <services@msi.com>
    Content-type: multipart/mixed; boundary="--GuXzKLastB"
    Reply-To: services@msi.com
    Message-Id: <E1hUfFI-0007td-Kf@cpanel.isbiroptik.com>
    Sender: <isbiroptik@cpanel.isbiroptik.com>
    Date: Sun, 26 May 2019 01:34:32 +0300
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - cpanel.isbiroptik.com
    X-AntiAbuse: Original Domain - hotmail.com
    X-AntiAbuse: Originator/Caller UID/GID - [501 501] / [47 12]
    X-AntiAbuse: Sender Address Domain - cpanel.isbiroptik.com
    X-Get-Message-Sender-Via: cpanel.isbiroptik.com: authenticated_id: isbiroptik/only user confirmed/virtual account not confirmed
    X-Authenticated-Sender: cpanel.isbiroptik.com: isbiroptik
    X-Source:
    X-Source-Args: php-fpm: pool bulten_isbiroptik_com
    X-Source-Dir: isbiroptik.com:/bulten.isbiroptik.com/admin/temp/surveys/6661/2
    X-IncomingHeaderCount: 22
    Return-Path: isbiroptik@cpanel.isbiroptik.com
    X-MS-Exchange-Organization-ExpirationStartTime: 25 May 2019 22:34:34.4204
    (UTC)
    X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
    X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
    X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
    X-MS-Exchange-Organization-Network-Message-Id:
    abf8d9d8-13d2-4905-a038-08d6e1612985
    X-EOPAttributedMessage: 0
    X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
    X-MS-Exchange-Organization-MessageDirectionality: Incoming
    X-Forefront-Antispam-Report: EFV:NLI;
    X-MS-Exchange-Organization-AuthSource:
    BL2NAM02FT022.eop-nam02.prod.protection.outlook.com
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-PublicTrafficType: Email
    X-MS-UserLastLogonTime: 5/25/2019 9:37:14 PM
    X-MS-Office365-Filtering-Correlation-Id: abf8d9d8-13d2-4905-a038-08d6e1612985
    X-Microsoft-Antispam:
    BCL:0;PCL:0;RULEID:(2390118)(5000113)(711020)(4605104)(610169)(8291501072);SRVR:BL2NAM02HT063;
    X-MS-TrafficTypeDiagnostic: BL2NAM02HT063:
    X-MS-Exchange-PUrlCount: 1
    X-MS-Exchange-EOPDirect: true
    X-Sender-IP: 212.175.12.130
    X-SID-PRA: SERVICES@MSI.COM
    X-SID-Result: NONE
    X-MS-Exchange-Organization-PCL: 2
    X-OriginatorOrg: outlook.com
    X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 May 2019 22:34:34.1251
    (UTC)
    X-MS-Exchange-CrossTenant-Network-Message-Id: abf8d9d8-13d2-4905-a038-08d6e1612985
    X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
    X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
    X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
    00000000-0000-0000-0000-000000000000
    X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2NAM02HT063
    X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
    X-MS-Exchange-Organization-ExpirationIntervalReason: FlexTransport
    X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.1301205
    X-MS-Exchange-Processed-By-BccFoldering: 15.20.1922.000
    X-Microsoft-Antispam-Mailbox-Delivery:
    abwl:0;wl:0;pcwl:0;kl:0;iwl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;psp:0;auth:0;dest:J;OFR:SpamFilterAuthJ;ENG:(5062000261)(5061607266)(5061608174)(4900115)(8390100)(8377080)(8376100)(8386120)(8375121)(4920090)(6380081)(4950130)(4990090)(9140004);RF:JunkEmail;
    X-Message-Info:
    qoGN4b5S4yq0/zlyHv5xRFX9EtuW4SUMcX0M1fXnCA3C8KfxkUgn0Kp1Jy0yprVkXdKPM1RswBS6bSm1BQnM6WtYYxKrDoW9CCpO+mZD1gjxVpN73i70RXDqGQ87zzzGDszeqVF1URvHoMtFNyrUhAdQX+wXeaTsEu7T03b27ecMMozIsGa66FfzZbji3x9fho/oYohBE3zo9VFUjb7TJA==
    X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0xO0Q9MjtHRD0xO1NDTD02
    MIME-Version: 1.0
     
  9. Malevolence

    Capodecina

    Joined: 21 Oct 2011

    Posts: 14,892

    Why don't you just say 'MSI'?
     
  10. Beerbaron

    Soldato

    Joined: 28 Feb 2006

    Posts: 5,942

    Location: Beds

    It's spoofed and didn't originate from MSI.
     
  11. MiSJAH

    Wise Guy

    Joined: 30 Nov 2013

    Posts: 1,462

    Location: UK

    Can you give a layman's explanation of that please?

    I've had run-ins with MSI historically; I don't want to appear biased.

    Was MSI's response.
     
  12. Stephanie Peterson

    Hitman

    Joined: 9 Jan 2019

    Posts: 887

    Spoofed emails are a massive problem. I recently had an academic director who appeared to be sending out mass emails of... well, not too great a content.
    It was just a spoofed address, but trying to explain to this person that there was little we could do was not easy.
     
  13. thenewoc

    Soldato

    Joined: 9 Mar 2012

    Posts: 6,185

    Location: West Sussex, England

    I don't fully understand them myself, since I'm not sure which bits can be relied upon to be true; they get added at different stages, and the lines nearest the top are added by your own email provider.

    In short, the headers are a mix of entries that are either created at message creation time by the email client (or script, as seems to be the case with this one) and entries added by each server that handles the receipt of the message.

    The sender is asserting that the From address is msi.com, but I suspect msi.com has SPF and DKIM records set up on their DNS to prevent someone from successfully spoofing their address, e.g. ensuring the message gets marked as spam. This is because those DNS records don't identify the sender's actual address (<isbiroptik@cpanel.isbiroptik.com>) as having the authority to send messages on behalf of msi.com. The 'spf=none' and 'dkim=none' are things I'd expect to see genuine organisations using too, but these are not set for 'cpanel.isbiroptik.com'.

    More info in these...

    https://mediatemple.net/community/products/dv/204643950/understanding-an-email-header

    https://whatismyipaddress.com/email-header
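The headers thenewoc posted in post #8 already contain everything needed to reach Beerbaron's conclusion mechanically, and the Authentication-Results line is the part worth reading: Outlook.com evaluated SPF against the envelope sender (smtp.mailfrom=cpanel.isbiroptik.com), found no DKIM signature, and got dmarc=none for the visible From domain (header.from=msi.com), which in RFC 7489 terms means no DMARC record was found for that domain, so no policy could be enforced. The script below is an added example written for this thread, not code posted by anyone above or published by MSI. It parses those posted headers (recipient obfuscated as in the post, trimmed to the relevant fields and re-folded), plus a second, constructed header set for a properly authenticated message (example.com is a reserved name, not a real sender), and applies the check a DMARC verifier applies: does SPF or DKIM pass with an identifier that aligns with the From domain? The org_domain helper is a deliberate simplification of public-suffix-list lookup and is an assumption of this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Header fields as posted in the thread (recipient obfuscated by the poster),
# trimmed to what the check needs and re-folded so the parser accepts them.
POSTED_HEADERS = """\
Authentication-Results: spf=none (sender IP is 212.175.12.130)
 smtp.mailfrom=cpanel.isbiroptik.com; hotmail.com; dkim=none (message not
 signed) header.d=none;hotmail.com; dmarc=none action=none
 header.from=msi.com;
Received: from isbiroptik by cpanel.isbiroptik.com with local (Exim 4.91)
 (envelope-from <isbiroptik@cpanel.isbiroptik.com>)
 id 1hUfFI-0007td-Kf
 for ****@hotmail.com; Sun, 26 May 2019 01:34:32 +0300
Subject: =?UTF-8?B?QWNjb3VudCBBbGVydDogWW91ciBBcHBsZSBJRCB3YXMgdXNlZCB0byBzaWduIGluIGZyb20gYW5vdGhlciBsUCBBZGRyZXNzIGluIEluZG9uZXNpYSAoNS8yNi8yMDE5IDQ6MDk6NTIgUE0gKQ==?=
X-PHP-Script: bulten.isbiroptik.com/admin/temp/surveys/6661/2/asu.php for 35.222.223.210
From: =?UTF-8?B?QXBwU3RvcmU=?= <services@msi.com>
Reply-To: services@msi.com
Message-Id: <E1hUfFI-0007td-Kf@cpanel.isbiroptik.com>
Sender: <isbiroptik@cpanel.isbiroptik.com>
Return-Path: isbiroptik@cpanel.isbiroptik.com
"""

# Constructed contrast case (example.com is reserved, not a real sender): the
# same fields when SPF and DKIM both pass and align with the From domain.
ALIGNED_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=example.com; dkim=pass (signature was verified)
 header.d=example.com; dmarc=pass action=none header.from=example.com;
From: Example Support <support@example.com>
Return-Path: bounces@example.com
Message-Id: <20190526.001@mail.example.com>
Subject: Constructed aligned message
"""

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
AUTH_IDENT = re.compile(r"\b(smtp\.mailfrom|header\.from|header\.d)=([\w.-]+)")


def domain_of(header_value):
    """Domain part of the first address in a header value, lower-cased."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() or None


def org_domain(domain):
    """Crude organisational domain (last two labels). Real verifiers consult the
    public suffix list; this approximation is an assumption of the example."""
    return ".".join(domain.lower().split(".")[-2:]) if domain else None


def parse_auth_results(value):
    """Split a receiver's Authentication-Results into per-method results
    (spf/dkim/dmarc -> pass/none/fail) and the identity each was tested on."""
    return dict(AUTH_RESULT.findall(value)), dict(AUTH_IDENT.findall(value))


def dmarc_aligned(results, idents, header_from):
    """Relaxed DMARC alignment: SPF or DKIM must pass AND its identifier must
    share an organisational domain with the RFC 5322 From domain."""
    spf_ok = results.get("spf") == "pass" and org_domain(idents.get("smtp.mailfrom")) == org_domain(header_from)
    dkim_ok = results.get("dkim") == "pass" and org_domain(idents.get("header.d")) == org_domain(header_from)
    return spf_ok or dkim_ok


def analyse(raw_headers):
    """Collect every sender identity the message carries and list the mismatches."""
    msg = message_from_string(raw_headers, policy=policy.default)
    results, idents = parse_auth_results(str(msg["Authentication-Results"] or ""))
    display_name, from_addr = parseaddr(str(msg["From"] or ""))
    header_from = from_addr.rpartition("@")[2].lower() or None
    envelope_from = domain_of(str(msg["Return-Path"] or "")) or idents.get("smtp.mailfrom")
    script = str(msg["X-PHP-Script"] or "").split(" for ")[0] or None
    report = {
        "display_name": display_name,
        "subject": str(msg["Subject"] or ""),  # RFC 2047 encoded word is decoded here
        "header_from": header_from,
        "envelope_from": envelope_from,
        "sender": domain_of(str(msg["Sender"] or "")),
        "message_id_domain": domain_of(str(msg["Message-Id"] or "")),
        "spf": results.get("spf"), "dkim": results.get("dkim"), "dmarc": results.get("dmarc"),
        "generated_by_script": script,
        "dmarc_aligned": dmarc_aligned(results, idents, header_from),
        "findings": [],
    }
    if envelope_from and header_from and org_domain(envelope_from) != org_domain(header_from):
        report["findings"].append(f"envelope sender {envelope_from} is not the From domain {header_from}")
    for method, ident in (("spf", "smtp.mailfrom"), ("dkim", "header.d"), ("dmarc", "header.from")):
        if results.get(method) != "pass":
            who = idents.get(ident) if idents.get(ident) not in (None, "none") else "(no identifier)"
            report["findings"].append(f"{method}={results.get(method, 'missing')} for {who}")
    if script:
        report["findings"].append(f"generated by web script {script}, not a mail client")
    return report


if __name__ == "__main__":
    for raw in (POSTED_HEADERS, ALIGNED_HEADERS):
        print(analyse(raw))
```

Run against the posted headers, the report shows the visible From domain (msi.com) alongside three identities that all point at the cPanel host (Return-Path, Sender and the Message-Id domain), no passing SPF or DKIM result to align with msi.com, and an X-PHP-Script header saying the message was generated by a PHP file on the sending host. That last header answers the original question: the access in evidence here is to a third party's web hosting account, not to MSI's systems; the msi.com address is only asserted by the script. The constructed example.com case shows the shape a legitimate message takes (spf=pass and dkim=pass on identifiers in the same organisational domain as From), and returns no findings.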
     
  14. Brizzles

    Soldato

    Joined: 16 Mar 2005

    Posts: 7,306

    Location: Clevedon , Bristol

    Got the same one today also.

    I don't even have an Apple ID, so needless to say I wasn't concerned.