Jump to content

Phishing email targetting German ESET users

cutting_edgetech

By cutting_edgetech
in General Discussion

 Share

Recommended Posts

  • ESET Insiders
cutting_edgetech

cutting_edgetech 25

Posted
  • ESET Insiders
Posted (edited)

It seems that Eset customers in Germany are receiving fake emails from unknown individuals claiming they are from Eset. These individuals ask for your credit Card info or other method of payment. They say they will have no other choice than temporarily  suspend your account if you do no give them your payment info. I thought to myself most Eset customers are too intelligent to fall for something like that lol  There has been a thread started at Wilder's Security Forum on this by one individual that received this message by email. Hopefully no Credit Card info was compromised, but it does appear that some user's contact info was compromised. At least in Germany anyways, but nothing has been confirmed. Hopefully it was only a reseller, and no customers payment info was compromised. If they had the info they would not be asking for it so if anyone's payment info was compromised then it was obviously not everyone's. At any rate it's still bad news. I'm sure Eset will be addressing this soon.

 

hxxp://www.wilderssecurity.com/showthread.php?p=2246020#post2246020

Edited by cutting_edgetech
Link to comment
Share on other sites
Guest me@privacy.net

Guest me@privacy.net

Posted
Posted

ESET Germany is aware of it and will take position on this matter, as reported to me by a phone supporter.

The fake mails are personalized with correctly adressing the contact by name.

 

The fake site has been reported to netcraft for phishing.

Link to comment
Share on other sites
  • ESET Insiders
cutting_edgetech

cutting_edgetech 25

Posted
  • Author
  • ESET Insiders
Posted (edited)

This likely was no reseller. I bought all my licenses at ESEt directly...

 

It appears that it could be a much bigger problem then. Two members at Wilder's posted there saying they received the email, and they bought their license directly from Eset.

Edited by cutting_edgetech
Link to comment
Share on other sites
wolliballa

wolliballa 4

Posted
Posted

!!! Check out

hxxp://www.wilderssecurity.com/showthread.php?p=2246055#post2246055

hxxp://www.wilderssecurity.com/showthread.php?t=349468

 

It looks like some customer data has been lost and is now used for licence phishing.

 

Customer names and adresses are real, underlying URL (88.198.132.3) gets blocked by 6.0.316.1  (8493)

Link to comment
Share on other sites
Guest Guest

Guest Guest

Posted
Posted

This morning I received an email from ESET.

 If you follow the contain link, they ask you for your credit card so i thing it´s a fake.

I don´t know why they got my full name from...

 

Anyone else got this kind of mail ?

 

 

Dear Eset Customer,(full real name)

During our regularly scheduled account maintenance and verification
procedure we have detected aslight error in your ESET online account.

Please fill in all the details that are required to complete this verification
process or you ESET license will get suspended.

Please understand that this is a security measure intended to help protect
you and your account.

If you choose to ignore our request, you leave us no choice but to temporary
suspend your license. We apologize for any inconvenience.

Please click the following link to verify your account :

https://www.esetshop.de/verify/PP1263/


ESET NOD Email ID PP1263.

Copyright © 1999-2013 ESET. All rights reserved. ESET (Germany)

From - Thu Jun 27 09:23:58 2013X-Account-Key: account2X-UIDL: 0MLw0W-1UvLWY1rLw-007o54X-Mozilla-Status: 0001X-Mozilla-Status2: 00000000X-Mozilla-Keys:                                                                                 Return-Path: root@server.affairs4u.comReceived: from server.affairs4u.com ([216.246.29.28]) by mx-ha.web.de (mxweb106) with ESMTP (Nemesis) id 0MLw0W-1UvLWY1rLw-007o54 for <fullname@web.de>; Thu, 27 Jun 2013 05:14:58 +0200Received: from root by server.affairs4u.com with local (Exim 4.69)	(envelope-from <root@server.affairs4u.com>)	id 1Us2fh-0002WC-LN	for fullname@web.de; Thu, 27 Jun 2013 04:14:57 +0100To: nikoslukas@web.deSubject: Please verify your ESET AccountFrom: ESET <service-552316464@esetshop.de>MIME-Version: 1.3Content-Type: Text/HTMLContent-Transfer-Encoding: 32bitMessage-Id: <E1Us2fh-0002WC-LN@server.affairs4u.com>Date: Thu, 27 Jun 2013 04:14:57 +0100X-AntiAbuse: This header was added to track abuse, please include it with any abuse reportX-AntiAbuse: Primary Hostname - server.affairs4u.comX-AntiAbuse: Original Domain - web.deX-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]X-AntiAbuse: Sender Address Domain - server.affairs4u.comX-Source: /usr/local/bin/phpX-Source-Args: php x.php X-Source-Dir: /root/123Envelope-To: <fullname@web.de>

 

Link to comment
Share on other sites
Guest me@privacy.net

Guest me@privacy.net

Posted
Posted

Same here for me, a directly bought license. However we should wait for a statement by eset what has been compromised.

This is going to really hurt eset's image. Data Protection Supervisors will be knocking on their doors soon.

Link to comment
Share on other sites
Guest me_germany

Guest me_germany

Posted
Posted

I got this same mail this morning and i ordered my license at ESEt directly...

Link to comment
Share on other sites
wolliballa

wolliballa 4

Posted
Posted

Yes, see similar posts, also under wilderssecurity.com

 

Eset Germany in the meantime is aware of this issue ( just talked to local support ) and in the middle of investigation (where is the leak, what happend, what is the source....)

Link to comment
Share on other sites
Guest German-Customer

Guest German-Customer

Posted
Posted

I also received 2 E-Mails last night claiming to be from Eset (German customer here) wanting me to enter my credit card data. I was addressed with my full name, they used the correct E-Mail address.

One of the links pointed at affairs4u .com, the other at esetnod .tld .cc.

 

This is very alarming! A Security company getting customer data stolen is unacceptable!

 

Link to comment
Share on other sites
Guest Guest_2

Guest Guest_2

Posted
Posted

Good morning,
 
this morning I got the same email as you. If you will copy and paste the shown link (https://www.esetshop.de/verify/PP1263/) you will get this hxxp://affairs4u.com/esetnod/?-451832672/?z-451832672 in your browser.
 
I think something must be definitly wrong. Is good to have a feeling for such things, but the first look is official.
 
Any other information?

Link to comment
Share on other sites
  • ESET Moderators
TomasP

TomasP 316

Posted
  • ESET Moderators
Posted

Hello,

 

As for now, we are aware of this situation and we can assure you that this email does not originate at ESET.

 

T.

Link to comment
Share on other sites
derFunk

derFunk 0

Posted
Posted

Kindly have a look at hxxp://pastebin.com/AYcw8HRV.

 

I unscrambled the phishing site's source code - The form wants to send the phished data to shadyflw@gmail.com (<input name="ip" value="41.251.67.216" type="hidden"><input name="Send" value="shadyflw@gmail.com" type="hidden">).

 

Maybe that helps.

 

I really hope no credit card data have been lost.

Link to comment
Share on other sites
Guest EsetUserBerlin

Guest EsetUserBerlin

Posted
Posted

I have received a similar mail as well and it appeared to me almost serious, for

a) my name has been mentioned

B) it refers to a product in use

c) with a sender domain known, too: esetshop.de

 

I thought, there could only be two reasons for this: 1st: my network/Server/Notebooks is hacked by Trojan etc.  2nd: Eset has been hacked.

 

As there is a discussion going on in several forums and I found this discussion here, I am now sure that the 2nd reason is correct.

 

This is TERRIBLE and I already got in contact with Eset Germany to clarify situation - for the privacy of our customer data is mission-critical.

 

Wait for any official comments here, too.

 

Is this a German thing, only?

Link to comment
Share on other sites
Guest Timo

Guest Timo

Posted
Posted

I have received the same mail, directed to the special email adress that I have used *only* for registering with eset. It can only come from their database.

 

Best regards,

Timo

Link to comment
Share on other sites
Guest German12

Guest German12

Posted
Posted

i got that same email and i just want to know: are my credit card details now in danger???

Link to comment
Share on other sites
Guest me@privacy.net

Guest me@privacy.net

Posted
Posted

There's no official statement at this point. According to a heise.de/security report from 11:38 CET, eset is still investigating and makes no official statement. But considering that the phisher is asking for your cc-card details on the phishing site, the phisher may only got salted data if any or only the customer's contact details. But that's just a wild guess from my side. So we have to wait for a statement to be sure what has happened.

 

Link to comment
Share on other sites
Guest HenSch

Guest HenSch

Posted
Posted

I have also received this kind of email.

Even if analysis are still running, ESET should send out a notification immediately to all customers telling them to ignore the fake email!

 

best regards

Hendrik

Link to comment
Share on other sites
Guest Leos00

Guest Leos00

Posted
Posted

There is a good point tho.... if they try to Scam ppl to give em the CreditCard info then that means that they dont have em yet :-/

Link to comment
Share on other sites
derFunk

derFunk 0

Posted
Posted (edited)

Not fully true, Guest_Leos00_*, because ESET and their contractors offer different payment methods.

Credit card numbers are most attractive, so why not ask for it although they might have the bank account data already etc.

Edited by derFunk
Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...