EchoSpoofing: how hackers turned Proofpoint into a pipeline for sending fake emails

Carding Forum

Every day, attackers sent millions of realistic messages on behalf of well-known brands.

An unknown attacker abused a permissive relay configuration on Proofpoint's email servers to mass-send forged messages in the name of well-known companies such as Best Buy, IBM, Nike and Walt Disney.

According to researchers at Guardio Labs, the emails left Proofpoint's own servers, so they passed SPF and carried valid DKIM signatures for the impersonated domains. That let them clear the standard authentication checks (SPF, DKIM and therefore DMARC) and deceive recipients into handing over money and credit card data.

The campaign has been named EchoSpoofing. It began in January 2024 and ended only in June, when Proofpoint started active countermeasures. The attackers sent an average of three million emails a day, peaking at 14 million in a single day in early June.

The forgery left recipients almost no way to tell the messages from genuine mail. The attackers ran their own SMTP servers on virtual private servers (VPS) to inject the messages, but the messages gained SPF and DKIM validity for the impersonated domains only when they passed through the brand's Proofpoint relay, and that is what made them so convincing.

The emails were routed through Microsoft 365 tenants controlled by the attackers, then relayed through the Proofpoint infrastructure of Proofpoint's own customers, and finally delivered to users of free mail services such as Yahoo!, Gmail and GMX. This was possible because of a configuration weakness on Proofpoint's side, not a compromise of any customer's account or elevated access to any customer system.

The core problem was that a customer's Proofpoint relay could be set to accept mail from Microsoft 365 without naming which tenant(s) were allowed. Since Exchange Online delivers from shared infrastructure, any Microsoft 365 tenant could hand a message with the customer's domain in the From: header to that customer's relay, which would forward it, sign it with the customer's DKIM key and send it out from Proofpoint IP addresses listed in the customer's SPF record. The attackers therefore set up their own tenants, fed messages into the relays, and the output looked genuine to every receiving system.

The attackers used a cracked copy of PowerMTA for bulk sending, rotating through many VPS hosts and IP addresses to push out thousands of messages at a time. Microsoft 365 accepted the messages and handed them to the Proofpoint relay, which applied the impersonated brand's DKIM signature, making them even more convincing.

The scheme was built to make money while keeping exposure low: relaying through the brands' email vendor avoided breaking into the brands themselves, which would have been far more likely to be noticed. Proofpoint said the activity did not match any known threat actor or group, that no customer data was compromised, and that affected customers were given guidance on detecting the phishing messages.

To cut the volume of such abuse, Proofpoint is urging VPS providers to limit bulk outbound mail from their servers, and mail providers to restrict bulk sending and domain spoofing by new and unverified accounts.
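As an added illustration for this post, not code from the article, from Guardio or from Proofpoint: the Python below models the relay rule at the centre of the scheme (accept a customer's domain from any Microsoft 365 tenant, versus only from named tenants) and shows why a message that the relay forwards then passes DMARC at the receiving mailbox provider. The X-OriginatorOrg header, the per-customer tenant allowlist, the simplified alignment check and all domains and addresses are assumptions and constructed sample data, not details taken from this page.

```python
"""Added example: model of the EchoSpoofing relay rule and of the DMARC
outcome at the receiver.  Illustrative code written for this page, not
Proofpoint's, Guardio's or Microsoft's.

Assumptions (not stated in the article): Exchange Online marks outbound mail
with an X-OriginatorOrg header naming the sending tenant, and the corrected
relay rule checks that header against a per-customer allowlist.  All headers,
domains and addresses below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional


@dataclass(frozen=True)
class RelayPolicy:
    """One customer's outbound relay rule on the Proofpoint side (model)."""
    customer_domain: str
    # None models the pre-fix default: relay mail for customer_domain arriving
    # from any Microsoft 365 tenant.  A set models the corrected rule.
    allowed_tenants: Optional[frozenset[str]] = None


def sender_domain(msg: Message) -> str:
    """Domain of the RFC 5322 From: header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower()


def relay_decision(msg: Message, policy: RelayPolicy) -> str:
    """What the relay does with a message handed over by Microsoft 365:
    "relay+sign" (forward, DKIM-sign with the customer's key, send from the
    customer's Proofpoint IPs) or "reject"."""
    if sender_domain(msg) != policy.customer_domain:
        return "reject"                      # not this customer's domain
    if policy.allowed_tenants is None:
        return "relay+sign"                  # weak rule: any tenant will do
    tenant = msg.get("X-OriginatorOrg", "").strip().lower()
    return "relay+sign" if tenant in policy.allowed_tenants else "reject"


def dmarc_result(from_domain: str, spf: tuple[str, str], dkim: tuple[str, str]) -> str:
    """Simplified DMARC verdict: pass if SPF or DKIM passes AND its domain
    aligns with From:.  Alignment is modelled as exact match or subdomain;
    real evaluation compares organizational domains."""
    def aligned(d: str) -> bool:
        return d == from_domain or d.endswith("." + from_domain)
    spf_domain, spf_verdict = spf
    dkim_domain, dkim_verdict = dkim
    if spf_verdict == "pass" and aligned(spf_domain):
        return "pass"
    if dkim_verdict == "pass" and aligned(dkim_domain):
        return "pass"
    return "fail"


def receiver_verdict(msg: Message, policy: RelayPolicy) -> str:
    """End-to-end outcome at a receiving mailbox provider (model).  A relayed
    message arrives from an IP in the customer's SPF record carrying a DKIM
    signature for the customer's domain, so both checks are aligned passes;
    a rejected message never arrives."""
    if relay_decision(msg, policy) != "relay+sign":
        return "not delivered"
    d = sender_domain(msg)
    return dmarc_result(d, (d, "pass"), (d, "pass"))


# Constructed messages: both carry the brand's domain in From:, only the
# originating tenant differs, which is the single signal the fixed rule uses.
SPOOFED = message_from_string(
    "X-OriginatorOrg: attacker-tenant.onmicrosoft.example\n"
    "From: \"Brand Support\" <support@brand.example>\n"
    "To: victim@mailbox.example\n"
    "Subject: Action required on your order\n\n"
    "Please confirm your card details at the link below.\n"
)
LEGIT = message_from_string(
    "X-OriginatorOrg: brand.onmicrosoft.example\n"
    "From: \"Brand Support\" <support@brand.example>\n"
    "To: customer@mailbox.example\n"
    "Subject: Your receipt\n\n"
    "Thanks for your purchase.\n"
)

WEAK_POLICY = RelayPolicy("brand.example")
FIXED_POLICY = RelayPolicy("brand.example", frozenset({"brand.onmicrosoft.example"}))

if __name__ == "__main__":
    for name, policy in (("pre-fix", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        for label, m in (("spoofed", SPOOFED), ("legit", LEGIT)):
            print(f"{name:8} {label:8} relay={relay_decision(m, policy):11} "
                  f"receiver={receiver_verdict(m, policy)}")
```

Under the pre-fix policy the spoofed message is relayed and reaches the receiver as an aligned SPF and DKIM pass, so a DMARC policy on the brand's domain gives the receiver no reason to reject it; under the fixed policy the same message is dropped at the relay because its originating tenant is not on the allowlist, while the brand's own tenant still relays normally. The practical lesson for anyone operating a hosted relay is the same as the fix: the identity of the upstream tenant, not merely the From: domain, has to be part of the relay rule.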
