DO NOT open email from CPAA today

[jshepherd]

There is an email going out from CPAA that supposedly looks like it has a certificate attached. That attachment is a virus. Do NOT open it!

 

[Purranha]

Thank you for the warning Jeremy!

 

[Pearl Dreams]

Wow! Thank you for the warning. I'll post it on Pricescope also.

 

[jshepherd]

It looks like anyone who has communicated with BoPerry@cpaa.org is getting the email. A lot of people emailed him about their Pearls as One certificates and the email appears to have a certificate attached. It's not. It's a virus.

 

[Pearl Dreams]

I'll add that to my Pricescope thread.

 

[battah]

Yikes, thanks for the heads up! So many viruses and phishing emails going around these days. Gmail considerately sorted that message to my junk folder.

 

[ennui]

Thank you for the warning.

If only these people could use their intelligence for good instead of evil.

 

[Katbran]

Thank you for the warning !

 

[KAC]

any other info.... I opened an attachment from Bo today

 

[JerseyPearl]

Run your virus scan program and have it delete the offender.

I received the email, and thankfully, couldn't open the attachment!

 

[Lagoon Island Pearls]

There is an email going out from CPAA that supposedly looks like it has a certificate attached. That attachment is a virus. Do NOT open it!

Nearly 24 hours after this was posted, I received the email.

The warning is appreciated, but inadequate. Bo's been hacked. His and our personal information has been compromised. My personal information (home address) was displayed in the offending attachment.

What's worse, anyone that clicked on it has been hacked too, irrespective of whether it appears to run or not.

The email originated from a computer in Chile (lafetechocolat.com) likely an inadvertent go-between and hosted by a GoDaddy server (secureserver.net). I've done a cursory examination of the attachment with a Hex editor (so I can look at the headers and links, without actually running it)

The attachment contains an .xml file that does not install surreptitious software, instead scans the document folders and forwards personal files and contacts to email addresses which appear encrypted to avoid trace routing by average users.

Later today, I will run this on a virtual machine (a restore-able quarantine), so I can open it with a disassembler and examine the source code to determine precisely what it's doing.

To anyone that ran it, the damage is done. They have your info and any info you have on others. However, because the CPAA is registered organization, they have the burden of adequately warning anyone who may be compromised with a reasonable explanation how they allowed themselves to be hacked and follow up with a report of action taken.

Not impressed. I take exception to my personal information being unlawfully accessed. Likewise, it's not my job to fix people's negligence. Once I have examined the source code and determined it's purpose, will file a complaint with the Office of the Privacy Commissioner in Canada and submit a report to my lawyer of record.


Received: (qmail 8326 invoked by uid 30297); 22 Sep 2017 0713 -0000
Received: from unknown (HELO p3plibsmtp02-09.prod.phx3.secureserver.net) ([68.178.213.9])
(envelope-sender <icavieres@lafetechocolat.com>)
by p3plsmtp18-02-25.prod.phx3.secureserver.net (qmail-1.03) with SMTP
for <dave@lagoonislandpearls.ca>; 22 Sep 2017 0713 -0000
Received: from mail.lafetechocolat.cl ([190.196.209.115])
by p3plibsmtp02-09.prod.phx3.secureserver.net with bizsmtp
id CX2B1w0232VvxZq01X2CBy; Fri, 22 Sep 2017 0013 -0700
Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.lafetechocolat.cl (Postfix) with ESMTP id 807A143B551
for <dave@lagoonislandpearls.ca>; Fri, 22 Sep 2017 0438 -0300 (CLT)
Received: from mail.lafetechocolat.cl ([127.0.0.1])
by localhost (mail.lafetechocolat.cl [127.0.0.1]) (amavisd-new, port 10032)
with ESMTP id bV-ocbLmH38c for <dave@lagoonislandpearls.ca>;
Fri, 22 Sep 2017 0434 -0300 (CLT)
Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.lafetechocolat.cl (Postfix) with ESMTP id 2F7A843AE02
for <dave@lagoonislandpearls.ca>; Fri, 22 Sep 2017 0408 -0300 (CLT)
X-Virus-Scanned: amavisd-new at mail.lafetechocolat.cl
Received: from mail.lafetechocolat.cl ([127.0.0.1])
by localhost (mail.lafetechocolat.cl [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id uqZimmIxhSmW for <dave@lagoonislandpearls.ca>;
Fri, 22 Sep 2017 0407 -0300 (CLT)
Received: from localhost (unknown [65.40.118.4])
by mail.lafetechocolat.cl (Postfix) with ESMTPSA id 22DBC4305A4
for <dave@lagoonislandpearls.ca>; Fri, 22 Sep 2017 03:58:13 -0300 (CLT)
Date: Fri, 22 Sep 2017 06:53:40 +0000
To: dave@lagoonislandpearls.ca
From: Bo Perry <boperry@cpaa.org>
Subject: Re: The Final Exam
Message-ID: <ba5713868a2a09ad341dad88a4a45899@127.0.0.1>
X-Mailer: Outlook
In-Reply-To: <_____________________________@dave> // removed by me
References: <_____________________________@dave> // removed by me
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="b1_ba5713868a2a09ad341dad88a4a45899"
X-Nonspam: None

 

[CathyKeshi]

Thank you everyone for the alerts.

 

[jshepherd]

I have someone examining it now to see what exactly was attached. The offices of the CPAA are closed in Rhode Island this weekend for the Jewish holiday, but I was able to check the history on the CPAA website and see no suspicious login activity, so it appears related only to that one personal email address.

I'll post more as I learn more today.

 

[jshepherd]

The virus that the file contains is the HEUR trojan:
http://www.solvusoft.com/en/malware/trojans/heur-trojan-downloader-script-generic/

It gets downloaded onto your computer when the file is opened with Microsoft Word and macros are enabled.

Once the macros run, the virus tries to gain root access and can remotely download files.

These are the instructions on how to remove it:
https://malwaretips.com/blogs/heur-trojan-win32-generic-virus/

For those of us who use Google Docs instead of Word, or have a different version that won't open the file, we appear to be unaffected. So far, I've not heard of anyone being infected yet.

 

[Haylea23]

Thank you for the update Jeremy.

I received the email and opened it before I knew about it all.
I have done a quick scan and nothing appeared so might do a complete scan and see if it comes up with anything.

 

[jshepherd]

If you were unable to open the file, you should be fine. And nothing appears to be affected elsewhere, just one personal email account. It happens. It's unfortunate, but it happens every day.

 

[Ash]

Thank you for the warning and updates Jeremy.

 

[Pareltje]

Actually I responded to the email from Bo (I thought he really sent it to me) and I asked him to resend my certificate because I got one with a "herby". I wanted a certificate without a spelling mistake. Somebody I know also got her name incorrectly spelled.
And this "Bo" responded back by asking for my address.
Weird?
Unfortunately this warning came too late because I got the mail from Bo before noon CEST. And I'm not happy if this means that my privacy has been compromised.

 

[jshepherd]

Can you send me a copy of that email (jeremy@pearlparadise.com)? It sounds like you got an email from Bo, not the one with the trojan attached.

 

[jshepherd]

I did follow up on this as well, because it didn't make sense to me.

The warning is appreciated, but inadequate. Bo's been hacked. His and our personal information has been compromised. My personal information (home address) was displayed in the offending attachment.

This was the response I received from the person who did the examination of the file.

Without seeing the email he got, I’m not really sure what he is talking about either.

If they hacked Bo’s account and he had that person’s address saved in the account then they could have included it in the email (body) for some reason.

It wouldn’t be in the actual file though, the file uses obfuscated code, so it looks like this:

123 321 423 123
176 234 234 845
345 345 432 432

It is really unlikely that there would be an address in the file itself and if it was it would be really hard to decode.

Perhaps the attachment came as a response to an email you sent to Bo with your personal information, like a certificate request? This is an email account not the CPAA database, so I don't see how any other information could have been exposed.