
Moof1904

macrumors 65816
Original poster
May 20, 2004
1,053
87
Here's the story:

I logged into my web hosting company and saw that two new email accounts had been added to my domain. "paypal@domain.com" and "support@domain.com" had been added by someone other than me.

About the same time, I received notification from my web hosting company that they were deactivating my email accounts because I was sending more than their 800 emails per hour limit. It was obvious that these new accounts were being used to perpetrate a paypal phishing expedition.

After deleting these accounts, changing all of my web hosting passwords, and straightening things out with my hosting company, I'm now trying to figure out how someone hacked into my web hosting account and added these two new email addresses. Did they do it from my (the account holder) side or did they hack in from the hosting side? Did someone slip a key logger onto my Mac or did they sniff my wireless connection while I was traveling recently and connected via my hotel's (almost certainly) 802.11b connection?

I installed ClamXav, the open source virus scanner, and "Little Snitch" (a tool to monitor communication from an application to a point outside the computer). Thus far, Little Snitch has found nothing unexpected trying to communicate out (like a key logger or something), but ClamXav found some stuff:

/Users/xxx/Library/Mail/Mailboxes/Import/Archived 2004/In Archived 2004_0430.mbox/mbox: HTML.Phishing.Bank-121 FOUND
/Users/xxx/Library/Mail/Mailboxes/Import/Archived 2004/In Archived 2004_0430.mbox/Messages/6056.emlx: HTML.Phishing.Bank-121 FOUND
/Users/xxx/Library/Mail/Mailboxes/In Archived 2005_1231.mbox/Messages/26933.emlx: Worm.Sober.U-3 FOUND
/Users/xxx/Library/Mail/POP-xxx.com/INBOX.mbox/Messages/39294.emlx: HTML.Phishing.Pay-201 FOUND
/Users/xxx/Library/Mail/POP-xxx.com/Sent Messages.mbox/Messages/30745.emlx: HTML.Phishing.Bank-573 FOUND
/Users/xxx/Library/Mail/POP-xxx.com/Sent Messages.mbox/Messages/30747.emlx: HTML.Phishing.Bank-573 FOUND

I recognize Worm.Sober.U as an old Windows virus that probably was emailed to me in some spam a while back. I'm not clear on what the "Phishing" files are that ClamXav found. Obviously, I know what phishing is, but I wasn't aware that such activity was normally associated with a recognizable file type. I thought phishing was merely perpetrated by a bogus link in an email or on a web page. What is this that ClamXav found? And the bigger issue is, how was my web hosting account accessed, with its very non-obvious password and user name?
 

Anonymous Freak

macrumors 603
Dec 12, 2002
5,561
1,252
Cascadia
'Phishing' is what you call it when you get an email that pretends to be from a bank/PayPal/etc claiming that you need to enter your information again to prove you're okay. The message includes a link, that when you click on it, appears to be a legitimate page for the bank/PayPal/etc that asks for MUCH MORE information than should really be required (such as a bank asking for your Debit Card number, PIN, verification number, social security number, etc.)

ClamAV is finding these messages. They are not viruses, they are scam attempts.

Double check your web host folder to make sure you don't have extra files hiding anywhere. It sounds like your domain was hacked, and is being used as the host for these fake bank web sites. Delete any .htm/.html pages you don't recognize. (I would actually suggest completely erasing every file on your host, and re-uploading your web site, just to be safe.)
 
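To make the reply above concrete: ClamAV's HTML.Phishing.* names are signatures for known scam message bodies, and besides those signatures ClamAV's phishing module has a heuristic that compares the URL a link displays with the URL it actually points to. The script below is an added example written for this thread, not ClamXav or ClamAV code. It re-implements two such heuristics over Apple Mail .emlx files (a decimal byte count on line one, the raw message, then a plist of flags): anchor text that shows one host while the href goes somewhere else, and a form that posts to a host other than the sender's domain. Both sample messages are constructed for the demo; the IP address and the `make_emlx`/`parse_emlx`/`phishing_indicators`/`scan_mail_dir` names are the example's own.

```python
import email
import os
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# A hostname-looking token inside visible link text (scheme optional).
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and <form action> targets."""

    def __init__(self):
        super().__init__()
        self.links = []   # [href, visible text], text filled in as data arrives
        self.forms = []   # form action URLs
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._cur = [a["href"], ""]
            self.links.append(self._cur)
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])

    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._cur = None


def make_emlx(message: bytes) -> bytes:
    """Wrap a raw RFC 822 message in Mail.app's .emlx framing (used for the demo)."""
    plist = b'<?xml version="1.0"?><plist version="1.0"><dict/></plist>\n'
    return b"%d\n%s%s" % (len(message), message, plist)


def parse_emlx(raw: bytes):
    """Strip the byte-count line and trailing plist, return the parsed message."""
    count_line, _, rest = raw.partition(b"\n")
    return email.message_from_bytes(rest[: int(count_line.strip())], policy=policy.default)


def _same_site(host: str, expected: str) -> bool:
    return host == expected or host.endswith("." + expected)


def phishing_indicators(msg) -> list:
    """Return human-readable findings for one message (empty list = nothing odd)."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    p = _LinkCollector()
    p.feed(body.get_content())
    # 1. Link text that shows one site while the href points somewhere else.
    for href, text in p.links:
        real = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(text)
        if real and shown and not _same_site(real, shown.group(1).lower()):
            findings.append(f"link text shows {shown.group(1).lower()} but href goes to {real}")
    # 2. A form that sends its fields to a host other than the sender's domain.
    sender_host = str(msg.get("From", "")).rsplit("@", 1)[-1].rstrip("> ").lower()
    for action in p.forms:
        target = (urlparse(action).hostname or "").lower()
        if target and sender_host and not _same_site(target, sender_host):
            findings.append(f"form posts to {target}, sender domain is {sender_host}")
    return findings


def scan_mail_dir(root: str) -> dict:
    """Walk a Mail directory (e.g. ~/Library/Mail) and map flagged .emlx paths to findings."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".emlx"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    found = phishing_indicators(parse_emlx(f.read()))
                if found:
                    hits[path] = found
    return hits


# Constructed sample: a PayPal-themed lure; 203.0.113.7 is a documentation address.
SAMPLE_PHISH = make_emlx(b"""From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your account access has been limited
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please confirm your details at
<a href="http://203.0.113.7/paypal/login.htm">https://www.paypal.com/cgi-bin/webscr</a></p>
<form action="http://203.0.113.7/paypal/collect.php" method="post">
<input name="card"><input name="pin"><input type="submit"></form>
</body></html>
""")

# Constructed sample: the displayed and real link agree, no form.
SAMPLE_CLEAN = make_emlx(b"""From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Receipt for your payment
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>View this transaction at
<a href="https://www.paypal.com/activity">https://www.paypal.com/activity</a></p></body></html>
""")
```

Run `scan_mail_dir` against a copy of the Mail folder to get a list like the one ClamXav produced; a hit on an old archived message means the lure was stored, not that it ran, which is the point of the reply above.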

Moof1904

macrumors 65816
Original poster
May 20, 2004
1,053
87
I've scoured my hosting account and web pages and such and changed all my login info. My confusion is because I didn't realize that there was something sufficiently unique to phishing emails that would make it possible for a virus detection tool to recognize them from among the other, generic emails I had received.

That and, of course, wondering how they hacked my web hosting account in the first place.
 
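"Scouring" a hosting account by eye misses files dropped into nested or dot-named directories, which is where a phishing kit like the PayPal lure hosted from this domain would usually sit. The script below is an added example, not code from anyone in this thread: it hashes a known-good local copy of the site and a fresh download of what is on the host now, reports what was added, removed or changed, and ranks web-servable files with phishing-kit style names first. The directory layout, file contents and `SUSPECT_TOKENS` list are constructed for the demo, and `manifest`/`diff_manifests`/`triage`/`demo` are the example's own names.

```python
import hashlib
import os
import tempfile

# Name fragments common in phishing kits dropped on compromised hosts.
# Constructed for this example; drop any token your own site legitimately uses.
SUSPECT_TOKENS = ("paypal", "bank", "signin", "login", "verify", "webscr")
WEB_EXTS = (".htm", ".html", ".php", ".cgi")


def manifest(root: str) -> dict:
    """Map every file under root (relative path, '/' separators) to its SHA-256 hex digest."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return out


def diff_manifests(clean: dict, live: dict) -> dict:
    """Compare the last known-good upload against what the host serves now."""
    return {
        "added": sorted(set(live) - set(clean)),
        "removed": sorted(set(clean) - set(live)),
        "changed": sorted(p for p in clean.keys() & live.keys() if clean[p] != live[p]),
    }


def triage(report: dict) -> list:
    """Pull out unexpected web-servable files whose path looks like a phishing kit."""
    hot = []
    for path in report["added"] + report["changed"]:
        low = path.lower()
        if low.endswith(WEB_EXTS) and any(t in low for t in SUSPECT_TOKENS):
            hot.append(path)
    return hot


def _write_tree(root: str, files: dict) -> None:
    """Materialise a {relative path: bytes} mapping under root (demo helper)."""
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)


def demo() -> dict:
    """Build a constructed clean copy and a tampered live copy, diff them, triage the result."""
    clean_files = {
        "index.html": b"<h1>My site</h1>",
        "css/style.css": b"body{}",
        "contact.html": b"<p>mail me</p>",
    }
    live_files = dict(clean_files)
    live_files["contact.html"] = b"<p>mail me</p><iframe src=...></iframe>"        # defaced page
    live_files["images/.cache/paypal/webscr.htm"] = b"<form>card, pin</form>"       # dropped kit
    live_files["images/.cache/paypal/collect.php"] = b"<?php mail(...); ?>"         # its collector
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        _write_tree(clean, clean_files)
        _write_tree(live, live_files)
        report = diff_manifests(manifest(clean), manifest(live))
    report["triage"] = triage(report)
    return report
```

In practice, fetch the live tree over SFTP/FTP into one directory and point `manifest` at it and at your local copy. If the host gives shell access, `find /path/to/htdocs -type f -mtime -30` is a quick first pass that lists files modified in the last 30 days, but the hash diff catches a kit whose timestamps were set back.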