Email hacked and viruses found. Connection?

Discussion in 'Mac Basics and Help' started by Moof1904, Aug 25, 2006.

  1. Moof1904 macrumors 65816

    May 20, 2004
    Here's the story:

    I logged into my web hosting company and saw that two new email accounts had been added to my domain. "" and "" had been added by someone other than me.

    About the same time, I received notification from my web hosting company that they were deactivating my email accounts because I was sending more than their 800 emails per hour limit. It was obvious that these new accounts were being used to perpetrate a paypal phishing expedition.

    After deleting these acounts, changing all of my web hosting passwords, and straightening things out with my hosting company, I'm now trying to figure out how someone hacked into my web hosting account and added these two new email addresses. Did they do it from my (the account holder) side or did they hack in from the hosting side. Did someone slip a key logger onto my Mac or did they sniff my wireless connection while I was traveling recently and connected via my hotel's (almost certainly) 802.11b connection?

    I installed ClamXav, the open source virus scanner, and "Little Snitch" (a tool to monitor communication from an application to a point outside the computer.) Thus far, Little Snitch has found nothing unexpected trying to communicate out (like a key logger or something), but ClamAav found some stuff:

    /Users/xxx/Library/Mail/Mailboxes/Import/Archived 2004/In Archived 2004_0430.mbox/mbox: HTML.Phishing.Bank-121 FOUND
    /Users/xxx/Library/Mail/Mailboxes/Import/Archived 2004/In Archived 2004_0430.mbox/Messages/6056.emlx: HTML.Phishing.Bank-121 FOUND
    /Users/xxx/Library/Mail/Mailboxes/In Archived 2005_1231.mbox/Messages/26933.emlx: Worm.Sober.U-3 FOUND
    /Users/xxx/Library/Mail/ HTML.Phishing.Pay-201 FOUND
    /Users/xxx/Library/Mail/ Messages.mbox/Messages/30745.emlx: HTML.Phishing.Bank-573 FOUND
    /Users/xxx/Library/Mail/ Messages.mbox/Messages/30747.emlx: HTML.Phishing.Bank-573 FOUND

    I recognize Worm.Sober.U as an old Windows virus that probably was emailed to me in some spam a while back. I'm not clear on what the "Phishing" files are that ClamXav found. Obviously, I know what phishing is, but I wasn't aware that such activity was normally associated with a recognizable file type. I thought phishing was merely perpetrated by a bogus link in an email or on a web page. What is this that ClamXav found? And the bigger issue is, how was my web hosting account accessed, with it's very non-obvious password and user name?
  2. Anonymous Freak macrumors 601

    Anonymous Freak

    Dec 12, 2002
    'Phishing' is what you call it when you get an email that pretends to be from a bank/PayPal/etc claiming that you need to enter your information again to prove you're okay. The message includes a link, that when you click on it, appears to be a legitimate page for the bank/PayPal/etc that asks for MUCH MORE information than should really be required (such as a bank asking for your Debit Card number, PIN, verification number, social security number, etc.)

    ClamAV is finding these messages. They are not viruses, they are scam attempts.

    Double check your web host folder to make sure you don't have extra files hiding anywhere. It sounds like your domain was hacked, and is being used as the host for these fake bank web sites. Delete any .htm/.html pages you don't recognize. (I would actually suggest completely erasing every file on your host, and re-uploading your web site, just to be safe.)
  3. Moof1904 thread starter macrumors 65816

    May 20, 2004
    I've scoured my hosting account and web pages and such and changed all my login info. My confusion is because I didn't realize that there was something sufficiently unique to phishing emails that would make it possible for a virus detection tool to recognize them from among the other, generic emails I had received.

    That and, of course, wondering how they hacked my web hosting account in the first place.

Share This Page