Post by The Stig » Fri Dec 05, 2014 2:16 am

Mods: my apologies if this is in the wrong subforum, didn't really know where else it should go. Feel free to move it if this isn't the right section.

Just received this email from "admin@opencartclub.net" and while I'm pretty sure this is just a phishing attempt, I'd like to be 100% sure before I ignore the email.
hi guys this is from opencartvn, opencartclub.net and opencartz

i have all your information including username and passwords


[LINK REMOVED DUE TO PROFANITY]
_________________

Sent to [don't dox me]@gmail.com

Unsubscribe:
[LINK REMOVED DUE TO PROFANITY]

Opencart Club, 3640 Wilshire Ave., Cincinnati, OH 45208, US

Marketing provided by:
ActiveCampaign (http://www.activecampaign.com)

Post by uksitebuilder » Fri Dec 05, 2014 2:19 am

Ignore it and Bin it.

Post by humpadilly » Fri Dec 05, 2014 3:06 am

I got the exact same thing... I don't even know what opencart club is!

Post by Chuckun » Fri Dec 05, 2014 3:38 am

I think it's worth changing all your passwords.. I got one too.

It looks to me like opencart forums DB has been hacked.. I could be wrong, but there is no other way they could know my email and username so appropriately targeted at Opencart.. Clearly something's gone on and we're not being told?

Post by gboydnz » Fri Dec 05, 2014 4:40 am

They are using a 3rd party to send the emails, report them here and get their account closed down: www.activecampaign.com/contact/?type=abuse

Also report it as phishing if you use gmail.

Very scary stuff, especially at this time of year, a hack of our ecommerce site would be disastrous.

Post by uksitebuilder » Fri Dec 05, 2014 5:51 am

Just out of interest, which web host do you all use ?

Just wondering if there is something in common

Post by humpadilly » Fri Dec 05, 2014 6:18 am

I host my own servers / domains... I also find it strange that they have my user and email from a site I never remember creating an account on.

I don't ever remember buying any of their extensions http://www.opencart.com/index.php?route ... encartclub

Very strange... I have reset my passwords... even though they are always the ones generated by the forgot my password system...

Post by ecommercesussexltd » Fri Dec 05, 2014 7:04 am

I got 2x emails.

"hi guys this is from opencartvn, opencartclub.net and opencartz

i have all your information including username and passwords


http://opencartz.emsend3lnk.com/REMOVED
_________________

Sent to REMOVED

Unsubscribe:
REMOVED

Opencart Club, 3640 Wilshire Ave., Cincinnati, OH 45208, US

Marketing provided by:
ActiveCampaign (http://www.activecampaign.com)"


Post by sytra » Fri Dec 05, 2014 7:24 am

uksitebuilder wrote: "Just out of interest, which web host do you all use ?

Just wondering if there is something in common"

We had the same email (actually had 2 mails), and use Vidahost

This is the second email, subject line was FUXXXD (I'm sure you can work it out)

Registrant Name: Nguyen Thai Buu
Registrant Organization: Nguyen
Registrant Street: 2/3 Ly Thuong Kiet, Long Xuyen, An Giang
Registrant Street: 2/3 Ly Thuong Kiet, Long Xuyen, An Giang
Registrant City: ho-chi-minh
Registrant State/Province:
Registrant Postal Code: 08408
Registrant Country: Vietnam
Registrant Phone: +84.903902095
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: nguyenthaibuu@gmail.com
Registry Admin ID:
_________________

Sent to MY EMAIL REMOVED

Unsubscribe:
http://opencartz.emsend3lnk.com/proc.ph ... &act=unsub

Opencart Club, 3640 Wilshire Ave., Cincinnati, OH 45208, US

Marketing provided by:
ActiveCampaign (http://www.activecampaign.com)

Running OC 1.5.5.1 with vqmods.
http://www.aislings.co.uk
http://www.lovers-paradise-toys.co.uk


Post by Dhaupin » Fri Dec 05, 2014 8:36 am

If any of y'all still have one of those mails floating around, can you "view original" and paste in the whole output? Often with domains not routing through gmail/yahoo/others you are able to see an originating IP. Sometimes if you're lucky it will be from either their main server IP or their home/cell ISP for location to city.

If it was sent through a marketing mailer SaaS style, often the mailer company is willing to shut down the redirect, effectively reducing sent-mail phishing liability. Seems as if it's ActiveCampaign but I've seen those spoofed before, which is lol. Passing it off...they check, they aren't even a customer.

Also if you use Gmail you can use the down arrow thinger in the right corner to report as phishing. If enough report, G scrubs off links so there is no click at all. Also re-writes image sources to prevent inject for others.

Finally if you really wanna mess with them, reply back with something like this:

Congrats you are the winner of our monthly email-in giveaway! To claim your $100 Visa Gift Card please verify your mailing address and phone with the form in the following link: https://example.com/verify.php?type=visa-100

Obviously the verify link would be a total trap, log as much as you can about the visit :) Since it's a querystring, you can change it per email or whatever and bend it.

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.


Post by humpadilly » Fri Dec 05, 2014 3:58 pm

ActiveCampaign responded after I reported it...

We are very sorry you received some spam, we have added your address to our global exclusion list. We have strict anti-spam policies and have investigated the sender in question and shut down their account permanently.

As requested here is the props...

Return-Path: bounce-114158-3-194-*****************************=*****************************@emsend3.com
Received: from emsend3.com ([67.228.34.57]) by ***************************** ; Thu, 4 Dec 2014 19:25:53 +0100
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dk; d=emsend3.com; h=To:From:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:Sender:List-Unsubscribe:Message-ID; i=opencartz.activehosted.com@emsend3.com; bh=G3Q1MvuTfAbX5Gh4df2ICZE9Q1Q=; b=rGLKMdh12MZsr6vhVd5w7NW9LII1D3QGb93fOa53kD94+ywCsc8s1P+vtqO1HtQLT6tyDan6fS8D 3bi7vwz03AP/Pcsn8hORo8MZ50pIwQJd1obEqd41X6xgTCfTcbYB5QWAtCQF48SNY8M4ZX6uK3/l xBWeAufdgHQY42rL7so=
Received: by emsend3.com id hg2jjc18it4d for <*****************************>; Thu, 4 Dec 2014 11:56:58 -0600 (envelope-from <bounce-114158-3-194-*****************************=*****************************@emsend3.com>)
To: <*****************************>
From: "Opencart Club" <admin@opencartclub.net>
Subject: fucked
Date: Thu, 04 Dec 2014 11:52:53 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_=_swift-40087341154809f75cd9973.62776366_=_"
Content-Transfer-Encoding: 7bit
Sender: <opencartz.activehosted.com@emsend3.com>
X-Sender: <opencartz.activehosted.com@emsend3.com>
X-Report-Abuse: Please report abuse here: http://www.activecampaign.com/contact/?type=abuse
X-mid: aHVtcGFkaWxseUBodW1wYWRpbGx5LmNvbSAsIGMzICwgbTUgLCBzMw
List-Unsubscribe: <mailto:unsubscribe-3-7fabfa22ccac44cea2f8d1cac62785cb@opencartz.activehosted.com>, <http://opencartz.emsend3lnk.com/box.php ... ub2&luha=1>
Message-ID: <20141204175657.5439.794605678.swift@opencartz.activehosted.com>
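
The header check discussed in this thread, as an added example that is not part of any poster's message: it reads an abridged copy of the headers posted above and reports the relay IP, the visible From domain, the DKIM signing domain and the abuse contact. The recipient placeholders (user@example.org, mx.example.org), the shortened DKIM fields and the function names are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged from the headers posted above. Constructed placeholders:
# user@example.org / mx.example.org stand in for the redacted recipient,
# and the long DKIM bh=/b= values are replaced with "placeholder".
RAW = """\
Return-Path: bounce-114158-3-194-user=example.org@emsend3.com
Received: from emsend3.com ([67.228.34.57]) by mx.example.org ; Thu, 4 Dec 2014 19:25:53 +0100
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dk; d=emsend3.com; h=To:From:Subject; bh=placeholder; b=placeholder
Received: by emsend3.com id hg2jjc18it4d for <user@example.org>; Thu, 4 Dec 2014 11:56:58 -0600
From: "Opencart Club" <admin@opencartclub.net>
Sender: <opencartz.activehosted.com@emsend3.com>
X-Report-Abuse: Please report abuse here: http://www.activecampaign.com/contact/?type=abuse

"""

def domain(value):
    """Domain part of the address in a header value ('' if none)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    # Bracketed IPs in Received lines; the topmost line was added by the
    # recipient's own server and is the only one it vouches for.
    relay_ips = [ip for line in msg.get_all("Received", [])
                 for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)]
    # DKIM-Signature is a ';'-separated tag=value list; d= is the signer.
    tags = dict(t.strip().split("=", 1)
                for t in (msg["DKIM-Signature"] or "").split(";") if "=" in t)
    from_dom, signer = domain(msg["From"]), tags.get("d", "").lower()
    abuse = re.search(r"https?://\S+", msg["X-Report-Abuse"] or "")
    return {
        "relay_ips": relay_ips,
        "from_domain": from_dom,
        "return_path_domain": domain(msg["Return-Path"]),
        "dkim_domain": signer,
        # Simplified alignment test (exact or subdomain match); real DMARC
        # compares organizational domains.
        "dkim_aligned": bool(signer) and (
            from_dom == signer or from_dom.endswith("." + signer)),
        "abuse_url": abuse.group(0) if abuse else None,
    }

if __name__ == "__main__":
    for key, value in analyze(RAW).items():
        print(f"{key}: {value}")
```

The DKIM signature here belongs to emsend3.com rather than opencartclub.net, so it identifies the mailing service that sent the message and says nothing about who controls the From address.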

Post by Dhaupin » Fri Dec 05, 2014 11:23 pm

Hah well that's good that they suspended the account :) Although the IP resolves through ActiveCampaign, looks like the username they used is opencartz which most likely is from Vietnam (surprise surprise). A handful of Viets have been actively trying to hax/phish OC owners for the last couple months and their pirated leaks are full of back doors.

Hmm I wonder if they have anything to do with this epic fail Facebook + OC + forum account phishing attempt? It's using Invision boards skinned to facebook.

Attachment: opencartz-lol.JPG (caption: "So pro")


Post by Daniel » Sun Feb 21, 2016 5:39 pm

It could also be an extension he's uploaded onto the extension store with a back door in.

viewtopic.php?f=192&t=158533

I have also just sent an email to a lawyer in Ho Chi Minh City to sue the owner of opencartvn. He is facilitating piracy.

OpenCart®
Project Owner & Developer.
OpenCart commercial support now available!


Post by Daniel » Sun Feb 21, 2016 7:26 pm

OpenCart club was the hacker's site! He was trying to collect people's login details.

Post by Daniel » Sun Feb 21, 2016 7:27 pm

