Opencart Club Account Compromised?

Mods: my apologies if this is in the wrong subforum, didn't really know where else it should go. Feel free to move it if this isn't the right section.

Just received this email from "admin@opencartclub.net" and while I'm pretty sure this is just a phishing attempt, I'd like to be 100% sure before I ignore the email.

hi guys this is from opencartvn, opencartclub.net and opencartz

i have all your information including username and passwords


[LINK REMOVED DUE TO PROFANITY]
_________________

Sent to [don't dox me]@gmail.com

Unsubscribe:
[LINK REMOVED DUE TO PROFANITY]

Opencart Club, 3640 Wilshire Ave., Cincinnati, OH 45208, US

Marketing provided by:
ActiveCampaign (http://www.activecampaign.com)

Ignore it and Bin it.

I got the exact same thing... i dont even know what opencart club is!

I think it's worth changing all your passwords.. I got one too.

It looks to me like opencart forums DB has been hacked.. I could be wrong, but there is no other way they could know my email and username so appropriately targeted at Opencart.. Clearly something's gone on and we're not being told?

They are using a 3rd party to send the emails, report them here and get their account closed down: www.activecampaign.com/contact/?type=abuse

Also report it as phishing if you use gmail.

Very scary stuff, especially at this time of year, a hack of our ecommerce site would be disastrous.

Just out of interest, which web host do you all use ?

Just wandering if there is something in common

I host my own servers / domains... I also find it strange that they have my user and email from a site i never remember creating an account on.

I don't ever remember buying any of their extensions http://www.opencart.com/index.php?route ... encartclub

Very strange... i have reset my passwords... even tho they are always the ones generated by the forgot my password system...

I got 2x emails.

"hi guys this is from opencartvn, opencartclub.net and opencartz

i have all your information including username and passwords


http://opencartz.emsend3lnk.com/REMOVED
_________________

Sent to REMOVED

Unsubscribe:
REMOVED

Opencart Club, 3640 Wilshire Ave., Cincinnati, OH 45208, US

Marketing provided by:
ActiveCampaign (http://www.activecampaign.com)"

uksitebuilder wrote:Just out of interest, which web host do you all use ?

Just wandering if there is something in common

We had the same email (actually had 2 mails), and use Vidahost

This is the second email, subject line was FUXXXD (i'm sure you can work it out)

Registrant Name: Nguyen Thai Buu
Registrant Organization: Nguyen
Registrant Street: 2/3 Ly Thuong Kiet, Long Xuyen, An Giang
Registrant Street: 2/3 Ly Thuong Kiet, Long Xuyen, An Giang
Registrant City: ho-chi-minh
Registrant State/Province:
Registrant Postal Code: 08408
Registrant Country: Vietnam
Registrant Phone: +84.903902095
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: nguyenthaibuu@gmail.com
Registry Admin ID:
_________________

Sent to MY EMAIL REMOVED

Unsubscribe:
http://opencartz.emsend3lnk.com/proc.ph ... &act=unsub

Opencart Club, 3640 Wilshire Ave., Cincinnati, OH 45208, US

Marketing provided by:
ActiveCampaign (http://www.activecampaign.com)

If any of ya'll still have one of those mails floating around, can you "view original" and paste in the whole output? Often with domains not routing through gmail/yahoo/others you are able to see an originating IP. Sometimes if youre lucky it will be from either their main server IP or their home/cell ISP for location to city.

If it was sent through a marketing mailer SaaS style, often the mailer company is willing to shut down the redirect, effectively reducing sent-mail phishing liability. Seems as if its ActiveCampaign but ive seen those spoofed before, which is lol. Passing it off...they check, they arent even a customer.

Also if you use Gmail you can use the down arrow thinger in the right corner to report as phishing. If enough report, G scrubs off links so there is no click at all. Also re-writes image sources to prevent inject for others.

Finally if you really wanna mess with them, reply back with something like this:

Congrats you are the winner of our monthly email-in giveaway! To claim your $100 Visa Gift Card please verify your mailing address and phone with the form in the following link: https://example.com/verify.php?type=visa-100

Obviously the verify link would be a total trap, log as much as you can about the visit Since its a querystring, you can change it per email or whatever and bend it.

activecampaign responded after i reported it...

We are very sorry you received some spam, we have added your address to our global exclusion list. We have strict anti-spam policies and have investigated the sender in question and shut down their account permanently.

As requested here is the props...

Return-Path: bounce-114158-3-194-*****************************=*****************************@emsend3.com
Received: from emsend3.com ([67.228.34.57]) by ***************************** ; Thu, 4 Dec 2014 19:25:53 +0100
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dk; d=emsend3.com; h=To:From:Subject:Date:MIME-Version:Content-Type:Content-Transfer-Encoding:Sender:List-Unsubscribe:Message-ID; i=opencartz.activehosted.com@emsend3.com; bh=G3Q1MvuTfAbX5Gh4df2ICZE9Q1Q=; b=rGLKMdh12MZsr6vhVd5w7NW9LII1D3QGb93fOa53kD94+ywCsc8s1P+vtqO1HtQLT6tyDan6fS8D 3bi7vwz03AP/Pcsn8hORo8MZ50pIwQJd1obEqd41X6xgTCfTcbYB5QWAtCQF48SNY8M4ZX6uK3/l xBWeAufdgHQY42rL7so=
Received: by emsend3.com id hg2jjc18it4d for <*****************************>; Thu, 4 Dec 2014 11:56:58 -0600 (envelope-from <bounce-114158-3-194-*****************************=*****************************@emsend3.com>)
To: <*****************************>
From: "Opencart Club" <admin@opencartclub.net>
Subject: fucked
Date: Thu, 04 Dec 2014 11:52:53 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_=_swift-40087341154809f75cd9973.62776366_=_"
Content-Transfer-Encoding: 7bit
Sender: <opencartz.activehosted.com@emsend3.com>
X-Sender: <opencartz.activehosted.com@emsend3.com>
X-Report-Abuse: Please report abuse here: http://www.activecampaign.com/contact/?type=abuse
X-mid: aHVtcGFkaWxseUBodW1wYWRpbGx5LmNvbSAsIGMzICwgbTUgLCBzMw
List-Unsubscribe: <mailto:unsubscribe-3-7fabfa22ccac44cea2f8d1cac62785cb@opencartz.activehosted.com>, <http://opencartz.emsend3lnk.com/box.php ... ub2&luha=1>
Message-ID: <20141204175657.5439.794605678.swift@opencartz.activehosted.com>

Hah well thats good that they suspended the account Although the IP resolves through ActiveCampaign, looks like the username they used is opencartz which most likely is from Vietnam (surprise surprise). A handful of Viets have been actively trying to hax/phish OC owners for the last couple months and their pirated leaks are full of back doors.

Hmm i wonder if they have anything to do with this epic fail Facebook + OC + forum account phishing attempt? Its using Invision boards skinned to facebook.

It could also be an extension hes uploaded onto the extension store with a back door in.

viewtopic.php?f=192&t=158533

I have also just sent an email to a lawyer in Ho Chi Minh City to sue the owner of opencartvn. He facilitating piracy.

OpenCart club was the hackers sites! he was trying to collect peoples login details.