James says "Really now, do you want to do business with someone who talks like this?" Answer yes. He's a regular buyer that lives in Czechoslovakia. Not everyone has English as a primary language.
New Message Received Notification
You have received a new message in your inbox on HipStamp.
Message details:
Sender: igazepdwar1971
Title: Invalid order
Message:
Hello dear seller about week ago,I bought your stuff, but I still do not get this position in my account, although i have this transaction in my paypal account.
I contacted Hipstamp user support, they recommend me to contact you attached a screenshots of my PayPal and hipstamp accounts.
Here are screenshots in zip-archive:
[REDACTED]
Please help me understand about the situation.
Please [ click here ] to respond to this message (do not reply directly to this email - as it will not reach the other member).
Best regards
HipStamp
JUST STOPPED ATTEMPTED SCAN FROM JS.DOWNLOADER!GEN39 EMAIL STATES CONTACTED HIPSTAMP ABOUT MY ORDER THEY SUGGESTED I SEND YOU SCREEN SHOT COULD YOU LOOK AT THIS. FELL FOR IT BECAUSE IT LOOKED SO GENUINE LUCKILY NORTON ON THE JOB AND BLOCKED / REMOVED. BEWARE
I have received two of these emails as well. One from a heireunamen1976 and one from a forquibighast1982. Thought it looked a bit suspicious and didn't open it. Also deleted these messages from my email inbox and Trash folder.
sorry, but cannot resist writing on this.. surely when reading the following it was OBVIOUS it was fraud / spam / malicious etc etc. If it wasn't OBVIOUS then I suggest we start a chat column dedicated to help people learn about internet and spam / malicious emails etc etc etc
was this not a give away.... "about week ago,I bought your stuff, but I still do not get this position in my account"
"about a week ago"... alarm bells ringing.. even with fast local mail I would question this and the wording.. "about".. any real buyer would state the date
"I bought your stuff".. really??? even louder alarm bells.. stuff? what sort of word is that to describe stamps
and finally.. "still do not get this position into my account".. well apart from the awful phrase structure it is meaningless for a sale of some stamps. alarm bells are screaming at me now.. and I just laughed with my partner and deleted the email, (had also seen Mark's message waiting to be read so realised no need to forward to him) and continued drinking my morning tea.
and finally ... and seriously .. surely rule number one.. NEVER open an attachment you do not know about
I do hope no one got a virus because of this and while it seems like stating the obvious to me, who has been writing about do's and don'ts for many years, perhaps this is a wake up reminder and lesson to many new sellers and less technically aware sellers.
I got the same yesterday. I am afraid my attention was low at the time after a difficult and tiring week and I just clicked on the link to see what it was about. When you opened the files once they had downloaded, for a fraction of a second you could see a second window opening and closing, and if your eye was quick enough you could see a file name with a .js extension. So the harm is done for me as .js is a JavaScript. The only thing is that I don't know what this actually did.
I have now done the obvious thing and changed all my passwords, etc... but I do not know what and how much harm was done. What I would be interested to know is whether the HipStamp team has actually gone and looked into those files to see what they (particularly the java scripts) are actually doing. Is it just harvesting data such as passwords, credit cards, etc? Is it more harmful? Is the threat ongoing (i.e. The JavaScript runs once when downloaded, but is there a piece of java script left on the computer still running at the moment?). Also, does this affect Windows only, Apple Mac as well? Etc.... It would be nice if the HipStamp team could give us information about the actual threat so that effective measures can be taken to counter it.
Just for the record, I too received this scam email. Deleted it without opening the attachment. There is always someone out there who wants to take your money. Hopefully for those who did open the attachment, it won't be too serious and any fix will be easy for them.
What you say is true on windows computers, but it's different on Mac; I am not worried about a virus (ie an active content that would have been installed on the computer and running a particular process) as this is not possible on a mac in the way it is on windows, without my specific authorization (to run the process, if it's not from an authorized source, the Mac OS systematically prompts for an authorization to overrun the protection, which has not happened in this case) - What happened at the time of opening the files is that a java script was also downloaded and run. The Java Script is what worries me. What I need to know is what that script does and what it has done when it was opened.
We're not specialists in the anti-virus and anti-malware field, so we would not be able to determine what this specific file is trying to do. However, zip files which contain javascript (js) files sent through email is a common tactic. For example, here's an article on similar activity: https://isc.sans.edu/forums/diary/Malicious+spam+with+zip+attachments+containing+js+files/20153/
Mark thanks for letting us know so quickly and for your various follow ups. The message I received was from "Xpowmettepep 1981" re invalid order and mention of "hipstamp-support.com". No follow up on our part. Is the world getting more complicated or is it just my imagination!
The attack seems to have been directed at the 'Team Viewer' program on windows which, as its name suggests, allows others to play on your machine. It can be a useful program, but is also a common target for hackers who in this case were Russian. If you open up your Task Manager (control-shift-escape on Windows 8) and see a Team Viewer running, you might have an issue. As Mark suggested, run the free version of Malwarebytes and after that has swept your system, you could also do a 'system restore' with a way-point before yesterday's attack, and then run Malwarebytes again just as a safety.
Thank you for this information - This confirms what I felt about the threat being targeted at Windows rather than Mac. Being a Mac user for the last 4 years, I have never had an anti virus on my system (although I keep some add-ons on my web browser, such as traffic light, wot, etc... that detect malware on internet pages and are meant to protect against fake web sites, etc...) Anyway, because I had opened the files and seen this JS java script run, I was a little worried about what it had done, and after changing all my passwords, etc... I have paid for and installed Norton for Mac, and I have now run a full scan of my computer - 100s of thousands of files scanned - Well, after a whole night running it has found not a single threat or malware, or virus on my computer, not even the odd tracking cookie. This, after 4 years using the computer without any form of anti virus other than the natural Mac safety protections. This, to me, goes a long way confirming the impression that Macs are a lot safer than Windows - But I am not complacent and I know that the security risks are growing for Mac users, so I'll be even more careful in the future.
I got one of the malicious emails in question. I want to point out that you can not rely on poor spelling and grammar to alert you when these emails appear in your inbox. Spear phishing is becoming incredibly sophisticated, with malicious actors researching their targets by organization, affiliation, or online records, and then delivering very sophisticated and genuine looking emails. NEVER EVER click on a link or an attachment in such an email that you are not expecting or do not KNOW is genuine. The first thing in this case would have been to go to your sales history, via direct login to HipStamp, to see if you did indeed have such a sale to such an identity.
The real danger of course is that when you download an attachment or click on a link, you immediately compromise your machine with any number of possible forms of malware, up to and including root kits that basically take over and own your machine, and all your data on your machine is compromised, or encrypted and held for ransom, one of my favorites. Well, not really.
The last ten years of my professional career in computing tech was spent trying to get the members in the larger organization I supported to listen to my advice on such emails, and educate them. It has gotten so bad now (I am retired, but recently spent two hours touring and getting an update from my successor who took over six years ago), that the organization now sends such targeted spear phishing themselves to staff, to see who will fall for them, and educate them when they do. The embarrassment factor alone makes me wish I were still there to watch those who fall for the emails react when informed of what they have done.
By the way, KUDOS to Mark and HipStamp staff who were fast and on top of this. I bow to their professionalism and immediacy.
I checked my computer after I received the message and attempted to view what appeared to be a "zipped" jpeg file. Malwarebytes identified a file called Ransom.Cerber on my computer and I got rid of it. It appears that someone is attempting to hack into Teamviewer to see what is on our computer. I removed the malware and got rid of Teamviewer on my computer but when I reboot, a Teamviewer install pops up in what possibly appears to be a Russian language version. My advice if you opened the emailed zip file is to make sure you remove Teamviewer and any reference to it on your computer. Malwarebytes has a free version that works fine when this type of problem occurs. Not sure if this is a long term remedy but it appears that none of my personal stuff has been hacked.
I would suggest opening up your Task Manager to see if a program similarly named to Team Viewer is still running. If so, I would end it and then do a System Restore to a point prior to the attack. This should eliminate the Russian "Team Viewer" and its pop-ups while at the same time restoring your original (and correct) Team Viewer.
Comments
Received this email at 5.08 am in NZ !!
Just a quick update:
- Any of the original messages on HipStamp have since been removed (although obviously we can not remove the original email copies any Seller may have received).
- We have sent out an email to all Sellers notifying them of the information we previously posted in this thread.
- We have now taken a series of additional steps to prevent similar behavior from malicious individuals in the future.
Have a safe internet weekend
Michael cddstamps
In general, downloading a zip file itself would not cause any issues - nor opening the zip file. However, executing and running a javascript file (generally on a windows machine - not mac) could be potentially dangerous. If you have an anti-virus system in place, that should help to prevent malicious activity. However, if you have opened the zip file, and executed the javascript file, you may want to consider running a free anti-malware tool to check your computer.
Here's an article which explains how to do this:
http://www.pcworld.com/article/243818/security/how-to-remove-malware-from-your-windows-pc.html
In the past, I've personally used the free version of Malwarebytes, and would recommend it, which you can download (the Personal Free version) here:
https://www.malwarebytes.com/mwb-download/
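Added example, not part of the original thread and not HipStamp's own tooling: one way to check a zip attachment for the pattern described above (a script file inside the archive) by reading only the archive's directory, without extracting or running anything. The extension lists, the function names and the sample file name "paypal_screenshot.jpg.js" are assumptions made for illustration; the thread does not give the real attachment's file names.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows hands to a script host or runs directly on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
               ".bat", ".cmd", ".scr", ".exe", ".lnk"}
# Extensions a lure may pretend to be (the email promised "screenshots").
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx"}

def triage_zip(data: bytes) -> list[dict]:
    """List risky members of a zip by reading its directory only.

    Nothing is extracted or executed; only member names and sizes are read.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Windows drops trailing dots and spaces, so compare without them.
            name = info.filename.rstrip(". ")
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
                continue
            findings.append({
                "member": info.filename,
                "type": suffixes[-1],
                # e.g. "photo.jpg.js": looks like an image if extensions are hidden
                "disguised": len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS,
                "size": info.file_size,
            })
    return findings

def verdict(data: bytes) -> str:
    """Return 'quarantine' if any script or executable member is present."""
    try:
        return "quarantine" if triage_zip(data) else "pass"
    except zipfile.BadZipFile:
        return "quarantine"  # unreadable archive: fail closed

def build_sample(members: dict) -> bytes:
    """Constructed sample input: an in-memory zip with harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    lure = build_sample({"paypal_screenshot.jpg.js": "// placeholder",
                         "notes.txt": "placeholder"})
    for finding in triage_zip(lure):
        print(finding)
    print(verdict(lure))
```

A mail gateway or a cautious seller could apply the same rule: a zip whose listing contains a script or executable member is held back regardless of how genuine the message text looks.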
Thanks!