[sillysaurusx]

Hmm. So I don't know if this means anything, but I was googling for the IP address and wound up at https://ipinfo.io/160.116.88.235 which says hostname: visit.keznews.com. When you go to that hostname, it's one of the best phishing sites I've ever seen. They dynamically inserted my ISP's logo (Spectrum) and tried to do a phishing attempt:

https://i.imgur.com/C9HQw1c.png

The full non-clickable URL:

  https://us.poonstate.click/us/i/spectrum/?track=u.pslnk.link&key=eyJ0aW1lc3RhbXAiOiIxNjQwNjM4NTIyIiwiaGFzaCI6IjNiZjRkYTg5MTA5MzMzNmU5NjRmMjZiNDY1NWUyN2UwMjk3NzI0OTYifQ%3D%3D&tsid=7ae4766b-0de5-4865-9f1b-025a45c71c3f&bemobdata=c%3D314f53db-f844-46ea-99f8-f277456639d3..l%3Df57d9a37-1c67-4958-ac52-6f4854ce6840..a%3D2..b%3D1..z%3D0.0016..e%3Dzr4b7f4393675711ecb78f122b3efc6f65f31163358f914cea90c49d2c8cc35b7b0612682b8c773fbcf1..c1%3Dwhiskey-oar-eAcMKVvZ..c2%3Dgriseous-trout..c4%3DDOMAIN..c6%3DNON-ADULT..c8%3D1655308..c9%3Dfbb8c5b0-5140-11ec-a217-0aea8b85a94f..c10%3D0#

I went through and answered the "questions", and it tried to take me to the actual phishing site:

https://i.imgur.com/wYt5WB3.png

https://i.imgur.com/Picaw4a.png

Screenshots of the actual phishing site

https://i.imgur.com/Bh5c2lZ.png

https://i.imgur.com/q7xnSki.png

https://i.imgur.com/GX4hWnQ.png

And its url (non-clickable):

  https://welcome.myonlineeconomy.com/us/238700/25/?pubid=aff-us&pob=3&click_id=61ca28bcf92ca000011aa4c0&subid=RT-60338e1b79fcbe00012195a3-168&utm_medium=mail&utm_term=ipadpro&terms=y&email=&fname=&lname=&fp=&address=&city=&zip=&state=&lpkeyua=a17666fa4eadface9331c0311b1e8875.1640638952

Now, the interesting part is that this phishing attempt only happened once. When I tried to visit again just now, it just says "something went wrong" (on the first site) and "Access denied" (on the second site).

I saved the sites to disk as I went, but I doubt these dumps will tell you much. Just in case though:

1. https://gist.github.com/shawwn/4deace812e7c752949a0df096ef66...

2. https://gist.github.com/shawwn/721f235e760dd2257cd760edb1188...

Long story short: It sounds like all of you got phished. I suspect you installed a malicious app that somehow targeted your web browser's LastPass extension, modifying it to send your master password to these fine people. ¯\_(ツ)_/¯

[gregsadetsky]

Hey,

That's quite possible, for sure. I am not beyond/above/below being phished like anyone else, ha!

The issue -- what makes it perplexing -- is that I haven't used this LastPass password since 2017. I know because this LastPass account was only used to share passwords within an org that I left back then.

Is it possible that I was phished 4 years ago, and they sat on the password? Sure.

But 2 other people in this thread being phished from the same exact same phishing server/group?

Or we were separately phished using different techniques, and now one Brazil server attempted to use all of our logins?

That's what's rather strange.

[trevcanhuman]

Hey guys I think that maybe this has to do with an exploit in the web browser LastPass extension about 5 years ago: HN POST: [0].

[0] https://news.ycombinator.com/item?id=12171547

[gregsadetsky]

Yeah, that's not impossible. Surprising that they sat on the passwords for so long, but this is quite possible. Thanks for the reference/link!

[Nexxxeh]

You don't necessarily know they sat on it. You only just got a notification of the failed login now.

That doesn't mean they didn't try stuffing it elsewhere previously, or have login attempts you weren't notified of.

Nor do you know if the entity responsible for the failed login is the one who originally captured the credentials.

If you'll forgive the wild speculation, your credentials could have been sold recently and the new owners are less picky about alerting victims to the breach.

It could be that a bunch of credentials were captured for a specific purpose. Perhaps it was a targetted attack aiming for a specific victim, you and others here were collateral damage, and now the attacker is selling the assets.

[gregsadetsky]

Yeah, totally agreed and all great points.

I also generally am more suspicious of the idea that they sat on the credentials for years. Although that is not impossible.

One disproving fact (of sitting on the password for years) is that a few people here in this thread confirm having a login attempt from the exact same ip range, but with an account that was created this year -- in one case, in November 2021:

https://news.ycombinator.com/item?id=29710262

So... it might turn out to be a much more recent vulnerability after all.

[wutwutwutwut]

Couldn't it just be that someone got a copy of the password some years ago and now sold the list of credentials to someone else, who then tried to use it? Maybe the original owner of the list didn't realize some of the credentials was for LastPass, for example.

I'm still seeing hackers trying to log on using passwords I haven't used in ~10 years, because it's on a list somewhere.

[gregsadetsky]

I agree, that could make sense.

So LastPass (their extension) may have been hacked ~5 years ago ish, a few people here on the thread were all hacked in the same way, our passwords were sold off, and now the same Brazil IP range just tried all of those passwords.

[kreetx]

Perhaps you can ask the other victims when did they register their accounts to see if that's true?

[gregsadetsky]

I've been trying to ask this to people posting reports, and although there are many "older" accounts (like mine, circa 2017 or older), at least 2 reports are from accounts created this year:

https://news.ycombinator.com/item?id=29710262

https://news.ycombinator.com/item?id=29711950

That would make "more sense" that our credentials weren't stored and unused for years, i.e. that this is possibly a new, recent breach.

[sillysaurusx]

This seems likely.

[trevcanhuman]

I feel like this sounds more like a zero-day exploit being used to target the LastPass login servers.

[Fnoord]

Great post, seriously.

How many extensions are you using again? :-)

[sillysaurusx]

Hmm. Tabist, Twitch Now, EditThisCookie, TooManyTabs, ublock, adblock, tampermonkey, disable Reddit CSS, FreshStart, Notion, Netflix auto-skip, gist from website, Auto Kill Sticky... and a couple I don’t recognize. I’ll post a full list when I’m back at a laptop.

“Too many” :)

[eksployted]

The only ones I have that match up there are EditThisCookie and ublock (origin)

EditThisCookie was last updated November 22, 2020, so it doesn't seem likely from that.

ublock origin was updated December 2, 2021, but they haven't changed devs or anything that would make me suspicious.

[55555]

That’s not a phishing site. That’s standard zero-click /smartlink monetization. It’s a lot to explain and I’m on mobile but it isn’t anything to do with phishing.

[sillysaurusx]

But, it certainly wasn't from Spectrum (my ISP), but they designed the page to make it look like it was.

I agree that it could be totally unrelated to the root mystery though. But "everyone here fell for malware or got phished" seems like the most likely explanation, even if my answer happens to be otherwise incorrect.

[aNopBxEjtX]

the site is an advertising redirect and these same attackers (or at least users of the same IP ranges) use leaked credentials to login to Microsoft/Outlook accounts using SMTP