Psychz mail system seems to be hacked....

PhantomPain

Is anyone else who received the phishing email with title 'SERVER TERMINATION' from Psychz?

Neoon

Just because you get a phishing email dosen't mean the mail server of psychz is compromised.
Check the headers/source of the email.

DP

Phishing != "mail system hacked".

definitelyliam

I just got this (and posted it) and it freaked me out. Checking the headers, it baffles me that it passed SPF and landed on my Inbox.

MeanServers

Received the same email (we have Psychz services), not 100% sure if it is just a targeted phishing campaign or something worse.

bacloud

Yeah, got one with attachment. Antivirus was not very happy.

sibaper

any one can post the email header?

definitelyliam

@sibaper said:
any one can post the email header?

Return-Path: <[email protected]>
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42])
     by sloti37d1t10 (Cyrus 3.5.0-alpha0-519-g27a961944e-fm-20210531.001-g27a96194) with LMTPA;
     Mon, 31 May 2021 06:44:00 -0400
X-Cyrus-Session-Id: sloti37d1t10-1622457840-922412-2-16425216322047351825
X-Sieve: CMU Sieve 3.0
X-Spam-known-sender: no
X-Spam-sender-reputation: 1000 (email)
X-Spam-score: 0.0
X-Spam-hits: ME_SC_SENDERREP -100, ME_SENDERREP_ALLOW -4, SHORTCIRCUIT -0.0001,
  SPF_HELO_PASS -0.001, SPF_PASS -0.001, SUBJ_ALL_CAPS 0.5,
  LANGUAGES enfrca, BAYES_USED none, SA_VERSION 3.4.2
X-Spam-source: IP='216.99.144.35', Host='mail.psychz.net', Country='US', FromHeader='net',
  MailFrom='net'
X-Spam-charsets: plain='utf-8'
X-Attached: document230134.xlsx
X-Resolved-to: my_email@address
X-Delivered-to: my_email@address
X-Mail-from: [email protected]
Received: from mx3 ([10.202.2.202])
  by compute2.internal (LMTPProxy); Mon, 31 May 2021 06:44:00 -0400
Received: from mx3.messagingengine.com (localhost [127.0.0.1])
    by mailmx.nyi.internal (Postfix) with ESMTP id CC5111F400FF
    for <my_email@address>; Mon, 31 May 2021 06:43:59 -0400 (EDT)
Received: from mx3.messagingengine.com (localhost [127.0.0.1])
    by mx3.messagingengine.com (Authentication Milter) with ESMTP
    id 5647C1D3699;
    Mon, 31 May 2021 06:43:59 -0400
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm2; t=
    1622457839; b=pJjQidyJgBZdkWTitO3fmiUZ/kWO+C2QM/WaB11/Rsj0+3XVK7
    g+LhIcg59HmxjwI8EEtgQ+mujtoGxuMpoCIQtrdDtm4cije1nWIfhPlxUX+N8q02
    WWbW/7iQ4q4RgcKJLmfF2AERirwQ8NLKTGGTREQaENfqatO4ioK4ZAxjNaiz8m31
    rI6BojR4Oq1KlZen1oMUpDjfLXcORsFhIax851bLArhG2vsNtH1a3rcSeLFTaVfj
    RDsiCM8hY5lF4lrZ+tWyp0hpi2FCFJDl5bCt1Pq2ovneOI6AJun5Xol1YJnPKvGO
    GrPqXdT0FEr3tmAihV/1WrNyh2+l7f6HXFKg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
    messagingengine.com; h=from:to:subject:date:message-id
    :mime-version:content-type; s=fm2; t=1622457839; bh=Mczb7jtw6fh4
    4Wb8Loz+KdHju8e6NMy8VmBxadZySRg=; b=qsYmOJksbv0CxFVvapdGWc3kwVRq
    zNDKXOkbLy7WafNp5S2jhfsuQF5824uyIcKUyPOlA42KNmXc32vL/jqho8qFi7w5
    p8VA4WRDxzje9R1GHFVyKoNeBiy6+RVQ4zut7Y6GhJ39HkkEQMRCByv9mvy1VV5R
    vkJsttwJtU28iQj91DDrmLg1xRicuYmCL1BcQht80ymOfTJyW1v0MMw9ko0Lw5ax
    3j4za0rIvyPzD3e6oz2c2GVyrHloKocgnYJvlI1YGg1VyNtcnH9FG0qjDfv+MTLJ
    XRB6j5SiYb38drKVwYnp3iFMnaqCn97KOl7BN1HEHsB++2fnmC1qlmxZ3g==
ARC-Authentication-Results: i=1; mx3.messagingengine.com;
    arc=none (no signatures found);
    bimi=skipped (DMARC Policy is not at enforcement);
    dkim=pass (2048-bit rsa key sha256) header.d=psychz.net
    [email protected] header.b=c1PS0gNp header.a=rsa-sha256
    header.s=default x-bits=2048;
    dmarc=pass policy.published-domain-policy=none
    policy.published-subdomain-policy=none policy.applied-disposition=none
    policy.evaluated-disposition=none (p=none,sp=none,d=none,d.eval=none)
    policy.policy-from=p header.from=psychz.net;
    iprev=pass smtp.remote-ip=216.99.144.35 (mail.psychz.net);
    spf=pass [email protected] smtp.helo=psychz.net;
    x-aligned-from=pass (Address match);
    x-csa=none;
    x-me-sender=none;
    x-ptr=fail smtp.helo=psychz.net policy.ptr=mail.psychz.net;
    x-return-mx=pass header.domain=psychz.net policy.is_org=yes
    (MX Records found: mail.psychz.net);
    x-return-mx=pass smtp.domain=psychz.net policy.is_org=yes
    (MX Records found: mail.psychz.net);
    x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES256-GCM-SHA384
    smtp.bits=256/256;
    x-vs=clean score=0 state=0
Authentication-Results: mx3.messagingengine.com;
    arc=none (no signatures found);
    bimi=skipped (DMARC Policy is not at enforcement);
    dkim=pass (2048-bit rsa key sha256) header.d=psychz.net
      [email protected] header.b=c1PS0gNp header.a=rsa-sha256
      header.s=default x-bits=2048;
    dmarc=pass policy.published-domain-policy=none
      policy.published-subdomain-policy=none policy.applied-disposition=none
      policy.evaluated-disposition=none (p=none,sp=none,d=none,d.eval=none)
      policy.policy-from=p header.from=psychz.net;
    iprev=pass smtp.remote-ip=216.99.144.35 (mail.psychz.net);
    spf=pass [email protected] smtp.helo=psychz.net;
    x-aligned-from=pass (Address match);
    x-csa=none;
    x-me-sender=none;
    x-ptr=fail smtp.helo=psychz.net policy.ptr=mail.psychz.net;
    x-return-mx=pass header.domain=psychz.net policy.is_org=yes
      (MX Records found: mail.psychz.net);
    x-return-mx=pass smtp.domain=psychz.net policy.is_org=yes
      (MX Records found: mail.psychz.net);
    x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES256-GCM-SHA384
      smtp.bits=256/256;
    x-vs=clean score=0 state=0
X-ME-VSCause: gggruggvucftvghtrhhoucdtuddrgeduledrvdelfedgfedvucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu
    rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucenucfjughrpefhvffuff
    fkgggtsehmtdefvcdttdejnecuhfhrohhmpehsuhhpphhorhhtsehpshihtghhiidrnhgv
    thenucggtffrrghtthgvrhhnpeeigfeiffeivefgtdfhjeeiieekveevgfelieefjeffje
    fgfedtteeijeevudeuudenucffohhmrghinhepthifihhtthgvrhdrtghomhdpfhgrtggv
    sghoohhkrdgtohhmnecukfhppedvudeirdelledrudeggedrfeehpdeghedrudegjedrvd
    dvkedrgeejnecuvehluhhsthgvrhfuihiivgepudenucfrrghrrghmpehinhgvthepvddu
    iedrleelrddugeegrdefhedphhgvlhhopehpshihtghhiidrnhgvthdpmhgrihhlfhhroh
    hmpeeoshhuphhpohhrthesphhshigthhiirdhnvghtqe
X-ME-VSScore: 0
X-ME-VSCategory: clean
X-ME-CSA: none
Received-SPF: pass
    (psychz.net: 216.99.144.35 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'mx' matched))
    receiver=mx3.messagingengine.com;
    identity=mailfrom;
    envelope-from="[email protected]";
    helo=psychz.net;
    client-ip=216.99.144.35
Received: from psychz.net (mail.psychz.net [216.99.144.35])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mx3.messagingengine.com (Postfix) with ESMTPS
    for <my_email@address>; Mon, 31 May 2021 06:43:59 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=psychz.net;
    s=default; h=Content-Type:MIME-Version:Message-ID:Date:Subject:To:From:Sender
    :Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
    Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
    In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
    List-Post:List-Owner:List-Archive;
    bh=Mczb7jtw6fh44Wb8Loz+KdHju8e6NMy8VmBxadZySRg=; b=c1PS0gNpj3hb/gB5SD6Ag0tcKw
    kALYcVKXYXWhjpIwAXfObXqSVab7ViyNS+WPQkiHs8GqMx+5LOStL6X4iNQsgptQy6B8RU6xJYYLS
    V8v9jekcZldPDi+SZxpsTXeubXfGyyqMQLcX/XqfaY43BPg6mNVwmSR9SrTOsINYYLWaViM9on4Cn
    coRo65MHNXeLG2JWTHdPo+RqyIrBqEoNPSl6YK+Rfnv/aPYZtn6IZu6lyZB6k9J9fcrGEoxvxwGzh
    HP5sUaIF5pY0wVM5U9E1zs3g4o4TU6aOh42Eevjtg0Vdqh9+wPlKtI4MbqhDO3FOK8jJ1Z5TTI0mT
    bOCUgvtw==;
Received: from [45.147.228.47] (port=64590)
    by psychz.unixbsd.info with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.94.2)
    (envelope-from <[email protected]>)
    id 1lnfOj-0008CM-Rv
    for my_email@address; Mon, 31 May 2021 10:43:56 +0000

letbox

Well,

Maybe we will see some kind of a lot credit cards Payment attempting soon!

Regards

ploxhost

Yep… got the same email here. I’m still questioning how they got our emails?

deank

An employee sold the list is the likely case.

PhantomPain

@deank said:
An employee sold the list is the likely case.

It's not just the mail list.
Because the emails are SPF verified it is more likely there mail servers are being hacked.

jar

Yeah. I got it too. It's not good:

2021-05-31 10:45:28 1lnfQ7-00014E-VF <= [email protected] H=mail.psychz.net (psychz.net) [216.99.144.35] P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=950905 DKIM=psychz.net [email protected] T="SERVER TERMINATION" from <[email protected]> for [email protected]

jarlanddonnell@Jarlands-MacBook-Pro ~ % dig MX psychz.net +short
0 mail.psychz.net.

jarlanddonnell@Jarlands-MacBook-Pro ~ % host 216.99.144.35
35.144.99.216.in-addr.arpa domain name pointer mail.psychz.net.

jarlanddonnell@Jarlands-MacBook-Pro ~ % host mail.psychz.net
mail.psychz.net has address 216.99.144.35

Email: https://paste.mxrouteapps.com/?39162409d0985990#F7W52GNNbcPdom9nHDD6yAbRZgqHiGs7KjHAJ7JxUJG7

Attachment: https://www.virustotal.com/gui/file/16b1d0cbb8eb4804ccedaed0abd454606f0d237abe3d4f8ac212ff3a027270c7/detection

Initial suggestion that they've been compromised at some level is justified. Every email account that received one at MXroute looks like an address that may have been signed up for Psychz at some point.

default

isunbejo

popcorn yummy

NobodyInteresting

This corn be popping!

iHavenoName

Yes and according to Psychz:

Hello,

That email came from a spoof account using the email name of a JR tech of ours. The attachment has a virus/trojan that compromises the Windows OS workstation that opens it, so we recommend running malware and virus scan ASAP! Delete the email as well.

Our security department is currently investigating the root of this spoof, so any emails requesting personal information or payment under this email account are not official PSYCHZ billing/sales, so we ask you to delete them.

ProtonMail didn't catch it, because it's using the Psychz servers:

Parsing header:
0: Received: from psychz.net (mail.psychz.net [216.99.144.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailin021.protonmail.ch (Postfix) with ESMTPS id 4FtsCt1csBz3hhcs for <x>; Mon, 31 May 2021 10:36:42 +0000 (UTC)
Hostname verified: mail.psychz.net
Protonmail received mail from sending system 216.99.144.35

1: Received: from [45.147.228.47] (port=64545) by psychz.unixbsd.info with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <[email protected]>) id 1lnfHg-0004qg-G4 for x; Mon, 31 May 2021 10:36:39 +0000
No unique hostname found for source: 45.147.228.47
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust this Received line.
Tracking message source: 216.99.144.35:
Routing details for 216.99.144.35
[refresh/show] Cached whois for 216.99.144.35 : [email protected]
Using abuse net on [email protected]
abuse net psychz.net = [email protected], [email protected]
Using best contacts [email protected] [email protected]
Reports disabled for [email protected]
Using noc#[email protected] for statistical tracking.
[email protected] bounces (37 sent : 19 bounces)
Using postmaster#[email protected] for statistical tracking.
Message is 6 hours old
216.99.144.35 not listed in cbl.abuseat.org
216.99.144.35 not listed in dnsbl.sorbs.net
216.99.144.35 not listed in accredit.habeas.com
216.99.144.35 not listed in plus.bondedsender.org
216.99.144.35 not listed in iadb.isipp.com

Please make sure this email IS spam:
From: [email protected] (SERVER TERMINATION)
View full message

Report Spam to:
Re: 216.99.144.35 (Administrator of network where email originates)
 To: postmaster#[email protected] (Notes)
 To: noc#[email protected] (Notes)

Total fucking bullshit. They still haven't sent out notices to customers, telling people to ignore those emails. I have to reply to them to be told "oh sorry, we've been compromised by a pissed off employee...please don't open those emails."

jar

@iHavenoName said: That email came from a spoof account using the email name of a JR tech of ours

Yeah, no it wasn't. It's not spoofing when someone sends an email from your mail server.

jackb

@jar said:
Initial suggestion that they've been compromised at some level is justified. Every email account that received one at MXroute looks like an address that may have been signed up for Psychz at some point.

Headers I saw earlier looked like their mailserver might be relaying for unauthenticated users, or an authenticated user on their mailserver was compromised.

Does that sound realistic to you?

iHavenoName

@jar said:
Yeah, no it wasn't. It's not spoofing when someone sends an email from your mail server.

Exactly. They have a pissed off ex-employee, who fired off some emails before their creds were locked.

jar

@jackb said: Headers I saw earlier looked like their mailserver might be relaying for unauthenticated users, or an authenticated user was compromised.

Depends whether these headers were written by 45.147.228.47 or 216.99.144.35:

X-Get-Message-Sender-Via: psychz.unixbsd.info: authenticated_id: [email protected]

X-Authenticated-Sender: psychz.unixbsd.info: [email protected]

I'd propose it was written by 216.99.144.35, writing the name given by the connecting system and the login address used to authenticate at 216.99.144.35.

jar

I would also propose that psychz.unixbsd.info is owned by Psychz. Possibly an old staging server. The unixbsd.info domain has some connection to them (ex. https://ipinfo.io/108.171.246.252), someone else might notice more connection than I do.

WilliamProfuse

Hi All -

We're still investigating the situation and will know more about the extent of the damage once we conduct a full investigation with our vendors.

At the moment we can see the what is compromised is what ever the entry level tech had access to. Essentially his workstation was compromised with a virus thus giving the hacker access to our portal system. They then used his personal email account to send emails out to those seen above.

This is one of the challenges with the pandemic when techs are working from home instead of the office. Policies were in place to prevent this such as running Ubuntu or self wipe system when working on windows system. Unfortunately that was not followed thus we need to re-visit the policies internally for all employees.

From what we can see so far is 5% of our of our clients were emailed the email seen above. Right now we have shutdown his workstation and doing a full forensics on his machine.

We're sending emails to those that were sent an email to ensure they did not open the attachment.

In terms of billing information being compromised those are highly unlikely.

1. Our database server is locked down and show no evidence of entry or downloads.
2. Server credentials are required to be changed at the first provision of server. (Thus server compromised / data are highly unlikely)
3. Router/Switches are not provided to entry level techs
4. IPMI/Router/Switches are all private networks there is no way to connect it via entry points

Right now the concern is to those who receive those emails and not to open them. While we conduct further investigation we'll know the extent of the damage.

Those that were sent the email and have concerns please reach out to our support team or DM me and we'll do the best we can to assist.

alexvolk

@jar said: Every email account that received one at MXroute looks like an address that may have been signed up for Psychz at some point.

Do you think it's fair to look up at incoming emails of your customers?

Amazing...

jar

@alexvolk said: Do you think it's fair to look up at incoming emails of your customers?

Absolutely. I do log audits every day in my efforts to protect customers from spam, viruses, and phishing emails. My customers demand that I look out for them in this way, and tying my hands behind my back doesn't help. It's part of my privacy policy and has been for as long as I can recall.

We do monitor email logs and login activity so that we might be proactive in response to any issues whether technical or security. We do not read your email unless instructed by you to do so

MXroute is a managed service provider, I am not hands-off.

serv_ee

I rarely see eye to eye with @alexvolk but in this case I do, don't think telling people that you're actually checking emails is the best way to go. Just imho. Some of that responsibility must stay on the end user as well.

jar

@serv_ee said: don't think telling people that you're actually checking emails is the best way to go

[root@gateway] ~ # darun grep 216.99.144.35 /var/log/exim/mainlog

Is the exact command I ran. If you you want to be over dramatic, I guess feel free.

I'm merely noting that the logs I observed appear to have a correlation to service providers. This is not new behavior for me, nor is making public the result of my work new. You should see this huge privacy violation where I list botnet IPs: https://github.com/mxroute/the_botnet

serv_ee

@jar said:

@serv_ee said: don't think telling people that you're actually checking emails is the best way to go

[root@gateway] ~ # darun grep 216.99.144.35 /var/log/exim/mainlog

Is the exact command I ran. If you you want to be over dramatic, I guess feel free.

I'm merely noting that the logs I observed appear to have a correlation to service providers.

Dont think I was being over dramatic but if you feel that way I'm sorry.

I never thought anything bad by that as I would never think you had any malicious intent with it but again like I said, some internet safe keeping responsibility should stay with the end user instead of you needing to look up emails.

jar

@serv_ee said: some internet safe keeping responsibility should stay with the end user instead of you needing to look up emails

That's not what my customers ask of me though, they believe it is my responsibility to keep them safe. Examining the impact of a virus email coming from a major service provider, which also was a former MXroute vendor, and then attempting mitigation if appropriate is absolutely something my customers would task me with.

I have no desire to hide the findings from my daily work, where my findings are removed from any specific customer information. Please feel free to benefit from it:

https://github.com/mxroute/rspamd_rules

https://mxrbl.com/

serv_ee

@jar said:

@serv_ee said: some internet safe keeping responsibility should stay with the end user instead of you needing to look up emails

That's not what my customers ask of me though, they believe it is my responsibility to keep them safe. Examining the impact of a virus email coming from a major service provider, which also was a former MXroute vendor, and then attempting mitigation if appropriate is absolutely something my customers would task me with.

I have no desire to hide the findings from my daily work, where my findings are removed from any specific customer information. Please feel free to benefit from it:

https://github.com/mxroute/rspamd_rules

https://mxrbl.com/

If that's what your customers want then of course, sorry to get involved.

Have a nice day

deank

A provider admits a possible fault. Thus, eliminating the need of responsibility from his customers.

Then, LE user argues back, stating that users should bear some responsibility.

Cannot please everyone.