Conversation

Notices

1. Embed this notice
   Phantasm (phnt@fluffytail.org)'s status on Tuesday, 29-Apr-2025 16:20:34 JST Phantasm
   Lol, some Jap is going through fedi, treating handles as email addresses and sending spam to them that masquerades as a e-mail service provider warning that your inbox is full. It then uses a vulnerable CRM (bitrix) on a Russian children fund (detfond dot org) to redirect to their phishing site whose main page looks like a Brazil event organizer (phishing site is located at /ne)
   
   Email translation:
   Mailbox storage has reached its limit
   
   The current inbox usage is approaching the maximum capacity. The current number of received emails is 600,000 remaining.
   
   To maintain proper mailbox functionality, please optimize your storage.
   
   [1] Manage storage
   
   If you need assistance, please contact customer service.
   
   © 2025 Mail Service Support
   
   [1] is the phishing link
   image.png
   • nyanide :nyancat_rainbow::nyancat_body::nyancat_face: likes this.
   • Embed this notice
     Phantasm (phnt@fluffytail.org)'s status on Tuesday, 29-Apr-2025 16:27:57 JST Phantasm

     in reply to
     It doesn't even seem to collect the email address when you first go there. There's a uid param in the phishing link that sets the username field automatically and then it works.
     
     Of course it first says "login failed" after a few seconds and after the second try, it redirects to the domain from the email.
     manually typed address
     manually typed address
     with ?uid set
     nyanide :nyancat_rainbow::nyancat_body::nyancat_face: likes this.
   • Embed this notice
     nyanide :nyancat_rainbow::nyancat_body::nyancat_face: (nyanide@lab.nyanide.com)'s status on Tuesday, 29-Apr-2025 16:30:00 JST nyanide :nyancat_rainbow::nyancat_body::nyancat_face:

     in reply to
     @phnt Back in the day Roblox phishing games used to send phished credentials to a discord webhook, so the norm was to go into a game, make your password @everyone, and then just jitter click the fake log in button
     Phantasm likes this.
   • Embed this notice
     Phantasm (phnt@fluffytail.org)'s status on Tuesday, 29-Apr-2025 16:33:27 JST Phantasm

     in reply to
     email comes from info @ chiakireien.com with the name in the From header set to <Your domain with first letter capitalized> E-Mail
   • Embed this notice
     Phantasm (phnt@fluffytail.org)'s status on Tuesday, 29-Apr-2025 16:45:12 JST Phantasm

     in reply to
     Fuck, this is a good rabbit hole. The barely legit looking branch of bitrix in Czechia uses broken grammar as their company name (correct spelling: v jednom).
     image.png
   • Embed this notice
     Phantasm (phnt@fluffytail.org)'s status on Friday, 02-May-2025 15:36:38 JST Phantasm

     in reply to

     • 夜化
     @Yoruka https[://]detfond[.]org/bitrix/redirect.php?goto=https[://]lbaeventos[.]com[.]br/ne/?uid=some@email.tld
   • Embed this notice
     夜化 (yoruka@eientei.org)'s status on Friday, 02-May-2025 15:36:39 JST 夜化

     in reply to

     • 夜化
     @phnt tho i dont have ze website as there is no such email as yoruka@eientei.org
   • Embed this notice
     夜化 (yoruka@eientei.org)'s status on Friday, 02-May-2025 15:36:40 JST 夜化

     in reply to
     @phnt What a gemstone im checking that out after work
     Phantasm likes this.
   • Embed this notice
     Phantasm (phnt@fluffytail.org)'s status on Friday, 02-May-2025 15:50:11 JST Phantasm

     in reply to

     • 夜化
     @Yoruka At least they borrowed an old roundcube logo for their favicon. That was their extent of trying to mimic something.
   • Embed this notice
     夜化 (yoruka@eientei.org)'s status on Friday, 02-May-2025 15:50:13 JST 夜化

     in reply to

     • 夜化
     @phnt they can enjoy my nigger@faggot.com email
   • Embed this notice
     夜化 (yoruka@eientei.org)'s status on Friday, 02-May-2025 15:50:14 JST 夜化

     in reply to
     @phnt kek what a dumb system they didnt even try to recreate any existing mail login page. Nice try i guess
   • Embed this notice
     夜化 (yoruka@eientei.org)'s status on Friday, 02-May-2025 16:10:39 JST 夜化

     in reply to
     @phnt i guess first scammer outside india has shit to learn about
     Phantasm likes this.
   • Embed this notice
     Phantasm (phnt@fluffytail.org)'s status on Friday, 02-May-2025 16:27:33 JST Phantasm

     in reply to

     • 夜化
     @Yoruka It's all kinds of jank. If you don't specify the UID it doesn't even send the email to them, just the password.
   • Embed this notice
     夜化 (yoruka@eientei.org)'s status on Friday, 02-May-2025 16:27:34 JST 夜化

     in reply to
     @phnt Lol it redirects based on the UID not even the entered email address
   • Embed this notice
     Phantasm (phnt@fluffytail.org)'s status on Friday, 02-May-2025 16:36:26 JST Phantasm

     in reply to

     • 夜化
     @Yoruka Correct. If you don't specify the uid, it sends a post request with the email address field blank.
     
     Probably like that to make sure only those who got spammed end up in their db, but it's done in the most backwards way possible.
   • Embed this notice
     夜化 (yoruka@eientei.org)'s status on Friday, 02-May-2025 16:36:28 JST 夜化

     in reply to
     @phnt wait it sends the UID in and the input field for email is ignored?
   • Embed this notice
     夜化 (yoruka@eientei.org)'s status on Friday, 02-May-2025 16:56:23 JST 夜化

     in reply to
     @phnt what a fucking gem they could at least have checked if the uid and the email field match
     Phantasm likes this.