Be on the lookout for a phishing email a la:
From: "Easy DNS" <iem@easydns.com>
Reply-To: mark***@easydns.com
Subject: , Your account was hacked!
Hey,
Your account was
hacked.
please click
here.
The link goes to hxxp://pasilpowers.com/r/easydns/EMAIL, where EMAIL is the email address the message was delivered to.
(Update) How it happened
Some of you may have received the spearphish to a canary address you used for easyDNS. To be clear, there has been no compromise of the easyDNS database or customer portal.
We had a self-hosted version of a third-party email delivery CRM (Interspire) on a stand-alone VM outside of our VPN and completely segmented from our production DB and customer platform.
That CRM suffered an unauthorized access and it still had some old easyDNS (and Zoneedit) email lists. We used this to email Zoneedit customers when we acquired them last year, so it was configured to relay out via mail.easyzone.ca (64.68.198.156). This is what they used it to send the phish.
If you received this phish to a canary email address, we’re sorry to tell you that canary has now been burned and you’ll have to reset a new one. The good news is that CRM instance has no visibility into the customer facing database (we used to have to manually dump lists and import them into the CRM. Sometimes PITAs pay off).
That VM has been terminated and we were already in process of shifting both easyDNS and Zoneedit communications CRM into another system.
We will be even more vigilant about compartmentalizing data used in communications and not leaving stale lists hanging around.
We sincerely apologize for any alarm and/or confusion this may have caused.
Leave a Reply