Was I hacked?

For discussions about security.
Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

Was I hacked?

#1 Post by Sylvander »

1. I use "SaveMyModem" [smm] to check all my incoming emails whilst they are still on the Blueyonder POP3 server.

2. Saw an email that pretended to be [or WAS?] from "Love Film" with whom I have an account.
It looked legitimate, so I downloaded it using Thunderbird.
Thunderbird blocks links to stuff out on the web.
Can't remember if I allowed those links.

3. The email was saying that I needed to change my login details for Love Film, so as to use my Amazon login details.
I was suspicious of this and decided to do nothing, but didn't delete the email.

4. Next time I booted the Puppy [Precise-5.6.1 frugal install on a partition on an internal HDD] and ran Thunderbird [its files are held at /mnt/home and can be used by all copies of TB on various Puppies], it fetched an email [using my existing/unchanged username & password], and reported that the server was unable to use the provided username & password [obviously false, since smm and Thunderbird were both successfully accessing the POP3 server and downloading stuff].
I deleted the LoveFilm email!

5. I booted my Slacko [frugal install] held on a Flash Drive and ran Thunderbird.
This TB doesn't use the TB files held at /mnt/home, but instead uses its own files held within the pupsave file.
It reported no problem accessing the POP3 server, even though using the same username & password as all other Thunderbird copies.
I deduced that either the TB program files had been messed with, or else the email files [default & profiles].

6. I used Slacko to delete the precisesave file and replace it with a HotBackup copy made about 2 weeks ago.
Having booted back into Precise and run Thunderbird, there was no longer any report of a problem.
A good email fetched OK, both in smm and Thunderbird.

Does anyone understand what happened? :?

Jasper

#2 Post by Jasper »

google
phishing love film

Sylvander

#3 Post by Sylvander »

Jasper wrote:
google
phishing love film

Done.
If I ever again get such an email, I hope to remember this, go again to the webpage found, and apply the advice given by LoveFilm.
At least I didn't get badly bitten this time around. :D
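
The indicators that a search on that phrase turns up can be checked mechanically. The Python script below is an added example written for this page, not code from the thread or from any project it mentions. The two messages in it are constructed, and the brand name and the domain it treats as legitimate (lovefilm.com) are assumptions for illustration. It flags a display name that claims a brand while the address is on another domain, link text that shows one domain while the href goes elsewhere, and links that go straight to an IP address.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not the message from the thread: every header, address
# and URL below is made up for illustration (RFC 5737 test address used).
SUSPECT_EML = """\
From: "Love Film" <account-update@lovefilm-secure.example>
To: customer@example.org
Subject: Action required: link your Amazon login
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your login must be changed within 24 hours.</p>
<p><a href="http://198.51.100.7/login">https://www.lovefilm.com/account</a></p>
<p><a href="https://www.lovefilm.com/help">Help centre</a></p>
</body></html>
"""

# A constructed message with the same brand name where nothing is inconsistent.
CLEAN_EML = """\
From: "Love Film" <news@lovefilm.com>
To: customer@example.org
Subject: This week's releases
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://www.lovefilm.com/new">See what's new</a></p></body></html>
"""


def registrable(host):
    """Crude registrable domain: the last two labels. Enough for sample data;
    real traffic needs a public-suffix list (co.uk and the like)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_finding(msg, brand_names, brand_domains):
    """Flag a display name that claims a brand while the address domain is not
    one the brand is assumed (here, for illustration only) to send from."""
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    if any(b in name.lower() for b in brand_names) and registrable(domain) not in brand_domains:
        return f"display name {name!r} but sender domain {domain!r}"
    return None


def link_findings(html):
    """Flag links whose visible text is a URL on a different domain than the
    href, and links that point at a bare IP address."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname if "://" in text else None
        if text_host and registrable(text_host) != registrable(href_host):
            findings.append(f"link text shows {text_host!r} but points to {href_host!r}")
        if href_host and all(c.isdigit() or c == "." for c in href_host):
            findings.append(f"link goes to bare IP address {href_host!r}")
    return findings


def assess(raw, brand_names=("love film", "lovefilm"), brand_domains=frozenset({"lovefilm.com"})):
    """Return the list of phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = sender_finding(msg, brand_names, brand_domains)
    if sender:
        findings.append(sender)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        findings.extend(link_findings(body.get_content()))
    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EML), ("clean", CLEAN_EML)):
        print(label, assess(raw) or ["no indicators"])
```

Thunderbird's own link blocking hides remote images but not the target of a link, so the text/href comparison is the check a reader otherwise has to do by hovering over each link; the script only reports inconsistencies and makes no network requests.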

Jasper

#4 Post by Jasper »

If some phishing protection is desired:

(1) google the demo site - internetbadguys

(2) google - sc0ttman internet security helper
(that's scZero)

(3) download and install the pet from the 1st post (or read the entire thread if more than phishing protection is sought).

(4) Click Setup DNS, use the arrow and choose OpenDNS - then OK out.

(5) now repeat item (1) and the site should now be blocked (as per screen shot).
Attachment: image.png (screenshot of the blocked site)

Sylvander

#5 Post by Sylvander »

1. All above steps completed successfully, and the site was blocked. :D

2. I installed:
[Linked at THIS thread]
netsecurity_all-0.1-i486.pet [all buttons available]
NOT
netsecurity-0.1-noarch.pet [only 2 were not grayed]

3. How does this prevent me being subject to phishing scams?

Jasper

#6 Post by Jasper »

PM Nooby - doubtless he could make one of his wild guesses along the lines of - those that can not get near the fire cannot have a finger burnt nor have their life destroyed by financial fraud.

It's "some" protection from our human frailty, but not total protection all the time.

Sylvander

#7 Post by Sylvander »

After reboot, nothing I tried could connect to the internet...

So I deleted the precisesave file and replaced it with my most recent backup copy.
So I can now once again connect to the web.

RetroTechGuy
Posts: 2947
Joined: Tue 15 Dec 2009, 17:20
Location: USA

#8 Post by RetroTechGuy »

Sylvander wrote:
After reboot, nothing I tried could connect to the internet...

So I deleted the precisesave file and replaced it with my most recent backup copy.
So I can now once again connect to the web.

I'm still a little puzzled (and concerned)...

It would seem that merely downloading this email was sufficient to break Thunderbird, and/or the internet connection...

That reminds me, it's probably time to make another copy of my save file...
Add swapfile: http://murga-linux.com/puppy/viewtopic.php?t=58615
WellMinded Search: http://wellminded.net63.net/
PuppyLinux.US Search: http://puppylinux.us/psearch.html

Jasper

#9 Post by Jasper »

Hi Sylvander,

sc0ttman wrote about the pet you installed:
"...... but here's one that might not work in your pup! "
which is why I wrote:
"...... (or read the entire thread if more than phishing protection is sought)."

Please, for the sake of others, try the smaller pet that you linked to and just try the OpenDNS option again - and please report in sc0ttman's thread if your problem is repeated.

Sylvander

#10 Post by Sylvander »

1. Used smm to look at emails on the POP3 server.
All was well, only one email = notification of your post above.
So...

2. Used Thunderbird to fetch the email.

3. The "Alert" has returned, which says:
"Sending of username did not succeed. Mail server pop3.blueyonder.co.uk responded: Protocol error."
When I close the Alert, the following window tries to get me to specify [reset to] another password.
Didn't do that.
Emails are being fetched OK.

4. Last night...
For the 1st time ever...
When working within Slacko-5.3.3.1 frugal install running from a Flash Drive ...
This is capable of not saving session changes...
When I copied and pasted the usual webpage address for my banking website account login page...
From within my encrypted "Acerose Password Vault"...
I got "page not found". :( :?
Phoned my bank's help desk...
She told me the address for the bank's home webpage...
Then to click the login button to be taken to the login page.
The address was [slightly] different to the address saved inside my "Acerose Password Vault", that I've used successfully for years, [to prevent me being sent to a false/spoofed webpage].
She wouldn't [couldn't] either confirm or deny that the new login page address was correct.
Or whether the change of address was/is legitimate.
I had little alternative but to login there.
Did so, and all looked/seemed OK.
I'm worried that something malicious may be happening! :(

5. I'll install "netsecurity-0.1-noarch.pet" once again, but I think SetupDNS will be one of the grayed buttons.
All's well, it is there.
I've once again enabled OpenDNS, and internetbadguys.com is being blocked.
Should this block the "Alert" mentioned in 3 above?
Or else, what to do about it?
Is it genuine or malicious?
I'll click "Save..." on the desktop to manually save the changes [installed program].

6. I need a good screen capture utility [to show you the "Alert"] that can capture a chosen region of screen.
I've used one in the past that I liked, but cannot remember its name.
Not keen on those I have now = Pupsnap, Screeny, mtPaint.

--------------------------------------------------------------------------------------------------------

7. Having rebooted...
Used smm to check for new emails, and there were none.
Ran Thunderbird.
All seemed OK...
No emails fetched...
No "Alert" displayed; does that have any significance?
Able to connect OK to the internet using the usual programs [smm, Nightly].

Jasper

#11 Post by Jasper »

Sylvander,

Please let us know if you get any new email or banking peculiarities.

Hopefully others can analyse your experience and proffer advice.

Sylvander

#12 Post by Sylvander »

I notice there is only an "Alert" when I fetch emails during the session that follows a reboot from a session during which a "session save" was completed.
If no save...then no alert.
Normally I never save, so there is normally no alert.

Last time I tried a fetch and got the "Alert", the mails didn't fetch.
But they did then fetch when I did it manually using the menu entry.

I think the malicious email must have made change[s] to the Thunderbird files [default and profiles] held in /mnt/home [sda5].

The only copy I have of those files was when I made a backup [using Xfe] of the sda5 folder/file partition contents [to back up the emails+] way back in January.
I'd like to avoid losing recent emails.
Might it be possible to copy the up-to-date emails over to a restored copy of the old backup?

I can make unmetered calls 24/7 to any landline phone in the UK, so...
If you were happy for us to speak by landline phone, and gave me your number by PM....
I could call you.
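
On the question above about carrying recent mail over to a restored copy of the old backup: Thunderbird stores each mail folder as an mbox file under the profile's Mail directory, with a .msf index file beside it. The Python below is an added example for this page, not code from the thread or from Thunderbird. It builds two small constructed mbox files in a temporary directory (a "restored backup" holding messages 1 and 2, a "current Inbox" holding 2, 3 and 4) and appends to the restored copy only the messages whose Message-ID it lacks, so running it twice adds nothing the second time. The paths and message contents are made up; on real data it should be run with Thunderbird closed and the matching .msf file deleted afterwards so the index is rebuilt.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage


def message_ids(mbox_path):
    """Set of Message-ID values present in an mbox file (messages without one are ignored)."""
    box = mailbox.mbox(mbox_path, create=False)
    try:
        return {m["Message-ID"].strip() for m in box if m["Message-ID"]}
    finally:
        box.close()


def merge_new_messages(current_path, restored_path):
    """Append every message in current_path whose Message-ID is absent from
    restored_path and return the number appended. Messages already present
    (or lacking a Message-ID) are left alone, so the operation is idempotent."""
    seen = message_ids(restored_path)
    src = mailbox.mbox(current_path, create=False)
    dst = mailbox.mbox(restored_path, create=False)
    added = 0
    try:
        for msg in src:
            mid = (msg["Message-ID"] or "").strip()
            if not mid or mid in seen:
                continue
            dst.add(msg)
            seen.add(mid)
            added += 1
        dst.flush()
    finally:
        dst.close()
        src.close()
    return added


def _sample_message(number):
    """Constructed test message; the addresses are reserved example domains."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "me@example.org"
    m["Subject"] = f"message {number}"
    m["Message-ID"] = f"<msg{number}@example.org>"
    m.set_content(f"body of message {number}")
    return m


def build_demo(directory):
    """Constructed sample data: the restored backup holds messages 1-2, the
    current Inbox holds 2-4 (message 1 was deleted after the backup was taken)."""
    restored = os.path.join(directory, "Inbox.restored")
    current = os.path.join(directory, "Inbox")
    for path, numbers in ((restored, (1, 2)), (current, (2, 3, 4))):
        box = mailbox.mbox(path)
        for n in numbers:
            box.add(_sample_message(n))
        box.flush()
        box.close()
    return current, restored


def demo():
    """Merge once, then again, and report (first count, second count, final IDs)."""
    with tempfile.TemporaryDirectory() as d:
        current, restored = build_demo(d)
        first = merge_new_messages(current, restored)
        second = merge_new_messages(current, restored)
        return first, second, sorted(message_ids(restored))


if __name__ == "__main__":
    print(demo())
```

Keying on Message-ID rather than on position in the file is what makes the copy safe to repeat, and because only missing messages are appended, anything in the backup that the current Inbox no longer has (message 1 here) is kept rather than overwritten.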
