Hmm. So I don't know if this means anything, but I was googling for the IP address and wound up at https://ipinfo.io/160.116.88.235 which says hostname: visit.keznews.com. When you go to that hostname, it's one of the best phishing sites I've ever seen. They dynamically inserted my ISP's logo (Spectrum) and tried to do a phishing attempt:
Now, the interesting part is that this phishing attempt only happened once. When I tried to visit again just now, it just says "something went wrong" (on the first site) and "Access denied" (on the second site).
I saved the sites to disk as I went, but I doubt these dumps will tell you much. Just in case though:
Long story short: It sounds like all of you got phished. I suspect you installed a malicious app that somehow targeted your web browser's LastPass extension, modifying it to send your master password to these fine people. ¯\_(ツ)_/¯
That's quite possible, for sure. I am not beyond/above/below being phished like anyone else, ha!
The issue -- what makes it perplexing -- is that I haven't used this LastPass password since 2017. I know because this LastPass account was only used to share passwords within an org that I left back then.
Is it possible that I was phished 4 years ago, and they sat on the password? Sure.
But 2 other people in this thread being phished from the exact same phishing server/group?
Or we were separately phished using different techniques, and now one Brazil server attempted to use all of our logins?
You don't necessarily know they sat on it. You only just got a notification of the failed login now.
That doesn't mean they didn't try stuffing it elsewhere previously, or have login attempts you weren't notified of.
Nor do you know if the entity responsible for the failed login is the one who originally captured the credentials.
If you'll forgive the wild speculation, your credentials could have been sold recently and the new owners are less picky about alerting victims to the breach.
It could be that a bunch of credentials were captured for a specific purpose. Perhaps it was a targeted attack aiming for a specific victim, you and others here were collateral damage, and now the attacker is selling the assets.
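Several posters describe the same pattern: one source range trying saved credentials against many different accounts, with victims learning about it only through failed-login notifications. As an added defender-side example (not code from the thread or from LastPass), the script below groups authentication events by source /24 and flags any range that touches several distinct accounts, reporting successes separately because a stuffing range that got in somewhere matters more than one that only failed. The log format is assumed, and apart from 160.116.88.235 (the address discussed above) every value in the sample is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of authentication events; the line format is an assumption.
# 160.116.88.235 is the address discussed in the thread; the rest is made up.
SAMPLE_LOG = """\
2021-12-27T03:14:05Z auth result=fail user=alice@example.com src=160.116.88.235
2021-12-27T03:14:09Z auth result=fail user=bob@example.com src=160.116.88.17
2021-12-27T03:14:12Z auth result=success user=carol@example.com src=160.116.88.201
2021-12-27T03:15:40Z auth result=fail user=dave@example.com src=160.116.88.235
2021-12-27T08:02:11Z auth result=fail user=alice@example.com src=198.51.100.7
2021-12-27T08:02:30Z auth result=success user=alice@example.com src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log lines in the assumed format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def flag_stuffing_ranges(events, prefix_len=24, min_accounts=3):
    """Return source networks that touched at least `min_accounts` distinct accounts.

    Both failed and successful attempts count toward the account total, so a
    range is not hidden by the one account it happened to get into.
    """
    by_net = defaultdict(lambda: {"users": set(), "successes": set()})
    for ev in events:
        net = ipaddress.ip_network(f"{ev['src']}/{prefix_len}", strict=False)
        entry = by_net[net]
        entry["users"].add(ev["user"])
        if ev["result"] == "success":
            entry["successes"].add(ev["user"])

    flagged = {}
    for net, entry in by_net.items():
        if len(entry["users"]) >= min_accounts:
            flagged[str(net)] = {
                "accounts": sorted(entry["users"]),
                "succeeded": sorted(entry["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for net, info in flag_stuffing_ranges(parse_events(SAMPLE_LOG)).items():
        print(f"{net}: {len(info['accounts'])} accounts, successes: {info['succeeded']}")
```

Run against the sample, only 160.116.88.0/24 is flagged (four accounts, one of them a success); the single user's own retries from 198.51.100.7 stay below the threshold. In a real deployment the threshold and prefix length are tuning knobs: a /24 is a reasonable first cut for the "same IP range" the thread describes, but a stuffing operation spread across many providers needs correlation on the credential source rather than the network.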
I also generally am more suspicious of the idea that they sat on the credentials for years. Although that is not impossible.
One disproving fact (of sitting on the password for years) is that a few people here in this thread confirm having a login attempt from the exact same IP range, but with an account that was created this year -- in one case, in November 2021:
Couldn't it just be that someone got a copy of the password some years ago and now sold the list of credentials to someone else, who then tried to use it? Maybe the original owner of the list didn't realize some of the credentials were for LastPass, for example.
I'm still seeing hackers trying to log on using passwords I haven't used in ~10 years, because it's on a list somewhere.
So LastPass (their extension) may have been hacked ~5 years ago ish, a few people here on the thread were all hacked in the same way, our passwords were sold off, and now the same Brazil IP range just tried all of those passwords.
I've been trying to ask this to people posting reports, and although there are many "older" accounts (like mine, circa 2017 or older), at least 2 reports are from accounts created this year:
Hmm. Tabist, Twitch Now, EditThisCookie, TooManyTabs, ublock, adblock, tampermonkey, disable Reddit CSS, FreshStart, Notion, Netflix auto-skip, gist from website, Auto Kill Sticky... and a couple I don’t recognize. I’ll post a full list when I’m back at a laptop.
That’s not a phishing site. That’s standard zero-click/smartlink monetization. It’s a lot to explain and I’m on mobile but it isn’t anything to do with phishing.
But, it certainly wasn't from Spectrum (my ISP), but they designed the page to make it look like it was.
I agree that it could be totally unrelated to the root mystery though. But "everyone here fell for malware or got phished" seems like the most likely explanation, even if my answer happens to be otherwise incorrect.
The site is an advertising redirect, and these same attackers (or at least users of the same IP ranges) use leaked credentials to log in to Microsoft/Outlook accounts using SMTP.
https://i.imgur.com/C9HQw1c.png
The full non-clickable URL:
I went through and answered the "questions", and it tried to take me to the actual phishing site: https://i.imgur.com/wYt5WB3.png
https://i.imgur.com/Picaw4a.png
Screenshots of the actual phishing site
https://i.imgur.com/Bh5c2lZ.png
https://i.imgur.com/q7xnSki.png
https://i.imgur.com/GX4hWnQ.png
And its url (non-clickable):
Now, the interesting part is that this phishing attempt only happened once. When I tried to visit again just now, it just says "something went wrong" (on the first site) and "Access denied" (on the second site).
I saved the sites to disk as I went, but I doubt these dumps will tell you much. Just in case though:
1. https://gist.github.com/shawwn/4deace812e7c752949a0df096ef66...
2. https://gist.github.com/shawwn/721f235e760dd2257cd760edb1188...