
Aussie Feeders


  • We have eleven confirmed FR24-exclusive email addresses (users that created specific email addresses for their FR24-accounts) that have received spam recently.
    All eleven accounts were registered more than a year ago.

    We have checked all our servers over and over again, all logs and everything else we could think of. So far no sign of intrusion in any of our servers.

    Since we do not share customer data with any third parties, we take this matter very seriously.



    • Originally posted by Ressy
      Just a word of warning in case you have not followed other threads, some of us are seeing spam to fr24 specific not used elsewhere or in public email addresses so it seems flightradar24 has had its systems compromised.
      Haven't had any spam with the address I use. Could be a number of ways it has happened without a server being compromised.
      F-YSWG1 and T-YSWG2



      • Originally posted by nomad77
        Significant number of Tamworth CT4B's now ADSB equipped with some unusual C/S. Does anyone know what these are:

        HARR
        CHLE
        CHCK

        ROLR I assume is RAAF as the CT4's used to use it in RAAF service

        Any thoughts


        These are just guesses, need to get an airband radio.

        HARR - Harry?
        CHLE - Charlie or Charles?
        CHCK - Chuck?

        ROLR is Roller
        Last edited by YSWG; 2016-02-10, 09:00.
        F-YSWG1 and T-YSWG2



        • Originally posted by Olov
          We have eleven confirmed FR24-exclusive email addresses (users that created specific email addresses for their FR24-accounts) that have received spam recently.
          All eleven accounts were registered more than a year ago.

          We have checked all our servers over and over again, all logs and everything else we could think of. So far no sign of intrusion in any of our servers.

          Since we do not share customer data with any third parties, we take this matter very seriously.
          I too got 3 spam mails to my unique email address in the last 3 days (wrote about it here: http://forum.flightradar24.com/threa...-FlightRadar24). They are not personalised and pretend to come from DHL. Inside seems to be malware written in JavaScript. I wrote down my login credentials on 30.10.2014 so it seems to be in the same time range.

          Olov, can I send you the 3 emails in a password protected ZIP file via PM, if it helps you somehow?
          Last edited by StanE; 2016-02-10, 21:21.



          • PS: I de-obfuscated the JavaScript malware payload and can confirm that it is indeed a downloader, which downloads a Windows executable to your system...

            Here are the VirusTotal scanning results: https://www.virustotal.com/en/file/c...is/1455138279/

            Based on the few name matches, it seems to be one of those stupid malware, which encrypts your system, so you have to pay money for decryption (just guessing...).



            • Originally posted by StanE
              PS: I de-obfuscated the JavaScript malware payload and can confirm that it is indeed a downloader, which downloads a Windows executable to your system...

              Here are the VirusTotal scanning results: https://www.virustotal.com/en/file/c...is/1455138279/

              Based on the few name matches, it seems to be one of those stupid malware, which encrypts your system, so you have to pay money for decryption (just guessing...).
              spamassassin has caught all of these anyway - but trying to install a windaz executable on my linux desktops/laptops (I do not use windaz - period) won't get them far


              Easy enough to stop everything destined to that address except from fr24 at MTA stage now with milter-regex



              • Originally posted by StanE
                Olov, can I send you the 3 emails in a password protected ZIP file via PM, if it helps you somehow?
                That's OK, we already have them.

                Still haven't found any signs of intrusion in any of our servers, and all users with fr24 exclusive email addresses that received spam registered 12 months+ ago.

                We have one theory involving a confirmed security breach at our email provider around that time, but it is very difficult to confirm it 100%. Still working on it!



                • Originally posted by Olov
                  We have one theory involving a confirmed security breach at our email provider around that time, but it is very difficult to confirm it 100%. Still working on it!
                  Did you already rule out Tapatalk as a possible intrusion vector?
                  T-EDDI15RasPi2 + RTL2838 USB dongle + stock antenna



                  • Thank you for this info. Can you say something about similarities (except the time range)? I'm from Germany, use the local client Thunderbird, email address is not from a "public" email server, but from my own domain of my hosting provider all-inkl.com, emails are downloaded locally and do not reside online. Also, my email address begins with fr24@... (I saw that at least one other affected user here seems to use exactly the same email prefix too).



                    • Originally posted by StanE
                      Thank you for this info. Can you say something about similarities (except the time range)? I'm from Germany, use the local client Thunderbird, email address is not from a "public" email server, but from my own domain of my hosting provider all-inkl.com, emails are downloaded locally and do not reside online. Also, my email address begins with fr24@... (I saw that at least one other affected user here seems to use exactly the same email prefix too).
                      Basically all we have at this point is the time range.

                      It is likely that only users with Flightradar24-specific email addresses would report this issue to us, the rest would never know the source that leaked their email address.
                      It is also likely that a fair share of the users with Flightradar24-specific emails have chosen to name them fr24, flightradar24, radar24 and so on.

                      Did you report this to support btw? We are interested in all users with Flightradar24 specific email addresses that received spam to report this.. to be able to narrow down the time period even more.

                      Thanks
                      Olov



                      • Originally posted by mbirth
                        Did you already rule out Tapatalk as a possible intrusion vector?
                        Yes, it is 100% ruled out to be linked to the forum database.



                        • Yes, I used the contact form here and used my affected email address. Not sure, if I added my registration date (I think 30.10.2014) and my forum nick.



                          • Originally posted by YSWG
                            These are just guesses, need to get an airband radio.

                            HARR - Harry?
                            CHLE - Charlie or Charles?
                            CHCK - Chuck?

                            ROLR is Roller
                            For those interested :-
                            HARR - Harrier (RSAF)
                            CHLE - Charlie (RAAF BFTS Solo Student)
                            CHCK - Check (RAAF BFTS Check Ride / Test)



                            • Originally posted by Shadow75
                              For those interested :-
                              HARR - Harrier (RSAF)
                              CHLE - Charlie (RAAF BFTS Solo Student)
                              CHCK - Check (RAAF BFTS Check Ride / Test)
                              Thanks for the info.



                              • F-YTNK1 Tennant Creek
                                Great to see this feeder back after quite a while off air.
