Chad Waters via plug on 28 Dec 2021 16:07:08 -0800



Re: [PLUG] Hacker question




On Tue, Dec 28, 2021 at 6:06 PM Randall Detra via plug <plug@lists.phillylinux.org> wrote:
Sorry if this is not a direct Linux question but I only use Linux.  I am not sure if that matters in this case.

I have been occasionally getting phishing emails claiming to be from CVS and promising some wonderful gifts if I take a short survey.  I know it is a scam, of course, and so I have examined the email source data.  It always has the same Google address, specifically for Mountain View, CA.  It passes all tests for DKIM, SPF and DMARC.  The language is often grammatically screwed up, and there is usually a very long base64 encryption which seems to be necessary for this scheme.  When translated I usually find scattered pieces from LA Times and material from what appear to be random web pages.  They can be from Brazil, Australia or some other advertising from companies in the USA.

I am curious if Google knows their IP address is being used this way.  I wonder also, how do they do this?  I also wonder if the companies whose web pages have been evidently hacked this way have any reason to be concerned. 

I have reported it to Google and even the District Attorney.  There has been no interest in it.  I did report it to a computer society in Australia and they thanked me but that is all I have heard.


It sounds like spam that is coming from a legitimate Gmail account.

There’s really not much you can do but:
1) report it to Google abuse
2) report any websites to their ISP (IP whois)
3) block the address

You probably won’t hear anything back beyond automated replies.

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
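
Added example, not part of the thread: a Python sketch of the source inspection discussed above. It reads the receiving server's Authentication-Results verdicts, lists relay IPs from Received headers (for whois and abuse reports), and decodes base64-encoded text parts. The sample message, domains and IP are constructed, and the function names are hypothetical.

```python
import base64
import email
import re
from email import policy

# Constructed sample (not from the thread): example domains, documentation IP.
BODY = "<p>Claim your gift</p><!-- unrelated news text used as filler -->"
RAW = (
    "Received: from mail.example.net (mail.example.net [203.0.113.25])\n"
    " by mx.example.org with ESMTPS; Tue, 28 Dec 2021 10:00:00 -0800\n"
    "Authentication-Results: mx.example.org;\n"
    " dkim=pass header.d=example.net;\n"
    " spf=pass smtp.mailfrom=example.net;\n"
    " dmarc=pass header.from=example.net\n"
    "From: Rewards <promo@example.net>\n"
    "Subject: Short survey\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n" + base64.b64encode(BODY.encode()).decode() + "\n"
)

def auth_verdicts(msg):
    """Return the first dkim/spf/dmarc verdict recorded by the receiving server."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(dkim|spf|dmarc)=(\w+)", str(value)):
            verdicts.setdefault(mech, result.lower())
    return verdicts

def relay_ips(msg):
    """IPv4 addresses in Received headers, newest hop first (for whois lookups)."""
    ips = []
    for value in msg.get_all("Received", []):
        ips += re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(value))
    return ips

def decoded_text_parts(msg):
    """Decode each text part; returns (content type, transfer encoding, text)."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            cte = str(part.get("Content-Transfer-Encoding", "7bit")).lower()
            out.append((part.get_content_type(), cte, part.get_content()))
    return out

def triage(raw):
    """Parse a raw message and return (verdicts, relay IPs, decoded text parts)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return auth_verdicts(msg), relay_ips(msg), decoded_text_parts(msg)

if __name__ == "__main__":
    print(triage(RAW))
```

Only the Received header added by your own mail server is trustworthy; earlier hops are supplied by the sender and can be forged.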