Attention! New kind of security scam

Hello,
I just made this account because I received an email saying that the Let's Encrypt team is contacting me to update the security for my Shopify store.
The scam might be convincing for some, so I just wanted to point it out, and since the Let's Encrypt name is being used I thought it should be posted here.

They will ask you to put your Shopify login details and then redirect you to your website.
This is the email of the sender: tlsreport@securemailer.net
and this is the phishing page: https://error-prevention-sys.com/?u=(some generated code)
I didn't know what to do with this information, so I wanted to warn people about it.

6 Likes

Thanks for posting this! Always good to warn people.

I'm curious, are you actually a Let's Encrypt user? Looking at the blurring you are. And was the e-mail sent to an e-mail address you've used for Let's Encrypt usage perhaps?

@lestaff Any idea what this is? And how it can be possible that LE users are being spammed? Or is it perhaps due to a data leak at Shopify?

3 Likes

I'm assuming it's just due to some public email (whois data maybe, or posted on the sites themselves), combined with looking up certificate transparency data.

In terms of "what to do with this information", you can report the sites to Google Safe Browsing and Microsoft SmartScreen (see the links in the FAQ), and you can report the email however you report other spammy emails depending on your mail provider. (You can dig through the headers, find the IP that sent it to your mail system, and find an abuse contact for that IP, but that sadly isn't always worth doing nowadays.)

4 Likes
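The header check mentioned in the reply above, as an added example (not code from any poster or from Let's Encrypt): it walks the `Received` lines from the top and returns the first external address recorded by your own mail servers, ignoring lower lines that the sender could have forged. The sample message, the host names and the `own_suffix` parameter are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: documentation IP ranges and example domains only.
SAMPLE = """\
Received: from mx1.mail.example.net (10.0.0.5) by store.mail.example.net
 with ESMTP id abc; Mon, 10 Feb 2025 10:00:03 +0000
Received: from relay.sender.example (unknown [203.0.113.45])
 by mx1.mail.example.net with ESMTP id def; Mon, 10 Feb 2025 10:00:01 +0000
Received: from trusted.example.org ([198.51.100.7]) by relay.sender.example;
 Mon, 10 Feb 2025 09:59:58 +0000
From: "TLS report" <report@sender.example>
Subject: Action required

body
"""

INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
IP_RE = re.compile(r"[\[(]\s*(?:IPv6:)?([0-9A-Fa-f:.]{3,})\s*[\])]")

def handoff_ip(raw_message, own_suffix):
    """Return the address that handed the message to our mail system, or None.

    own_suffix (assumption): DNS suffix shared by the receiving servers.
    """
    msg = message_from_string(raw_message)
    # Each server prepends its own Received line, so read from the top down.
    for hop in msg.get_all("Received", []):
        parts = " ".join(hop.split()).split(" by ", 1)  # unfold, then split
        if len(parts) != 2:
            return None
        by_host = parts[1].split()[0].rstrip(";").lower()
        if not by_host.endswith(own_suffix):
            # Not written by our servers: this line and all lower ones were
            # supplied by the sender and may be forged.
            return None
        for cand in IP_RE.findall(parts[0]):
            try:
                ip = ipaddress.ip_address(cand)
            except ValueError:
                continue  # bracketed text that is not an address
            if not any(ip in net for net in INTERNAL):
                return str(ip)  # first external peer seen by our servers
    return None

if __name__ == "__main__":
    print(handoff_ip(SAMPLE, ".mail.example.net"))
```

The returned address is the one to look up in WHOIS or RDAP for an abuse contact; the `198.51.100.7` hop in the sample is never reported because it sits below the trust boundary.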

Thanks for your vigilance and your report! I DMed you directly about getting more details.

We had several reports of scam e-mails with a similar template, pointing to tls-internalserver dot com, on February 3.

I've reported this new campaign to the domain registrar and Web host, and am submitting the target URL to Safe Browsing and similar services.

5 Likes

I have mails

  • from my own domain (no webspace, no mail space), sometimes from info to info, so completely stupid
  • from my server provider, my domain would expire (but the domain uses a different dns provider, not the server provider as dns provider)

Conclusion: Every domain with some traffic -> such mails are sent.

Always check the link in the mail.

2 Likes

That does still work, but there is an even more effective approach to use in this case...

Because the email mentioned Shopify, the recipient or Let's Encrypt can reach out to them for "help". Large vendors and tech companies typically have legal and compliance teams that work with ISPs, and they tend to be very effective in deplatforming scammers/phishers.

5 Likes
