
Notary Rotary
signing service databases have been hacked

Posted by CarolynCO on 5/15/05 12:03pm
Msg #37930

signing service databases have been hacked

It appears from my own e-mail and reading the thread at GMN that someone has hacked into several SS databases and is sending mail in German, Dutch and English. Some have several links attached, and some just come from Postmaster as undeliverable. The header in the last one I received shows it coming from signing-services.com and lists the names of several posters from NotRot and GMN. Norton is throwing all of mine in my spam folder, but just in case, I have updated all my virus checkers and run a virus check after each e-mail and have set my firewall to be more aggressive.

Reply by ERNA_CA on 5/15/05 12:07pm
Msg #37932

I have been getting them too.

Reply by BrendaTx on 5/15/05 12:45pm
Msg #37938

I am getting them as well. The first thought I had was that a database has been hacked into.

However, since I have more than one email posted on my website some of which go into my catch-all email address account, I think they are coming from email harvesters which are crawling the notary boards and notary websites linked to the notary boards.

Reply by ERNA_CA on 5/15/05 1:03pm
Msg #37940

I have more than one email address and it was not coming to the one I use for loan packages, so I just blocked the one that was sending the garbage. Problem fixed, at least for now.

Reply by Alan65/CA on 5/15/05 3:47pm
Msg #37964

I am in no one's database, and I have been getting them also.

Reply by CarolynCO on 5/15/05 10:23pm
Msg #37991

Alan,
You haven't signed up with any signing services?

Reply by CarolynCO on 5/15/05 4:27pm
Msg #37965

Bren,
The one that I got in English, and the reason I posted was that included in the body of the e-mail was about 50 names and e-mail addresses of people on NotRot and GMN. Many of the names I have never corresponded with, either online or through e-mails. There was also reference to NASCO and Nations and signing-services.com. As Harry suggested, I ran the Sober Tool Remover -- took me three tries to get an *authentic* one, and I'm not infected. After getting about 25 German/Danish or whatever language at one time last night (after 3-5 every day during the past week), I set Norton up to block and immediately throw them into my Spam folder. Between that and tweaking my three firewalls, I haven't received any in about three hours.

Reply by BrendaTx on 5/15/05 4:49pm
Msg #37967

Not the same as what I refer to...

different kind of email junk than I have been getting.

I have not gotten any of these you refer to.

I am running the Sober Checker Tool right now.

Reply by CarolynCO on 5/15/05 8:25pm
Msg #37979

Re: Not the same as what I refer to...

This past week and this weekend I've had several different types of e-mails -- I've had the postmaster returned ones, the German ones, the registration confirmations -- everything everyone else has had, plus the one with everyone's names and e-mail addresses in the body of the e-mail. Three or four years ago I got infected with the Opserve worm. What a PITA that one was. It was written so every time Norton would find it and wipe it out, it would write itself as an .exe file, and send itself to everyone in my Outlook contacts, thus infecting them as well. All my attorney clients just loved me for that. NOT. As a safety precaution, I've wiped out all my contacts off each computer, because I don't want to have it going to my attorneys again and manually typing in the name when I've been sending e-mails. I don't know if everyone else is still getting bombarded, but I haven't received any today since about 10:00 a.m.

Reply by BrendaTx on 5/15/05 9:18pm
Msg #37982

Okay, I got an email tonight with about 50...

Okay, I got an email tonight with about 50 [e-mail address] in the body of it. (xxx being the various email addys).

Okay...now, does this mean I am infected? The "genuine" Norton tool said I am not.
--------
The detail.txt said:

Reporting-MTA: dns;njrarsvr214b.us.ups.com
Received-From-MTA: dns;ups.com
Arrival-Date: Sun, 15 May 2005 16:07:40 -0400

Final-Recipient: [e-mail address]
Action: failed
Status: 5.1.1

Final-Recipient: [e-mail address]
Action: failed
Status: 5.1.1

etc. etc.
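
An added example, not part of the original thread: a small parser for the delivery-status fields quoted in the detail.txt above. It groups the report into its per-message block and per-recipient blocks and counts failures by status code. The recipient addresses and the third, delayed recipient are constructed sample data; the function names are illustrative.

```python
import re
from collections import Counter
from email.parser import HeaderParser

# Constructed sample in the shape of the detail.txt quoted above; the
# recipient addresses are placeholders, not values from the thread.
SAMPLE_DSN = """\
Reporting-MTA: dns;njrarsvr214b.us.ups.com
Received-From-MTA: dns;ups.com
Arrival-Date: Sun, 15 May 2005 16:07:40 -0400

Final-Recipient: rfc822;nobody1@example.invalid
Action: failed
Status: 5.1.1

Final-Recipient: rfc822;nobody2@example.invalid
Action: failed
Status: 5.1.1

Final-Recipient: rfc822;nobody3@example.invalid
Action: delayed
Status: 4.4.1
"""


def parse_dsn(text):
    """Return (per-message fields, [per-recipient fields]) from a report body."""
    text = text.replace("\r\n", "\n")
    blocks = [b.strip() for b in re.split(r"\n\s*\n", text) if b.strip()]
    parser = HeaderParser()
    groups = [{k.lower(): v.strip() for k, v in parser.parsestr(b + "\n").items()}
              for b in blocks]
    groups = [g for g in groups if g]  # drop blocks with no "Name: value" fields
    if not groups or "reporting-mta" not in groups[0]:
        raise ValueError("not a delivery-status report")
    return groups[0], groups[1:]


def summarize(text):
    """Count recipients and failures; status class 5.x.x is a permanent failure."""
    per_msg, recipients = parse_dsn(text)
    _, _, mta_name = per_msg["reporting-mta"].partition(";")
    failed = [r for r in recipients if r.get("action", "").lower() == "failed"]
    by_status = Counter(r.get("status", "?") for r in failed)
    return {
        "reporting_mta": mta_name.strip(),
        "recipients": len(recipients),
        "failed": len(failed),
        "by_status": dict(by_status),
        "permanent": sum(n for s, n in by_status.items() if s.startswith("5.")),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_DSN))
```

Status 5.1.1 is the standard code for a destination mailbox that does not exist, so each failed entry records one address the reporting server refused.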

Reply by CarolynCO on 5/15/05 10:02pm
Msg #37988

Re: Okay, I got an email tonight with about 50...

I honestly don't know, Brenda. I have Norton Professional on the 3 desktops and the one laptop. According to Harry's post, the worm, or whatever it is, attacks Norton's Live Update (which is what updates new virus definitions, etc.). As with you, after 3 tries of getting an authentic Norton tool remover, each computer says it's not infected. Comcast has built-in McAfee, as well. There is a Stinger tool you can also use to remove the infection. If you go to http://us.mcafee.com/virusInfo you can read about McAfee's tool.

Reply by BrendaTx on 5/16/05 12:42am
Msg #37999

Re: Okay, I got an email tonight with about 50...

I think I have some of that built-in protection with my email accts.

Reply by CarolynCO on 5/16/05 7:36am
Msg #38008

Re: Okay, I got an email tonight with about 50...

Brenda, I'm assuming you have firewalls, too. When I got Opserve a few years ago, it wasn't through an e-mail or attachment at all -- it was through a port scan. I've been reading so much about this one, that I *think* I remember it can infect the computers through port scans, too.

Reply by BrendaTx on 5/16/05 8:07am
Msg #38010

Carolyn - yes to firewalls...

and something scans me all the time according to my report / log info.

Reply by CarolynCO on 5/16/05 11:35pm
Msg #38242

Re: Carolyn - yes to firewalls...

My firewall has an option that I can turn on and watch the number crawlers and their hits/attempts of trying to gain access through open ports -- thankfully, they are all blocked.

Reply by Susan Axelrod on 5/15/05 12:15pm
Msg #37934

Re: signing service databases have been hacked-To Carolyn

I have noticed the very same thing, an increase in my junk mail. Thanks for bringing this up.

Reply by Harry [NR] on 5/15/05 1:33pm
Msg #37945

What you're seeing might, in fact, be due to a mass-mailing worm rather than a hacked database. I recently sent the following message to one of our members because we were receiving a large number of bounced e-mail messages that were originally sent from her computer masquerading as [e-mail address]. The recipients were primarily notary-related, which the virus probably pulled from her address book. Looking at the mail headers and subjects, it appeared to be the Sober Worm. Here it is:


Dear [Notary Rotary Member] -

Based on rejected e-mail messages we've been receiving, there appears to be a good possibility that your computer is infected with the Sober virus, which is a mass mailing worm. We believe your computer has sent a large number of messages pretending to be from our domain, notaryrotary.com, since we received a large number of rejected messages. One of the IP addresses referenced in those messages was yours.

If this e-mail reaches you, please run an antivirus scanner if you have one. For more information on this virus, you can visit the Symantec website:

http://securityresponse.symantec.com/avcenter/venc/data/[e-mail address]

If we continue to receive messages from mail servers that appear to have been originally sent from your computer, we will call to follow-up.

Best,

Harry Shoemaker
Notary Rotary, Inc.
http://www.notaryrotary.com


Reply by ERNA_CA on 5/15/05 1:59pm
Msg #37951

I downloaded and ran the tool on that site. I am not infected. Good idea for all that are getting the junk emails to run it.
Thank you Harry

Reply by LaurieCPA on 5/15/05 2:09pm
Msg #37954

Thank you for clearing up the mystery as to how I had 8 emails in German this am!

Reply by Mike/NJ on 5/15/05 2:46pm
Msg #37961

100 emails in the last 2 days...what a PITA..

Reply by ERNA_CA on 5/15/05 5:36pm
Msg #37975

Might explain why one of the signing services could not get a loan package through to me because it was too big. Might have a worm attached to everything they send. I had just printed two sets of docs so it had nothing to do with anything on my end. I sent them the tool in case that is the problem.

Reply by Mike/NJ on 5/15/05 6:59pm
Msg #37977

Seems NotaryRotary Dbase was hit.. I have 4 from [e-mail address]

Reply by MI_Notary on 5/15/05 8:42pm
Msg #37981

I am getting them as well.

Reply by monica/OK on 5/15/05 10:55pm
Msg #37994

These internet criminals are bright and can do all kinds of things to make it look like the emails are coming from anywhere. After all, if you could track where it was really coming from, the Police or FBI would be knocking down their doors. I received emails last week from no less than five new email addresses with our domain name as the extension. None of those email addresses exist and none of those emails came from our email server.
I'm getting all the German stuff as well and regret that my email has been so openly shared over the years, yet it was necessary and I would have missed corresponding with so many wonderful people. There is no need to hack into the databases of Signing Services because if you advertise your services or list on any web site there are programs that can strip, or as the other poster wrote "harvest" them for further use.
We can get worms and viruses no matter how hard we try not to...but usually it's just spoofers. I'd like to give Spoofing a new meaning and turn the tables on them....
Maybe some day! lol.
My baby graduates high school this week! I think I'm going to cry!

Reply by SamIam_CA on 5/16/05 9:52am
Msg #38013

Re: spoofing

***These INTERNET criminals are bright and can do all kinds of things to make it look like the emails are coming from anywhere.***

This is SO true. One of my garden gnomes was 'liberated' and I get e-mails from all kinds of addresses. If my gnome can do it - imagine what actual criminals can do.

Reply by Mary Pierce/PA on 5/16/05 6:09am
Msg #38001

I am getting them too. Geeez what a PITA. I even have received from the fedex.com and ups.com domains.

Reply by Mary Pierce/PA on 5/16/05 6:21am
Msg #38002

I don't know if this means anything or not but when I clicked on my Norton's to run a live update I had an error on my email scanning. It seemed like it was turned off but when I clicked on the preferences I had it enabled. I restarted my computer and it's back up and running. I wonder if one of these emails disabled it.

Reply by PAW_Fl on 5/16/05 6:49am
Msg #38004

During the "Live Update", NAV must disable the email virus scanning during the download. If it didn't, then you wouldn't be able to receive the updated signature file. After the update is completed, NAV re-enables email scanning (if it was turned on before the download).

It's not an error to see email scanning disabled during the live update process.

Reply by Mary Pierce/PA on 5/16/05 6:53am
Msg #38006

I wasn't running the live update yet.

Does anyone recognize this email address [e-mail address]?

Reply by CarolynCO on 5/16/05 7:33am
Msg #38007

Re: Read the links regarding the virus/bug

Mary,
If you've read links regarding the worm (i.e., Norton and McAfee), the addresses mean nothing. Also, the worm goes after Norton Live Update. I suggest you take Harry's advice and download the tool from Norton. Print off all the instructions first and follow them exactly. Also, make sure you get an *authentic* tool, because the same people that create these worms/viruses also create fake tools. Additionally, as Norton's instructions tell you to do, after using the tool, you need to download Live Update again to make sure that Live Update hasn't been affected.

Reply by Mary Pierce/PA on 5/16/05 10:03am
Msg #38014

Re: Read the links regarding the virus/bug

I realize the address doesn't mean anything. Amazing how these people can do this stuff. I was just curious because that address looked familiar to me for some reason. Anyway, I will check out what Harry said. I did download that tool from Norton's site and ran it and came up uninfected. What a PITA that you have to sift through all these emails to see if there are any genuine. Good thing most of them have the subjects in German. You can easily pick them out.

Reply by Mary Pierce/PA on 5/16/05 10:58am
Msg #38019

Re: Read the links regarding the virus/bug

You know the interesting thing about these is these emails are never actually directed right at my email address. It's either info@ or something [e-mail address]. Never my actual email address.

Reply by Teasa/Ny on 5/16/05 12:13pm
Msg #38030

Re: Read the links regarding the virus/bug

I just received an email that said my email failed and in it was a huge amount of email addresses from Nations Sign Closers in Kansas. I never sent an email to Nations. It looks like the addresses in the email are of their whole database of people? Bizarre.

Reply by Kiso on 5/16/05 12:28pm
Msg #38035

Re: Read the links regarding the virus/bug

I don't think anyone is hacking into any notary databases, I'm here at work and we're getting those emails....I'm in a lot of notary databases and I'm not getting any of these, it's just other users. I think it's a new thing that came out over the weekend...not sure, but they're in German, too.
Smiley

Reply by ERNA_CA on 5/16/05 1:36pm
Msg #38050

Re: Read the links regarding the virus/bug

Everything I have been reading says that the email addresses are being harvested off sites so that indicates hacking into databases. Correct me if I am wrong Smiley

Reply by CarolynCO on 5/17/05 10:31pm
Msg #38510

Re: Harvested names/e-mail addresses

*Everything I have been reading says that the email addresses are being harvested off sites so that indicates hacking into databases. *

I have set it up so all these e-mails are going into my spam folder. I also have the preview turned on, so I don't actually have to open the e-mail, but I can see the contents of the e-mail. Between Friday night and tonight, I have seen just about everyone's name from NotRot and GMN included in either the text of the e-mail, or in the address field of the e-mail, along with names of signing services and loan companies. Random, coincidence or just flukes that notary names are grouped together in these e-mails ...

Reply by CarolynCO on 5/18/05 5:28am
Msg #38563

Re: P.S. Harvested names/e-mail addresses

I know other people have posted that they are also receiving these e-mails on accounts not used for signings. However, my situation is just the opposite. Before I got Broadband, I had a dialup service with MSN for several years. Although I've now had Broadband for more than three years, many of my attorneys have failed to update their contact records, thus, MSN converted the account to a hotmail account so I am able to get my mail from people who still use the MSN e-mail address. SSs know nothing of this e-mail address (which still uses the same MSN address using an @MSN extension as opposed to most @hotmail extensions), nor is the address posted in any database. Although I receive all the really dirty smut through the MSN address, I have not received ONE e-mail through my free MSN account that's now flooding my paid Broadband biz account.

Reply by PAW_Fl on 5/16/05 2:20pm
Msg #38062

SS Databases have NOT been hacked ...

Reply by PAW_Fl on 5/16/05 2:22pm
Msg #38064

Re: SS Databases have NOT been hacked ... (hit enter 2 soon)

From Computerworld ...

Latest Sober worm sends German spam
Sober.q began spreading quickly online over the weekend


News Story by Scarlet Pruitt

MAY 16, 2005 (IDG NEWS SERVICE) - E-mail users perplexed by the barrage of German-language spam waiting in their in-boxes this morning can blame the latest version of the Sober mass-mailing worm, which began rapidly spreading over the weekend.

Sober.q uses both German- and English-language messages to direct recipients to Web sites with right-wing German nationalistic content, according to an advisory from e-mail security company MX Logic Inc. in Englewood, Colo. One of the URLs points to the Web site of the right-wing German National Democratic Party, the security firm said.

MX Logic said that it had seen over 125,000 instances of Sober.q overnight Saturday and into Sunday and labeled it as a high-severity threat. The variant is downloaded by computers already infected by the Sober.p worm, which began circulating earlier this month, MX Logic said. The virus writers appear to have remote control over the Sober.p-infected machines (see story), giving them a network from which to launch future spam and denial-of-service attacks.

The latest Sober variant is one of a relatively new type of "propaganda spam," meant to spread political messages rather than sell a product or service, MX Logic said. Circulation of the worm coincides with ceremonies marking the 60th anniversary of the end of World War II in Europe and examples of subject lines it sends include "Dresden 1945" and "Du wirst zum Sklaven gemacht!!!" ("You are made slaves!!!").

"We are certainly seeing more propaganda spam," said Graham Cluley, a senior technology consultant at Sophos PLC. Security researchers began detecting religious spam selling a particular view of life last year, Cluley said.

Although Sophos is seeing a lot of German-language spam sent by the new Sober variant, the worm itself doesn't appear to be spreading anymore, Cluley said.

E-mail users are advised to update their spam filters to guard against the new Sober spam.


Reprinted with permission from IDG (visit IDG.net)
Story copyright 2005 International Data Group. All rights reserved.


 
 
Notary Rotary® is a trademark of Notary Rotary, Inc. Copyright © 2002-2013, Notary Rotary, Inc.  All rights reserved.
500 New York Ave, Des Moines, IA 50313.