[conspire] conspire list hacked?

Rick Moen rick at linuxmafia.com
Sun Feb 17 12:28:31 PST 2019


Quoting Paul Zander (paulz at ieee.org):

> I just had an odd email.  From the list of messages, it appeared to have come from the Conspire list.  After reading it, I found the deception.
> 
> From: AddThis Share Tools <email at addthis.com>
> To:conspire at linuxmafia.com

Short version, no.  That's not what happened.  Longtime CABAL member
Howard Sussman was sharing a news item at online news site
bleepingcomputer.com about yet another variety of malign USB cable using
'social bookmarking service' AddThis.



Longer version:

It's good to do SMTP header analysis, so I applaud your trying that, but
the From: header in this case was a forgery.  You have to look more
closely:

Received: from mtaout-63225-pao.dynect.net ([208.76.63.225])
        by linuxmafia.com with esmtp (Exim 4.72)
        (envelope-from <bounces+conspire=linuxmafia.com at dynect-mailer.net>)
        id 1gvQdI-0006Ax-9v
        for conspire at linuxmafia.com; Sun, 17 Feb 2019 09:53:47 -0800
Date: Sun, 17 Feb 2019 17:53:33 +0000
To: conspire at linuxmafia.com
From: AddThis Share Tools <email at addthis.com>
Sender: howard at scsurplus.com
Message-Id: <20190217175333.05FEB8065238 at legacyapi6-26-ussnn1.prod.dc.dynback.net>
X-EmailId: 60142745-6f8b-4dc1-84d7-7bcac5625aa0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-DynectEmail-Msg-Hash: byPkDFxves6EOGDn1peRNeIe02OIJH5CdLqxMLzUeO9TUD/XOys5iQVFOJgG2lVE4Nf69NZkK5bXDdejdLf1xizM7c3ogfa/3eNIaiVFqU4aDGeIn06gDdDYreEWCltI
X-DynEmail-Meta: DLxwAJvSJ4XoNxJj5ByihG5HNWSXz7iF2aj8J2FkVGiHAzW5GSuo83q1QAF5S0Ptyf/y+Jd3EDB4XoNMp05DMGeo/94RBwKRt0DA7AXSUCd7RwGh5dJm9sJxXc9IdTM+GKLO2KkSdKRHr/n9eM5C2p35DhB1Wb0eU3YsZPQJame9AArDRM8Jw8Ap6VvDx4zrGjgAJRsrBWPaubjuL e3XLC6VFi0djvK8sVKSQSUMo3o=
X-DynectEmail-Msg-Key: 20190217175333.0000009f8ace at mail6-64-ussnn1
X-DynectEmail-X-Headers:
X-Feedback-ID: UXVpYmlkc1ZNVEFz:489773:423886:dyn06
X-SA-Exim-Connect-IP: 208.76.63.225


So, it actually got robo-sent through the workstation of subscriber
Howard Sussman <howard at scsurplus.com> by a business called Clearspring
Technologies d/b/a AddThis.  There is an AddThis 'share' button on many
Web sites that Web-browsing users can use to notify their friends about
links.  And so, the takeaway is that Howard was using that widget to
let Conspire users know about the 'New Offensive USB Cable Allows Remote
Attacks over WiFi' story at BleepingComputer.

Since I don't see an AddThis widget on that story itself, I suspect
Howard saw mention of the story on a third-party news-aggregation site
that has the AddThis 'share' widget.

Howard, to avoid this sort of follow-up discussion, you might want to
just post links directly to Conspire _yourself_, and not use 'share'
widgets.  (For one thing, those widgets might do other mischief.)
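As an added example (not code from Rick's post or from the list software), a small Python check in the spirit of the header analysis above: it parses a constructed header block adapted from the one quoted (the archive's " at " obfuscation restored to "@", the long opaque X- headers dropped) and reports whether the header From: domain is backed by either the envelope sender or the Sender: header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, adapted from the header block quoted in the post above.
SAMPLE = """\
Received: from mtaout-63225-pao.dynect.net ([208.76.63.225])
        by linuxmafia.com with esmtp (Exim 4.72)
        (envelope-from <bounces+conspire=linuxmafia.com@dynect-mailer.net>)
        id 1gvQdI-0006Ax-9v
        for conspire@linuxmafia.com; Sun, 17 Feb 2019 09:53:47 -0800
Date: Sun, 17 Feb 2019 17:53:33 +0000
To: conspire@linuxmafia.com
From: AddThis Share Tools <email@addthis.com>
Sender: howard@scsurplus.com
Message-Id: <20190217175333.05FEB8065238@legacyapi6-26-ussnn1.prod.dc.dynback.net>
X-SA-Exim-Connect-IP: 208.76.63.225

(body omitted)
"""

def domain(addr):
    """Domain part of an address (lower-cased), or '' if there is none."""
    _, a = parseaddr(addr or "")
    return a.rpartition("@")[2].lower()

def analyze(raw):
    """Compare the cosmetic From: header with what the transport vouched for."""
    msg = message_from_string(raw)
    # The first Received: line is the hop nearest to us, i.e. the one our
    # own MTA wrote; its envelope-from and connecting IP are trustworthy.
    first_hop = (msg.get_all("Received") or [""])[0]
    env = re.search(r"envelope-from\s+<([^>]+)>", first_hop)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", first_hop)
    report = {
        "from": domain(msg.get("From")),
        "sender": domain(msg.get("Sender")),
        "envelope_from": domain(env.group(1) if env else ""),
        "connect_ip": ip.group(1) if ip else "",
    }
    backed = report["from"] in (report["envelope_from"], report["sender"])
    report["verdict"] = ("header From: consistent with transport" if backed
                         else "header From: not backed by envelope or Sender:")
    return report

if __name__ == "__main__":
    for k, v in analyze(SAMPLE).items():
        print(f"{k:14} {v}")
```

On the sample this reports From: addthis.com against envelope dynect-mailer.net and Sender: scsurplus.com, which is exactly the mismatch the post walks through.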
