An unknown person sent me a message on Telegram (they probably knew my number). They also sent an attachment.
I have deleted the message. It was probably a phishing attempt.
Is there anything else I should do? (An antivirus scan using Malwarebytes shows nothing.)
For the past few weeks, I have frequently been receiving error messages from websites stating that the certificate is invalid. This tends to happen for a while and then resolve itself. Other devices on the same network connection are also experiencing odd behaviour, including a very sporadic internet connection that is either very slow or turns on and off. We had an engineer visit this week to diagnose whether there was a faulty connection, but they left, happy that the connection is working properly.
I understand that receiving ‘bad’ certificates can sometimes be a sign of the system clock or internet settings being poorly configured. I had assumed this might be the case, until I interrogated one of these ‘invalid certificate’ messages more closely (from Firefox on Mac):
Web sites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for eur03.safelinks.protection.outlook.com. The certificate is only valid for the following names: cloudflare-dns.com, *.cloudflare-dns.com, one.one.one.one, 22.214.171.124, 126.96.36.199, <…>
The website I was trying to visit in this case has nothing to do with cloudflare, and the links above lead to a website that appears to be selling a VPN-type service.
Should I be concerned that my internet connection has been tapped, and what would be the appropriate action to take to shake this off?
I’m building a user authentication system in Nodejs and use a confirmation email to verify a new account is real.
The user creates an account, which prompts him/her to check the email for a URL that he/she clicks to verify the account.
It works great, no issues.
What’s unusual is that in testing, when I email myself (to simulate the new user process), and after I click the verify-URL, immediately afterward there are two subsequent connections to the endpoint. Upon inspection, it appears the source IPs belong to Google. What’s even more interesting is that the user agent strings are random versions of Chrome.
Here’s an example of the last sequence. The first one is the HTTP 200 request and the next two (the HTTP 400s) are Google. (Upon user verification I remove the user’s verification code from the database, so that subsequent requests are HTTP 400s.)
188.8.131.52 - - [03/Jul/2020:20:35:40 +0000] "GET /v1/user/verify/95a546cf7ad448a18e7512ced322d96f HTTP/1.1" 200 70 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "hidden.com" "184.108.40.206" "US" "en-US,en;q=0.9"
220.127.116.11 - - [03/Jul/2020:20:35:43 +0000] "GET /v1/user/verify/95a546cf7ad448a18e7512ced322d96f HTTP/1.1" 400 28 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" "hidden.com" "18.104.22.168" "US" "en-US,en;q=0.9"
22.214.171.124 - - [03/Jul/2020:20:35:43 +0000] "GET /v1/user/verify/95a546cf7ad448a18e7512ced322d96f HTTP/1.1" 400 28 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36" "hidden.com" "126.96.36.199" "US" "en-US,en;q=0.9"
Now, I’m using Cloudflare, so the first IP address in each line is a Cloudflare IP address, but the second one you see is the real one (as reported by Cloudflare) … I modified my "combined" log format in Nginx.
Anyhow, any idea what this is? Or why Google would be doing this?
It’s just incredibly suspicious given the use of randomized user agent strings.
And one last note, if I inspect my console w/Chrome and go into the network tab before I click a verification link from my email, the 2 subsequent connections never come. It’s like Google knows I’m monitoring … this is just so incredibly odd that I had to ask the community. I’m thinking maybe this is an extension that’s infected w/some kind of tracking, but how then do the IPs come back as Google?
I’ve been poking around the Services tab on my Windows machine and saw some services with a "normal" name but with this suffix,
_1f699ad, as in the following examples:
Here are some pictures taken from the Services tab.
My question is simple: Is this OK or should I be worried?
Because some of them have access to ScreenCapture and other things which can potentially be harmful (i.e. data theft), and I see no reason to add a meaningless suffix other than to supersede the real service and stay hidden.
I received a suspicious message today from a friend of mine’s inbox; I suspect it’s been compromised.
I analyzed the header, and obviously, since it comes from Gmail’s mail server, it has all the authentication parameters (SPF, DKIM, DMARC) configured and correctly passed.
I’m suspicious of the first hop that the mail performs on an IPv6 address using the HTTP protocol.
Is this considered regular activity?
Around a month ago, I received this SMS:
Translation: “Package XXX-xxxxx could not be delivered on 31.01.2020 because the delivery charges were not paid in full. Check delivery: http: //4jm.us/xxxx”
Me receiving a delivery isn’t that unusual, as I backed a game on Kickstarter, which is in the process of shipping backer rewards, but this is the first time that a delivery was put “on hold” because of something not being paid. Is that normal? It looks a lot like a scam to me, but I also fear that maybe different packages are delivered by different companies and those companies simply handle things differently. How should I proceed?
Over the last few days, one of our endpoints has been calling out to testgvbgjbhjb.com.
I used TCPView to find suspicious connections and checked whether there were any unknown extensions.
The owner of the domain pointed it at 127.0.0.1 and set the following TXT record:
“The owner of this domain does not know why your machine is reaching out to it. Owner saw suspicious traffic in multiple networks and bought it.”
I read the following analysis, but I can’t find the cause of these calls.
This question is partially inspired by this video.
If I find a suspicious device somewhere in a public space, what should I do with the device?
I’d assume it’s best to hand it to the authorities, but again, should I take the device to them?