[darkskiez]

Sorry, mein Deutsch ist nicht so gut, ich hoffe, dass dieses Forum in Ordnung ist mit dem gelegentlichen Beitrag in Englisch ...

I'm pretty confident either the shop I bought my Stromer from, or Stromer itself has managed to leak its customer data. They had slightly the wrong name and phone number for me initially when I bought the bike, and I just received a very good targeted virus email with exactly these details in it. (it was caught by gmail in my spam box, maybe check your spam box too)


If other customers of the same shop (I not sure I should name them because they are pretty awesome otherwise) or Stromer got this email then this can be narrowed down to where needs to improve their security.

So, be careful with this email if you have it, and I'd be interested if anyone else received it.

----

"Subject: Fragen zu der Einkommensteuererklarung Ihre Rufnummer 07xxxxxx ist nicht erreichbar

Sehr geherte Frau xxxxxx , sehr geherter Herr xxxxxx.

Ich bin Liana Bärtschi, ich bin Steuerinspektor in Ihrem Bezirk.

Es gibt einige Fragen zu Ihrer Einkommensteuererklärung

Dieses Dokument schliesst in sich....ein die Liste von Fragen zu Ihrer Einkommensteuererklärung und meine Telefonnummer.


Mit freundlichen Grüssen
Liana Bärtschi


Eidgenössische Steuerverwaltung ESTV
"

[CCRider]

Hallo

habe die e-Mail auch erhalten. Etwas erstaunt war ich im ersten Moment auch darüber.

Da mir das Schweizer Steuersystem jedoch bekannt ist, war mir klar, dass es mit diesem Absender ein Fake sein muss, denn die Zuständigkeiten sind hierzulande anders geregelt.

Deshalb habe ich diese e-Mail gleich und ohne weitere Gedanken und Zeit darauf zu verwenden, gelöscht.

Dass die Datenquelle bei Stromer sein soll, überrascht mich dann doch auch. Dies kann, rückblickend auch bei mir, durchaus möglich sein, denn die genutzte e-Mailadresse und die genannten Telefonnummern habe ich nur bei der Registration des Stromers angegeben.

Grüsse, CCRider

[CCRider]

Hello

got the e-mail as well. I was a bit astonished at the first moment.

Since the Swiss tax system is known to me, however, it was clear to me that this sender must be a fake because the responsibilities are differently regulated.

Therefore I deleted this e-mail the same and without further thoughts and time to use it.

The fact that the data source should be at Stromer, surprises me but then synonymous. This can be, with hindsight also with me, quite possible, because the used e-Mailadresse and the mentioned telephone numbers I have only indicated when the registration of the current.

Greetings, CCRider

[Washy]

Hallo

Auch ich habe diese Mail heute morgen erhalten.
Leider war ich doof genug den Anhang zu öffnen auf meinem Smartphone...

[darkskiez]

It looks like its a MS-Word virus that downloads something else... I don't think your phone is at too much risk.

Its not very well detected yet:

[URL]https://www.virustotal.com/#/file/08ca60f2e242a752efa325791b75c80c27e3f98b8e76c082f69928d59c406631/detection
[/URL]

[bluecat]

Yes, this dedicated mail is a phishing message, the malware is hidden into the attached document.

As the Stromerforum is hosting only plain text and no e-mail accounts, the leak must be somewhere else. Probably, one of the mail-servers of an internet provider was hacked.

Read more about this mail under admin.ch (Swiss Gov.)

[bluecat]

Leider scheint unser Mail-Absender für einen neuen Schwall an ESTV Phising Mails missbraucht geworden zu sein.

Die gefälschten E-Mail sehen "echt" aus. Nur wer weiss, dass die Steuerveranlagung in CH eine Sache der Gemeinden ist, kann ahnen, das etwas faul ist.

Die ESTV kennt das Problem seit Januar.

[darkskiez]

Thanks bluecat for the links.

This is not from Stromerforum, but either Stromer itself, or a shop. My concern is that Stromer has leaked all of our customer data that has been used for these emails and they need to tighten their security.

[bluecat]

This is not from Stromerforum, but either Stromer itself, or a shop.

Do you still have the message in the trashcan?

What is the exact sender address (might be hidden behind another "address")?

I expect, the attacker is using several real existing sender-addresses to avoid being blocked very early.

[darkskiez]

This is still moving away from the problem with stromer/shop being the source of the customer data leak and focusing on this specific issue, which I would like to avoid, but will answer anyway

As for the "multiple senders", thats not how email spam/viruses works.. Anybody can send mail from any (real or not) email address. The receiver can try to validate some of them with technologies such as SFP, DMARC, DKIM). Email is not authenticated very well. This email originated from an IP address in Russia and spoofed an email from info@afgh.ch


https://pastebin.com/M9LgWX2x has the full email headers for the curious.