The sad reality is that the advancements in security measures to protect sensitive data are accompanied by advancements in cyber threats as well. These threats include phishing emails that are designed to trick you into visiting malicious sites that steal sensitive data like passwords, credit card details, usernames, and so on.
A large amount of spam emails were sent using the EspoCRM cloud in the period from August 3rd to August 8th, 2023. This article is a reminder to you to stay vigilant regarding emails that request sensitive information or seem suspicious.
Please note that all information provided below is published for informational purposes only and under no events can be used in any illegal activity.
What happened
Our company offers a cloud-hosted version of EspoCRM, which can be used by our clients. Unfortunately, it has come to our attention that an individual who registered for a free trial of EspoCRM cloud has used our platform for malicious purposes.
So, how did it happen?
- The individual visited our landing page with cloud CRM pricing plans and clicked Free Trial to register for a free 30-day trial of EspoCRM cloud.A malicious actor filled out the registration fields and signed up for the EspoCRM cloud trial.
- Once the trial was registered, the individual logged in to the system as an admin user and altered the Access Info template to make it a spam message.
Note! The ability to edit Access Info and Password Change Link templates was added to the system solely for branding purposes.
To edit the template, the admin user has to navigate to Administration > Template Manager > Select the Access Info template > Make the necessary edits and Save.
The malicious actor altered the template used for sending user credentials to access the system, changing its subject, text, and the access link itself to his own custom text and links.
After that, the individual wrote a script that included the parameter “sendAccessInfo:true”. Using this script, a new user was created through the API and the user’s email address was specified. The system then automatically sent an email containing access information to the specified email address. Finally, the script removed the user from the system.
To illustrate how it worked, we will describe how it can be achieved manually. To create a new user in the system and add the email address, go to Administration > Users > + Create User and fill in the required fields (Username, Name), as well as the user’s email address.
If this checkbox remains checked, the email will be sent automatically. To disable this, simply uncheck the Send Email with Access Info to User checkbox.
Since the malicious actor had previously changed the Access Info template, the system sent this altered template with spam links that looked like the system access links to the newly created user’s email address.
- Afterward, the algorithm was repeated: creating a new user > sending access information > deleting this user.
Links
These were the links the individual used in the altered Access Info template to send spam emails:
https://tinyurl.com/2nen345j
https://tinyurl.com/bdctwep4
https://tinyurl.com/zpn7xab6
When we investigated the issue, two of these links pointed to website content that was already removed or moved to another URL.
One of them redirected users to https://beyeda.pythonanywhere.com/.
Actions we have taken
After the investigation, we have come to the conclusion that there was supposedly a Python script involved, but we were unable to locate it. We have contacted the relevant companies and issued warnings. As of now, we have received a response from PythonAnywhere that notified us that they took down the site and locked that user account due to phishing attempts.
While no data breach occurred from our side, we take this situation very seriously and are continuously working to enhance our security measures to prevent similar incidents in the future.
What you can do to protect your data from phishing attacks
Phishing attempts are becoming more sophisticated and won’t disappear any time soon. To avoid becoming a victim of a phishing attack, you can use the following tips:
- Do not click on URLs and download attachments from unknown and suspicious sources or email senders.
- Check whether the hover-text link matches the content of the email. If not, do not click on it.
- Remain vigilant when it comes to emails, messages and calls that ask for your personal and financial information. Do not share sensitive information via email.
- If possible, enable two-factor authentication (2FA) as an additional layer of security.
- Update your passwords regularly and do not use the same password for multiple platforms.