# I guess DamnVPS/ThrustVPS got hacked



## NodeKid (Jan 17, 2014)

Got this little gem this morning (haven't been a customer in a very long time); obviously the return address is NOT Damn/Thrust but watch out!




> This is a notification to let you know that we need to verify for reduce fraud.
> 
> 
> 
> ...


----------



## MannDude (Jan 17, 2014)

Yeah that's a pretty obvious scam email. I hope no one falls for it. I suspect you've already reached out to DamnVPS and let them know? Have they returned a statement?

Crazy stuff.


----------



## NodeKid (Jan 17, 2014)

I flagged it as soon as I read the badly worded first sentence.

Yes, it's pretty obvious but perhaps not to all, which is why I posted. I cross-posted this to LET but got the usual smart arse attitude completely missing the point that the reason scams work is because some people _are_ vulnerable. Whatever.

Yeah I pinged them but no reply, not going to waste any time on it since I'm no longer a customer.


----------



## Epidrive (Jan 17, 2014)

So really, who's so stupid to fall for that?


----------



## fisle (Jan 17, 2014)

Why don't they at least try to make it look professional.. :/


----------



## fixidixi (Jan 17, 2014)

Never underestimate the stupidity of mankind.

There are more jacks than one at the fair.



FrapHost said:


> So really, who's so stupid to fall for that?


----------



## NickM (Jan 17, 2014)

I'm a former customer, and haven't gotten the email, so I don't think it was a database leak.  Unless they just haven't gotten to me yet, or it just got completely rejected.


----------



## sv01 (Jan 17, 2014)

NickM said:


> I'm a former customer, and haven't gotten the email, so I don't think it was a database leak.  Unless they just haven't gotten to me yet, or it just got completely rejected.


I'm a former customer too, and I got this email but with a different email:

> Data is sent to Email : [email protected]
> Thanks in advance for your patience and support.
> http://damnvps.com - Damn::VPS - We give a damn

Sender IP matches the rDNS:

```
Received: from server.damnvps.com ([87.117.244.16]:47085)
    by xxxxxx with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.82)
    (envelope-from <[email protected]>)
    id 1W4Ma2-0004Xl-5o
```

```
server.damnvps.com has address 87.117.244.16 
16.244.117.87.in-addr.arpa domain name pointer server.damnvps.com.
inetnum:        87.117.244.0 - 87.117.244.31
netname:        ThrustVPS_HH
descr:          Thrust::VPS
```

Last time I got an email from them was about Urgent Maintenance on 2012-12-20 17:13, using the same IP:

```
Received: from server.damnvps.com ([87.117.244.16]:41958)
    by xxxxxx with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.80)
    (envelope-from <[email protected]>)
    id 1Tld8X-0006D0-0m
    for xxxxxxxxx; Thu, 20 Dec 2012 17:13:58 +0700
```

Maybe someone sent the phishing email using their mail server.


----------
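
The header comparison made in the post above, as an added example that is not part of the thread: it parses the two `Received:` lines quoted there, checks forward-confirmed reverse DNS against the lookup results the post shows, and compares the relay with the older maintenance notice. The function names and the offline lookup tables are assumptions made for illustration; the headers are trimmed to the lines the check uses.

```python
import re

# Received headers as quoted in the post (trimmed; recipient redacted there).
PHISH = """Received: from server.damnvps.com ([87.117.244.16]:47085)
    (Exim 4.82)
    id 1W4Ma2-0004Xl-5o"""
OLD_NOTICE = """Received: from server.damnvps.com ([87.117.244.16]:41958)
    (Exim 4.80)
    id 1Tld8X-0006D0-0m"""

# Lookup results copied from the post, held in dicts so the check runs offline.
# Assumption: in live triage these answers come from a resolver, not a table.
PTR = {"87.117.244.16": "server.damnvps.com."}
A = {"server.damnvps.com": ["87.117.244.16"]}

RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)\s+\(\[(?P<ip>[^\]]+)\](?::\d+)?\)")

def parse_received(header):
    """Extract the sending host name and connecting IP from a Received line."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unrecognised Received format")
    return {"host": m.group("host").lower(), "ip": m.group("ip")}

def fcrdns(hop, ptr=PTR, a=A):
    """Forward-confirmed rDNS: IP -> PTR name -> A records include the IP,
    and the PTR name equals the host name recorded in the header."""
    name = ptr.get(hop["ip"], "").rstrip(".").lower()
    return bool(name) and hop["ip"] in a.get(name, []) and name == hop["host"]

def same_relay(header_a, header_b):
    """True when both messages were handed over by the same host and IP."""
    return parse_received(header_a) == parse_received(header_b)

def triage(suspect, known_good):
    """Classify a suspicious mail against an earlier legitimate one."""
    hop = parse_received(suspect)
    if fcrdns(hop) and same_relay(suspect, known_good):
        # Authentic relay plus phishing body points at the sender's own server.
        return "sent via the provider's real server: treat as provider-side compromise"
    return "relay does not match the provider: likely spoofed from elsewhere"

if __name__ == "__main__":
    print(triage(PHISH, OLD_NOTICE))
```

A passing rDNS check only says where the message came from, not that its content is legitimate, which is why the match here counts against the provider's server rather than in favour of the email.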



## Nathan (Jan 17, 2014)

I just received it as well. Bummer.


----------



## raindog308 (Jan 17, 2014)

Just got this email.  Sheesh.


----------



## MannDude (Jan 17, 2014)

Yep: https://vpsboard.com/topic/3253-damnvps-aka-thrustvps-phishing/

Crazy stuff. I'll merge the two threads.

EDIT: merged


----------



## raindog308 (Jan 17, 2014)

http://www.webhostingtalk.com/showthread.php?t=1340822

I haven't been a customer there since at least 2008, and I think it may have been a couple years earlier than that even.


----------



## jarland (Jan 18, 2014)

Password was f0ster?


----------



## danmactough (Jan 19, 2014)

Got the phishing email yesterday. Woke up this morning to find that my OS had been reinstalled. 

F*cker's IP was logged as 67.213.218.73


----------



## mikho (Jan 19, 2014)

danmactough said:


> Got the phishing email yesterday. Woke up this morning to find that my OS had been reinstalled.
> 
> 
> F*cker's IP was logged as 67.213.218.73


Did you reply to the email?


----------



## raindog308 (Jan 19, 2014)

Their site is still offline - guess they're gone - ?

Not that I really care.  I thought their service was garbage when I tried it.


----------



## Jack (Jan 20, 2014)

raindog308 said:


> Their site is still offline - guess they're gone - ?
> 
> Not that I really care.  I thought their service was garbage when I tried it.


If they are, IOMart hasn't announced anything.


----------



## Francisco (Jan 20, 2014)

> Dear (customer name)
> 
> Further to our email earlier regarding the phishing email that was sent out - it turns out it had come from our server - upon further investigation the attacker had managed to gain access to the WHMCS installation and upload his own files, namely a PHP shell and a mailer script.
> 
> ...


@Jack - What are the data breach laws like in the UK? I'm wondering if IOMART has already gone to the authorities over it.

Francisco


----------



## George_Fusioned (Jan 20, 2014)

Francisco said:


> @Jack - What are the data breach laws like in the UK? I'm wondering if IOMART has already gone to the authorities over it.
> 
> Francisco


http://ico.org.uk/for_organisations/privacy_and_electronic_communications/the_guide/security_breaches


----------



## raindog308 (Jan 21, 2014)

News even made The Register:

http://www.theregister.co.uk/2014/01/21/thrustvps_penetrated_by_phishing_attack/


----------



## sv01 (Jan 24, 2014)

From their Twitter page @thrustvps:

> The time of exposure to risk was minimal, and there is no evidence to suggest that any customer data was taken.

> We do not believe the database was copied, as this would have required much longer than the time of the compromise.

LOL

Let's see if they're not lying.


----------

