To ALL affiliates - WARNING: Several affiliate account hacked

[dfiocch]

This thread is to warn all affiliates, please check your accounts and look for a change in payment method.

I had several affiliate accounts hacked by someone (Fortune Affiliates, Brightshare and AffiliateEdge).
This piece of sh*t changed my usual payment method to its own, flooding (in two cases) my money into him e-wallet accounts (Webmoney and Skrill).

All started on August 15th when I noticed that Fortune Affiliates paid my July commission to a "stranger" WebMoney account.
I checked my profile at Fortune Affiliates and all was correct except for the payment method.
This "awesome" guy used this WebMoney account number:

Z101694651166

Firstly, I contacted via Skype my affiliate manager at FA, Wayne W.
After a quick chat, I sent him all details regarding this issue (with screenshots) by email.
They are still finding a solution to get money back...

During my investigations, I found in my FA account a "sub-user" NEVER AUTHORIZED under its own email:

ngcangtrade@gmail.com

I don't know him, never heard about this mail.
I tried to contact him and, of course, no responses...

Still waiting FA to came back with a solutions...

September 1st, some strange things are happening...
Firstly, I was unable to login into my AffiliateEdge account (login failed).
I contacted Stephen (AE) to see if something fault with my login credetials: in no time he solved the issue and I was able to login with a new password.

After one hour or so, another strange thing... I received a mail from BrightShare, a warning of "payment method updated"(!).
I logged in into my BrightShare account, checked for payment method and I found that it was changed from my usual (Neteller) to Skrill with email:

eyauhh93@yahoo.com

I was lucky: BrightShare payments came on 20-21 of each month...

Changed payment method and changed password...

Today: this evening I had a "buzz" from Martyn, AffiliateEdge... he asked me if following payment details are correct:

Skrill

cs.flopturnriver@yahoo.com

HELL, NO! It's not correct!

AffiliateEdge Staff is currently looking into this.
Martyn was very nice and provided me a list of IPs that logged in on Septeber 1st:

2014-09-01 04:51:10.193 198.143.45.1
2014-09-01 04:53:05.843 149.126.78.1
2014-09-01 06:34:39.040 149.126.76.33
2014-09-01 11:59:37.150 198.143.41.33
2014-09-01 12:32:23.533 149.126.78.1

On September 1st I was away from office, so this is the "guy"...
I "looked up" all these IPs and they seems to be proxies...

I will keep you ALL updated on this "strange pattern" (I will update this post).

In the meantime, please, CHECK ALL YOUR ACCOUNTS!

Reading this: https://www.gpwa.org/forum/urgent-al...219035/p5.html

... we are under attack?

@antihacker, your collaboration is needed!

I have serious doubt... since... no password retrieval attempts found... mumble...

[antihacker]

This thread is to warn all affiliates, please check your accounts and look for a change in payment method.

I had several affiliate accounts hacked by someone (Fortune Affiliates, Brightshare and AffiliateEdge).
This piece of sh*t changed my usual payment method to its own, flooding (in two cases) my money into him e-wallet accounts (Webmoney and Skrill).

Holy pizza. That sux. Since payment went in to the different account, that can be traced as simple as 1,2,3...

All started on August 15th when I noticed that Fortune Affiliates paid my July commission to a "stranger" WebMoney account.
I checked my profile at Fortune Affiliates and all was correct except for the payment method.
This "awesome" guy used this WebMoney account number:

Z101694651166

Contact Webmoney fraud department ASAP...

Firstly, I contacted via Skype my affiliate manager at FA, Wayne W.
After a quick chat, I sent him all details regarding this issue (with screenshots) by email.
They are still finding a solution to get money back...

You won't like me saying this: You are responsible for your accounts. Even if they can't get back your cash, you best forget about it. They can't do nothing if you don't secure your account. Sounds crap, but it is the way it is. ALWAYS secure ALL of your details. Change passwords often etc.

During my investigations, I found in my FA account a "sub-user" NEVER AUTHORIZED under its own email:

ngcangtrade@gmail.com

I don't know him, never heard about this mail.
I tried to contact him and, of course, no responses...

Do not contact that mail. Contact Google ASAP. Tell them this gmail has stolen money from you, explain it in detail. Post a message on the Google product (Gmail) forum. Don't mention gambling!! Just say this person has stolen commissions etc. No need to mention gambling, as they don't like us. Do the same for the YAhoo email, and contact the companies where the money went to. As in NOW! They have abuse emails etc, phone numbers the lot. Call / email them asap.

Still waiting FA to came back with a solutions...

I know how you feel...

September 1st, some strange things are happening...
Firstly, I was unable to login into my AffiliateEdge account (login failed).
I contacted Stephen (AE) to see if something fault with my login credetials: in no time he solved the issue and I was able to login with a new password.

Ask them to further investigate. They are very helpful. Always. Since this is theft, you should get all details from them and contact law enforcement of this.

After one hour or so, another strange thing... I received a mail from BrightShare, a warning of "payment method updated"(!).
I logged in into my BrightShare account, checked for payment method and I found that it was changed from my usual (Neteller) to Skrill with email:

eyauhh93@yahoo.com

I was lucky: BrightShare payments came on 20-21 of each month...

Changed payment method and changed password...

Do this for ALL your accounts, including gmail, yahoo, and all other emails you store this type of info in.

Today: this evening I had a "buzz" from Martyn, AffiliateEdge... he asked me if following payment details are correct:

Skrill

cs.flopturnriver@yahoo.com

HELL, NO! It's not correct!

AffiliateEdge Staff is currently looking into this.
Martyn was very nice and provided me a list of IPs that logged in on Septeber 1st:

2014-09-01 04:51:10.193 198.143.45.1
2014-09-01 04:53:05.843 149.126.78.1
2014-09-01 06:34:39.040 149.126.76.33
2014-09-01 11:59:37.150 198.143.41.33
2014-09-01 12:32:23.533 149.126.78.1

When pulling the information for 198.143.41.33, we found that the organization tied to this IP is Incapsula. They are the company that is being used to stop DDOS on affiliate edge. So, this is odd. Very odd.

All of these ip's are linked to incapsula. So, either this person was able to 'hack incapsula' or something else is going on. Contact Incapsula and ask immediately!

Here:

Incapsula Inc. is a Cloud-based application delivery platform. It uses a global content delivery network to provide website security, DDoS protection, load balancing and failover services to clients.

Incapsula Inc
Dover, DE 19901
UNITED STATES
Administrative Contact

Incapsula AbuseDesk
Telephone: 18662507659
Email:
Technical Contact

Incapsula Operations Bronstein, Tomer
Telephone: 18662507659 18662507659

On September 1st I was away from office, so this is the "guy"...
I "looked up" all these IPs and they seems to be proxies...

I will keep you ALL updated on this "strange pattern" (I will update this post).

In the meantime, please, CHECK ALL YOUR ACCOUNTS!

Good advise.

Reading this: https://www.gpwa.org/forum/urgent-al...219035/p5.html

... we are under attack?

Not sure. The thread you mention, is about site hacking on wordpress. Not theft as you say you have to deal with.

@antihacker, your collaboration is needed!

... That is a compliment, thank you. I'm always willing to help, but, I am not sure where I will find the time to do so. I've put in weeks of work in the case I am exposing.. And, I've got to do my own work too, in order to not lose my own business.

Again, I'll help where I can.

I have serious doubt... since... no password retrieval attempts found... mumble...

Serious doubts about what? What ever the case: Make sure you contact law enforcement asap. And, contact Incapsula to ask just why their ip's show up in your account.

My question: What is the main email account you've used for you aff. accounts? Gmail? Did you use ONE email for all of these accounts?

If so, change it and never ever do that again.

I sincerely hope your damages are not big and that your money can be recovered.

This should pose as a big warning to all affiliates.

[dfiocch]

Holy pizza. That sux. Since payment went in to the different account, that can be traced as simple as 1,2,3...

You are right

Contact Webmoney fraud department ASAP...

I did it. Still waiting for them to come back...

You won't like me saying this: You are responsible for your accounts. Even if they can't get back your cash, you best forget about it. They can't do nothing if you don't secure your account. Sounds crap, but it is the way it is. ALWAYS secure ALL of your details. Change passwords often etc.

Yes, I know. And, of course. But... it's odd, very odd... no password retrieval attempts... who knows my passwords? All direct accesses...

Do not contact that mail. Contact Google ASAP. Tell them this gmail has stolen money from you, explain it in detail. Post a message on the Google product (Gmail) forum. Don't mention gambling!! Just say this person has stolen commissions etc. No need to mention gambling, as they don't like us. Do the same for the YAhoo email, and contact the companies where the money went to. As in NOW! They have abuse emails etc, phone numbers the lot. Call / email them asap.

I did also this. And still waiting...

Ask them to further investigate. They are very helpful. Always. Since this is theft, you should get all details from them and contact law enforcement of this.

Yes, they are. And doing also this. Thank you for the advice.

When pulling the information for 198.143.41.33, we found that the organization tied to this IP is Incapsula. They are the company that is being used to stop DDOS on affiliate edge. So, this is odd. Very odd.

All of these ip's are linked to incapsula. So, either this person was able to 'hack incapsula' or something else is going on. Contact Incapsula and ask immediately!

Here:

Incapsula Inc. is a Cloud-based application delivery platform. It uses a global content delivery network to provide website security, DDoS protection, load balancing and failover services to clients.

Incapsula Inc
Dover, DE 19901
UNITED STATES
Administrative Contact

Incapsula AbuseDesk
Telephone: 18662507659
Email:
Technical Contact

Incapsula Operations Bronstein, Tomer
Telephone: 18662507659 18662507659

This is very, very odd...
However, I will send all details also to Incapsula.
Thanks again.

... That is a compliment, thank you. I'm always willing to help, but, I am not sure where I will find the time to do so. I've put in weeks of work in the case I am exposing.. And, I've got to do my own work too, in order to not lose my own business.

Again, I'll help where I can.

Take you time, Man!
Your business is more important...
Thank you for your time!

Serious doubts about what?

Someone that knows my passwords... maybe. Just my idea... all accesses are direct accesses and I don't share my passwords with ANYONE.

My question: What is the main email account you've used for you aff. accounts? Gmail? Did you use ONE email for all of these accounts?

My corporate email (website). So, I have all logs on my hands and I don't see any deleted, modified or moved emails (attempts of password retrieval or whatever)

I sincerely hope your damages are not big and that your money can be recovered.

The damage is mainly with Fortune Affiliates, I was away and I noticed the "robbery" some days after...
With AffiliateEdge... I can say they are very nice guys! I work with them since 2006 and also this time they was very, very responsive (Thanks Martyn!)

This should pose as a big warning to all affiliates.

Correct. PLEASE, check ALL YOUR ACCOUNTS!

[universal4]

Hmmmm, wonder if the Incapsula server root was breached and therefore gave them access to capture packets.

Also, I would be interested to know whether the scumbag also has their OWN affiliate accounts at any of the programs where they changes payment details without the knowledge of the affiliates affected.

Rick
Universal4

[antihacker]

Hmmmm, wonder if the Incapsula server root was breached and therefore gave them access to capture packets.

Also, I would be interested to know whether the scumbag also has their OWN affiliate accounts at any of the programs where they changes payment details without the knowledge of the affiliates affected.

Rick
Universal4

Could be. I've notified Martyn. I am 1000000000% sure they are proper. I have noticed recent outages there, also of which I notified Martyn.

There is a lot going on.

NOT sure if this is the same person.

[universal4]

Yep Martyn and his team are top notch.

I have heard through the grapevine that a few managers have been made aware of this.

Rick
Universal4

[edgarf76]

That is outrageous and they should be brought up on criminal charges under whatever jurisdiction they are in.

[antihacker]

Yep Martyn and his team are top notch.

Agreed.

I have heard through the grapevine that a few managers have been made aware of this.

That Martyn rocks harder than the Rocky mountains? Or of this horrendous news of possible hacking / stealing?

(Duh... I know... Just trying to make some fun after ALL the stress I went through...

Rick
Universal4[/QUOTE]

[antihacker]

That is outrageous and they should be brought up on criminal charges under whatever jurisdiction they are in.

Besides stating that, we must form a unity. We all must take action and do something. If it happened once, it can happen again.

WE ALL must Start with re-securing all of our accounts ASAP.

Antihacker.

[antihacker]

Hmmmm, wonder if the Incapsula server root was breached and therefore gave them access to capture packets.

Also, I would be interested to know whether the scumbag also has their OWN affiliate accounts at any of the programs where they changes payment details without the knowledge of the affiliates affected.

Rick
Universal4

IF that is the case, I guess we know where to go to claim compensation for dfiocch ..? They best have an explanation.

Everybody must double double double check their accounts. And, re secure with new very complex passwords.

Antihacker

[JackTenSuited]

I had a few accounts hacked a while ago, one of my domains (stupidly) expired which a few of my aff accounts are setup under so they were able to retrieve passwords that way (also even more stupidly I used the same pass for multiple accounts).
Very frustrating trying to get some of them sorted as a lot of the program couldn't care less.

Now I use roboform and very long passwords on each program

[Renee]

dfiocch have you scanned your computer for malware?
Perhaps you have a keylogger?

We have a system whereby we are alerted every single time payment details are updated. We also do not allow the email address on the account to be changed by the affiliate, so if the payment details come back and they do not match the email address on the account (or other details) we contact the affiliate immediately. Since they can't change the email address, we know we can still contact the correct person. If we don't hear back from the affiliate, they don't get paid. Simple as that. It's better to falsely not pay someone because we fear a data breach than to pay the wrong account and then have to pay twice.

An automatic email also goes out to the email address on file when the password has been changed. So the affiliate will know immediately if something has happened.

Since we have this system in place, not a single affiliate commission has been compromised.

I don't really understand why other affiliate programs wouldn't do this. Seems like a few have this in place already but why it's not more widespread I don't really understand.

With things like keyloggers etc it's going to be nearly impossible to prevent this 100%. There is no such thing as 100% secure. The best the community can do is warn everyone if it does happen, and in the meantime take precautions in order to ensure their accounts are as secure as can be.

[antihacker]

(also even more stupidly I used the same pass for multiple accounts).

This is a big warning to all of you who have the same. Or, who are using simple passwords. Do not. Make them difficult. And change them periodically.

Very frustrating trying to get some of them sorted as a lot of the program couldn't care less.

That sux harder than a zanussi industrial strength vacuum cleaner. Which aff programs, do you remember? It is never too late to apply a bit of tar and feathers to those who do that.

Now I use roboform and very long passwords on each program

Well done. I'm sorry you had to learn the hard way.

Antihacker

[Renee]

I should also mention I've had our fraud team send an email to skrill to close both of the skrill accounts with the reason they are hacking into aff accounts and stealing commissions.

The other groups could have done this too. In fact they could still do it and it would give them more reason. You may even get your money back from fortune that way.

Just a thought.

Cheers

[antihacker]

dfiocch have you scanned your computer for malware?
Perhaps you have a keylogger?

We have a system whereby we are alerted every single time payment details are updated. We also do not allow the email address on the account to be changed by the affiliate, so if the payment details come back and they do not match the email address on the account (or other details) we contact the affiliate immediately. Since they can't change the email address, we know we can still contact the correct person. If we don't hear back from the affiliate, they don't get paid. Simple as that. It's better to falsely not pay someone because we fear a data breach than to pay the wrong account and then have to pay twice.

An automatic email also goes out to the email address on file when the password has been changed. So the affiliate will know immediately if something has happened.

Since we have this system in place, not a single affiliate commission has been compromised.

I don't really understand why other affiliate programs wouldn't do this. Seems like a few have this in place already but why it's not more widespread I don't really understand.

With things like keyloggers etc it's going to be nearly impossible to prevent this 100%. There is no such thing as 100% secure. The best the community can do is warn everyone if it does happen, and in the meantime take precautions in order to ensure their accounts are as secure as can be.

Awesome to read about the extensive security measures your organization has taken. Very positive indeed. Chapeau

Antihacker.

[antihacker]

I should also mention I've had our fraud team send an email to skrill to close both of the skrill accounts with the reason they are hacking into aff accounts and stealing commissions.

The other groups could have done this too. In fact they could still do it and it would give them more reason. You may even get your money back from fortune that way.

Just a thought.

Cheers

Great advise. I hope he can get his money back that way. Hopefully the others will follow your lead and AWESOME initiative.

Antihacker

[antihacker]

I had a few accounts hacked a while ago, one of my domains (stupidly) expired which a few of my aff accounts are setup under so they were able to retrieve passwords that way (also even more stupidly I used the same pass for multiple accounts).
Very frustrating trying to get some of them sorted as a lot of the program couldn't care less.

Now I use roboform and very long passwords on each program

Dean,

A bit off topic, but not completely: I've just visited your blackjack site, it loads extremely slow in firefox and IE. (Keeps loading, loading... loading, then after a while it shows the site. Is everything ok there?

Antihacker

[dfiocch]

dfiocch have you scanned your computer for malware?
Perhaps you have a keylogger?

Hello Renee

Of course but... it's hard to install malwares on a Mac. So, no keyloggers or other worms

[Renee]

Hard, but not impossible.
It just means that if you have it, you told the program to install itself

If you have checked though and it's clean I'm out of theories.

Can you post a list of programs you have running?
Perhaps someone might be able to figure out what it is from your list.

[dfiocch]

Hard, but not impossible.
It just means that if you have it, you told the program to install itself

If you have checked though and it's clean I'm out of theories.

Can you post a list of programs you have running?
Perhaps someone might be able to figure out what it is from your list.

I checked my Mac once, twice... and now. And I check it regularly.
No weird background processes, no strange programs running.

However, currently (now) I'm running:

Chrome
Opera
Safari
Firefox

PHP editor
Jquery/Javascript editor
CSS editor
HTML editor
A virtual server emulator (linux) to work on local site (on machine instead of server)

Text Editor (OSX)
Word
Excel
Mail (OSX)

All running processed are OSX related.

That's all