
Warning black magic forum being hacked!!!

Posted: Sat Feb 29, 2020 3:29 pm
by HaveBlue
Please be advised that someone has set up a duplicate forum and is sending phishing emails to obtain usernames and passwords. If you get a topic response that doesn't point to a black magic subdomain but instead to an IP, do not try to log in.


Hello HaveBlue,

You are receiving this notification because you are watching the topic,
"Cant play any media without crash" at "Blackmagic Forum". This topic has
received a reply by turbo2ltr since your last visit. You can use the
following link to view the replies made, no more notifications will be sent
until you visit the topic.

If you want to view the newest post made since your last visit, click the
following link:
http://54.172.192.242/viewtopic.php?f=2 ... 8&e=598568

If you want to view the topic, click the following link:
http://54.172.192.242/viewtopic.php?f=21&t=108355

If you want to view the forum, click the following link:
http://54.172.192.242/viewforum.php?f=21

If you no longer wish to watch this topic you can either click the
"Unsubscribe topic" link found at the bottom of the topic above, or by
clicking the following link:

http://54.172.192.242/viewtopic.php?uid ... atch=topic


--
Thanks, Blackmagic Design

Re: Warning black magic forum being hacked!!!

Posted: Mon Mar 02, 2020 11:17 am
by Xtreemtec
WOW they did a good job by cloning the whole forum including themes :o

Re: Warning black magic forum being hacked!!!

Posted: Mon Mar 02, 2020 11:31 am
by codedeltajames
Xtreemtec wrote: WOW they did a good job by cloning the whole forum including themes :o


Even more amazing is they cloned it onto the same IP address as the real forum :o :o

Re: Warning black magic forum being hacked!!!

Posted: Mon Mar 02, 2020 5:34 pm
by Joshua Helling
We've already reported this to the team. We'll have to wait to hear from them this afternoon.

It's a good catch.

I'm not sure it's accurate to say we've been hacked because it looks like a phishing attempt. This means our server is likely fine.

But people definitely do need to pay attention.

We'll give an update as soon as we have one.

Re: Warning black magic forum being hacked!!!

Posted: Mon Mar 02, 2020 11:25 pm
by BMD Web Engineering
The above message referring to http://54.172.192.242/ is forum.blackmagicdesign.com, as suggested by codedeltajames; that is why it looks exactly like our forum.

Topic notification messages use https://forum.blackmagicdesign.com/ in them; so the advice to not click on messages containing IP addresses and using http rather than https is good.

So, in summary: The message does not refer to a duplicate forum, but clicking on http links to IP addresses is not a good idea.

Re: Warning black magic forum being hacked!!!

Posted: Tue Mar 03, 2020 3:39 pm
by Howard Roll
How does the Phisherman know what threads I’m following if there’s no security breach? Is that information public somewhere?

Thanks

Re: Warning black magic forum being hacked!!!

Posted: Tue Mar 03, 2020 4:10 pm
by Xtreemtec
To get the Theme, and general setup of the forum page.. They probably hashed a copy of the database and folders containing all files..

If you have that info.. You have names of users, topic names.. And just randomly send users a message based on what topic you reacted on.. ;)

Not sure how much someone would be able to pull from a database copy. For sure login info is encrypted.. But settings on what topic you subscribed to might not be..

Re: Warning black magic forum being hacked!!!

Posted: Tue Mar 03, 2020 6:15 pm
by HaveBlue
When I clicked on the links originally, I got a message "Topic does not exist" and also my browser refused to auto-fill login info. I therefore assumed someone had cloned the board to capture people logging in and then gain access into the board. If an Admin did this on a duplicated board, their credentials would have been compromised and the board could easily be hacked.

I think best practice is not to use the IP in the URL for notification emails. It leaves an opening for someone to duplicate the board and send phishing emails with a different IP and it will go unnoticed. It would be trivial to follow an admin around the board, even in this thread, and send them notification emails on their board that redirect to a phpBB clone I loaded on a Linux server.

Re: Warning black magic forum being hacked!!!

Posted: Tue Mar 03, 2020 11:17 pm
by BMD Web Engineering
Thank you HaveBlue for bringing this to our attention.

To clarify my earlier response:

54.172.192.242 is forum.blackmagicdesign.com.

You can verify this for yourselves by using "nslookup forum.blackmagicdesign.com" or
"dig forum.blackmagicdesign.com"

Code:
$ nslookup forum.blackmagicdesign.com

Non-authoritative answer:
Name:   forum.blackmagicdesign.com
Address: 54.172.192.242


This issue does not indicate a breach.

The questionable links do not refer to a duplicate forum.

Howard Roll wrote: How does the Phisherman know what threads I’m following if there’s no security breach? Is that information public somewhere?

Thanks


Howard, it was not a Phisherman sending the message, it was this forum. The message format was not in its typical form.


HTTP access was previously allowed to the forum; this has been changed and we now only allow HTTPS connections.

The HTTP access made it possible to post messages to a thread that would send the 'odd' looking notifications to people subscribed to the thread. It should no longer be possible to do this.

Hope this clarifies the situation,
regards,
Martin
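
The check discussed in the posts above (a notification link that uses a bare IP over http, compared against what the forum's hostname resolves to), as an added example that is not part of the original thread or the forum's own code. The finding labels, the stub resolver and the sample body are assumptions constructed for illustration; the hostname and address are the ones quoted in the thread.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

EXPECTED_HOST = "forum.blackmagicdesign.com"  # canonical host named in the thread

def resolve_host(name):
    """Return the set of addresses DNS currently gives for name (live lookup)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def check_link(url, expected_host=EXPECTED_HOST, resolver=resolve_host):
    """Return a list of findings for one link; an empty list means it looks normal."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("not-https")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        findings.append("ip-literal-host")
        # Same question the nslookup answers: does the expected name map to this address?
        if host in resolver(expected_host):
            findings.append("ip-matches-expected-host")
        else:
            findings.append("ip-does-not-match-expected-host")
    elif host != expected_host:
        findings.append("unexpected-host")
    return findings

def triage(body, **kw):
    """Extract http(s) links from an e-mail body and check each one."""
    return {u: check_link(u, **kw) for u in re.findall(r"https?://\S+", body)}

# Constructed sample: links in the shape quoted in the thread, plus one lookalike host.
SAMPLE = """If you want to view the topic, click the following link:
http://54.172.192.242/viewtopic.php?f=21&t=108355
https://forum.blackmagicdesign.com/viewtopic.php?f=21&t=108355
https://forum.blackmagicdesign.com.example.net/viewtopic.php?f=21&t=108355
"""

if __name__ == "__main__":
    # Stub resolver (assumption) so the demo runs offline; address taken from the nslookup output.
    stub = lambda name: {"54.172.192.242"}
    for url, findings in triage(SAMPLE, resolver=stub).items():
        print(url, findings or ["ok"])
```

A matching address only shows that the name currently resolves there; the link is still flagged because plain http to an IP gives the reader no certificate to check.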

Re: Warning black magic forum being hacked!!!

Posted: Wed Mar 04, 2020 5:21 am
by HaveBlue
Thank you so much. I've had websites hacked and it's a pain. Wanted to catch the possibility as early as possible for you.

Re: Warning black magic forum being hacked!!!

Posted: Tue Apr 21, 2020 4:05 pm
by orbitrob
I'm getting this as well. About 8 emails a day.

Any advice on how to stop them coming?....while also still getting real notifications from the forum? :?: