Xfinity Data breach detected through email alias service

3 points by encryptluks2 ↗ HN
This is a warning to Xfinity customers. Today, I got a sophisticated spam email to an email address that was only ever provided to Xfinity. Note I am no longer an Xfinity customer since a few months ago, but my account still exists with Xfinity. I am using SimpleLogin to generate unique email addresses for every service that I signup for. Due to the way SimpleLogin forwards emails, I only have limited email header information. The email appears to be an invoice from Quickbooks for Norton AntiVirus suggesting I have a balance due of 256.89 for 5 copies of AntiVirus. The phone number provided, 1 (850) 806-2408, has a live person answer when called immediately suggested that I provide my credit card to cancel the order.

The email appears to have been sent from Teamnort@saless.cc. Interestingly enough when trying a WHOIS on saless.cc it appears the domain is not registered. However, according to this article the TLDs have been hijacked before:

https://labs.detectify.com/2021/01/15/how-i-hijacked-the-top-level-domain-of-a-sovereign-state/

I immediately tried calling Xfinity to explain the issue to their security team, but their entry-level employees couldn't understand the issue. I did some searches and appears that other Xfinity customers have experienced similar phishing emails. In this instance, the only way someone could have gotten that email is if an Xfinity employee is leaking emails or there has been a data breach with customer emails. This email was updated in April of 2021, so the breach would have had to occur after that time. The email is unique enough that it wouldn't have been randomly sent, and note this is the first phishing email I've ever received from someone to my 400+ aliases that I'm using currently.

2 comments

[ 5.2 ms ] story [ 16.4 ms ] thread
> The email appears to have been sent from Teamnort@saless.cc. Interestingly enough when trying a WHOIS on saless.cc it appears the domain is not registered.

What?! That’s even more interesting than your main problem.

However considering your main problem I see 2 possibilities:

1. SimpleMail service was compromised

2. A local Xfinity store was compromised. I used to work at a telecommunications provider brick n mortar store and there was a common scam going around where sophisticated threat actors would call the store phone and convince the (low wage, low competence) employees that they’re calling from the “corporate office” and provide instructions to install a RAT, thus compromising the computer systems at the store. (There was no admin password on the computers, this was a franchise for one of the most popular US cellular companies in 2021, im positive this scam is still happening every day)

After further review, it appears that the email may have actually been sent through Intuit using fake info with Teamnort@saless.cc as the reply-to. If you call the number, they usually answer saying they are Norton or PayPal. I've already notified Intuit and RingCentral who they appear to be using. This is the link to the "invoice" in the email which is on the intuit.com domain:

http://links.notification.intuit.com/ls/click?upn=LEV65WI9EZ...