thrustvps compromised?

I have not used thrust since my last contract expired. I left them because of their appalling actions at around this time last year. However, today I received the following email from them:

From: Admin
To: xxx@yyy
Subject: Damn::VPS aka Thrust::VPS
Date: Sat, 18 Jan 2014 03:28:06 +0000

This is a notification to let you know that we need to verify for reduce fraud.

We want your data as soon as possible.

The data that we need is as follows:

Server Username (Included)
Server Password (Included)
Full Name (Included)
Address (Included)
City(Included)
State (Included)
ZIP (Included)
Phone Number (For Call To Verify)
Country (Included)
Paypal Email (If Order With Paypal)
Paypal Password (If Order With Paypal)
Credit Card Information (If Order With Credit Card)
Scan Of Credit Card Front And Back (If Order With Credit Card)

Data is sent to Email : thrustvps@yahoo.com

Thanks in advance for your patience and support.

https://damnvps.com – Damn::VPS – We give a damn

Now, apart from the fairly obvious phishing nature of this email (you want me to scan my credit card front and back and send you a picture? Right…), and the request to reply to an address other than the sender (“Data is sent to….”) it actually looks to me as if the email really came from Thrust. Certainly the full headers (including “Return-Path:”, “Reply-To:”, “Received:” and even “Message-Id:”) look remarkably similar to the real ones I have from earlier mails from Thrust. A normal phishing email will usually spoof the “From:” address and use the “Reply-To:” to capture return emails at the scammer’s address. The fact that this email actually asks (in grammatically poor english) that you reply to a yahoo address suggests that the scammers are not that sophisticated.

I may not have much time for Thrust, but I have even less time for spammers and scammers so I forwarded the email to Thrust with a recommendation that they check it out and let their customers know that there appeared to be a scam going on in their name. I also checked their website to see if they had any alert thereon. The website (as at 15.00 today) appears to be unreachable (and I have tested from the UK, SanFrancisco, NYC and Amsterdam). With a website down and dodgy mail appearing to come from a legitimate Thrust mailserver address it suggests to me that they may have suffered a compromise. Certainly it looks to me as if their customer email database has been compromised (the address I got the email on was not my normal address, rather it was the one I use for contacts such as this). Whether that means any of their other account details have also been stolen I cannot be sure.

But I am glad that I am no longer a customer.

Permanent link to this article: https://baldric.net/2014/01/18/thrustvps-compromised/