
Reply To: Coinpayments email about new IP for IPNs

#10756
alexg
Keymaster

Hello,

IF this email is true, then this would mean that you’d have to contact your hosting provider, and have them add this IP to the whitelist of your firewall.

HOWEVER, this sounds fishy! This is also what a hacker would say if they were trying to forge deposits to your site. I am listing the reasons why this looks suspicious to me:

– I am also signed up to CoinPayments and have not yet received such an email.

– Furthermore, it would probably be simple for CoinPayments to route all IPNs from the old IP, even if they have to change their infrastructure on the back-end.

– I find it suspicious that the last two sentences in the email have obvious grammatical errors. Only a person not proficient in English would make such mistakes. It doesn’t sound like an official communication from a serious service such as CoinPayments. As we all know, most black-hat hackers are in Russia and the Balkans, not in English-speaking countries.

– It is somewhat surprising that they would give you only a small window of time to do this change. July 15th is in a week’s time, and you’d have to contact your hosting provider to let them know about the change. Not enough time for everyone to react without service disruption.

– Finally, all communication coming from CoinPayments is signed with their PGP key. Is there such a signature in the email, and have you verified it with their key? Their key can be found here: https://www.coinpayments.net/help-signed-emails. The signature can be verified with Kleopatra or similar software.

I am curious. If this is indeed a social engineering effort as part of a larger hacking attempt, how would the attackers forge the HMAC signatures required on IPN messages? Perhaps they think I never bothered to add code that checks for HMACs? Is it possible that they are not even targeting this coin adapter, but only some other implementation that has this weakness? Maybe they scraped emails from the CoinPayments support forums and are sending this email to potential users of the platform?

Please check the email you received more carefully. If necessary, check the full email headers. What is the originating IP? Does it actually belong to CoinPayments? Does the PGP signature check out?

Be careful with this. I might be a bit paranoid but with such things you need to be paranoid because money is involved. IF it turns out that the email is legitimate, then you’d have to contact the hosting provider for your site and let them know that you want incoming IPNs from this IP whitelisted. But first let’s make sure. You could also show your email to CoinPayments support and ask them if it’s legit. If it’s not, they should probably know about this.

With regards
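The point made above about HMACs is the one that matters for a receiver: whether an IPN is accepted should depend on the HMAC over the POST body, not on which IP it came from. The following is an added example (not code from the original post or from the coin adapter it refers to) showing such a check in Python; it assumes the HMAC-SHA512-over-raw-POST-body scheme keyed with the merchant's IPN secret, as CoinPayments documents it, and the secret, merchant id and IPN body are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample values, not real credentials.
IPN_SECRET = b"example-ipn-secret-not-real"
MERCHANT_ID = "0123456789abcdef0123456789abcdef"


def sign_ipn(raw_body: bytes, secret: bytes = IPN_SECRET) -> str:
    """Hex HMAC-SHA512 of the untouched POST body, as carried in the HMAC header."""
    return hmac.new(secret, raw_body, hashlib.sha512).hexdigest()


def verify_ipn(raw_body: bytes, hmac_header: Optional[str],
               secret: bytes = IPN_SECRET, merchant_id: str = MERCHANT_ID) -> bool:
    """Accept an IPN only if its HMAC header matches our own HMAC over the raw
    body and the payload names our merchant account. The sender's IP address
    is deliberately not an input: a correct tag proves knowledge of the secret,
    a wrong tag is rejected no matter where the request came from."""
    if not hmac_header:
        return False
    expected = sign_ipn(raw_body, secret)
    # Constant-time comparison, so a forger cannot learn the tag byte by byte.
    if not hmac.compare_digest(expected, hmac_header.strip().lower()):
        return False
    fields = parse_qs(raw_body.decode("utf-8", errors="replace"))
    return fields.get("merchant", [None])[0] == merchant_id


if __name__ == "__main__":
    # A genuine-looking IPN (constructed) and the same body with the amount altered.
    body = b"ipn_mode=hmac&merchant=" + MERCHANT_ID.encode() + b"&status=100&amount1=0.5"
    tag = sign_ipn(body)
    print("genuine IPN accepted:", verify_ipn(body, tag))
    print("tampered body rejected:", verify_ipn(body.replace(b"0.5", b"5.0"), tag))
    print("missing header rejected:", verify_ipn(body, None))
```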