July 8, 2021 at 9:11 am #10753LeinAdParticipant
i got this mail from CP:
We are writing to inform you that starting on July 15th, 2021 the notifications we send your server (IPNs aka webhooks or callbacks) will start coming from a new IP address:
In most cases no action will be required on your part however you may need to if you are in one of these situations:
1. If you are using an anti-DDoS such as Cloudflare or another firewall you may need to whitelist the new IP address in it/them, or
2. If your IPN handler is set to only accept IPNs from certain IPs in addition to the default HMAC verification.
We apologize for any inconvenience this may cause but was needed to expand capacity. IPNs may continue to come from the old IP as well so don’t remove it from your whitelists.
is this important for you? Or me??July 9, 2021 at 7:54 am #10756alexgKeymaster
IF this email is true, then this would mean that you’d have to contact your hosting provider, and have them add this IP to the whitelist of your firewall.
HOWEVER this sounds fishy! This is also what a hacker would say if they were trying to forge deposits to your site. I am listing the reasons why this looks suspicious to me:
– I am also signed up to CoinPayments and have not yet received such an email.
– Furthermore, it would probably be simple for CoinPayments to route all IPNs from the old IP, even if they have to change their infrastructure on the back-end.
– I find it suspicious that the last two sentences in the email have obvious grammatical errors. Only a person not proficient in English would make such mistakes. Doesn’t sound like an official communication from a serious service such as CoinPayments. As we all know, most black-hat hackers are in Russia and the Balkans, not in English-speaking countries.
– It is somewhat surprising that they would give you only a small window of time to do this change. July 15th is in a week’s time, and you’d have to contact your hosting provider to let them know about the change. Not enough time for everyone to react without service disruption.
– Finally, all communication coming from CoinPayments is signed with their PGP key. Is there such a signature in the email, and have you verified it with their key? Their key can be found here: https://www.coinpayments.net/help-signed-emails The signature can be verified with Kleopatra or similar software.
I am curious. If this is indeed a social engineering effort as part of a larger hacking attempt, how would the attackers forge the HMAC signatures required on IPN messages? Perhaps they think I never bothered to add code that checks for HMACs? Is it possible that they are not even targeting this coin adapter, but only some other implementation that has this weakness? Maybe they scraped emails from the CoinPayments support forums and are sending this email to potential users of the platform?
Please check the email you received more carefully. If necessary, check the full email headers. What is the originating IP? Does it actually belong to CoinPayments? Does the PGP signature check out?
Be careful with this. I might be a bit paranoid but with such things you need to be paranoid because money is involved. IF it turns out that the email is legitimate, then you’d have to contact the hosting provider for your site and let them know that you want incoming IPNs from this IP whitelisted. But first let’s make sure. You could also show your email to CoinPayments support and ask them if it’s legit. If it’s not, they should probably know about this.
with regardsJuly 9, 2021 at 10:42 am #10759LeinAdParticipant
iam paranoid too :-p but i searched my mailbox and got the same mail on june 16th too (same content)
if needed i can send you the mailsJuly 12, 2021 at 7:08 am #10769alexgKeymaster
As discussed before, the best course of action would be to show the email you have to CP support and ask them if it is legitimate.
You did not mention whether there is a PGP signature present, but if it is, you should verify it.
Also check the email’s full headers for details.
I have still not received any such email from CoinPayments, and nobody else has mentioned this to me. I have not seen this mentioned on the CoinPayments website, blog, or twitter account. Such an important announcement should be more prominent if it was legitimate.
- You must be logged in to reply to this topic.