Thunderbird virus /hack ?

MrNice · May 21, 2018, 8:36pm

Hi there,

Strange thing happened few minutes ago.
I was surfing Internet and suddenly a thunderbird write window appeared. See the picture attached.
I immediately disconnected my modem, removing the wire from the connector. I took the picture and closed the window. This was a thunderbird window, I opened the thunderbird Menu>Help>about to get the version.
In the from address, was my email address, to was georgemalley@gmail.com
Subject: Send Me Backdoor Link for Immediate Access with NO Account Needed
The text about access to porn site.

Then I tried to find this georgemalley in my address book or email but there is no such name.
Then I switched off the modem, waited few minutes and on again, hoping I have a new IP address.

I found that georgemalley is on some web pages
Removed two URLs ]]]

How this can happen? Do I have a virus? Hack?
Any explanation and advice welcome.
I am worried and need to understand and solution to avoid that.

Many thanks

I_A · May 21, 2018, 10:03pm

sounds like some javascript initiated the mailto: protocol which in turn started your default mail client
the best solution would be to use an ad blocker like ublock-origin a better solution would be uMatrix see this howto about hardening firefox
https://vikingvpn.com/cybersecurity-wiki/browser-security/guide-hardening-mozilla-firefox-for-privacy-and-security

MrNice · May 21, 2018, 11:00pm

Thank you

I use uBlock Origin, maybe I need to tweak the setting with the advices in your link. I’ll read it carefully.

Can I know what site started this javascript? Could the script be more dangerous?
one of the sites you wore browsing

nrickert · May 21, 2018, 11:18pm

You could try looking through browser history. But the chances are that it will be very difficult to find.

By the way, I do agree with the assessment of I_A. That’s the most likely explanation.

Could the script be more dangerous?

If you are logged in as an ordinary user, then it is hard for such an attack to damage the system. It could easily damage your own files (which is why backups are important).

Often these nefarious scripts are attached to advertisements.

I_A · May 21, 2018, 11:21pm

it might not have been a javascript it could have been a php script here’s a page with some more info

Darleenprangue · August 11, 2018, 10:42am

The same thing happened to me today.

The site that gave me this thing is : rhinoplasty.co

I checked 2 times to be sure and that is.

Do you think that site could have gave me any other virus?

Can someone check please?

Thanks