Closing Account: Phishing?

  • I received an odd email, which purported to be from Opera (sent to my personal name), not at my registered address with Opera (where I do receive notices of people commenting on my posts), but another I often use. I don't remember if at some point I gave Opera this backup address for purposes of being able to contact me.

    Now the letter said: "It has been a long time since we've seen you! So long, in fact that we're starting to wonder what happened to you. As a security measure, we've put your account on hold. Currently, you can no longer log in to any Opera services. If you still want to be friends, we'll keep a space for you. Otherwise, we'll delete your account and any data associated with it. If you still want to use our services, and enjoy the Opera community, it's not too late to let us know. Click this link: https://auth.opera.com/account/reactivate-profile key= [and then a lot of numbers and letters with a userid number at the end]. Take your time to think about it. We won't take any action for the next 7 days. IF we don't hear from you by then, we'll remove all the data, content, comments, images, cute GIFs, and other information associated with your account.

    All the best,
    Your friends at Opera".

    Now unwisely, perhaps, I did click on the link, and I believe I got a instant flash type response that the account was reactivated (though that's a bit fuzzy to me). As to the email I received, it was from Opera Software at the address, noreply@opera.com. I also sent an email back to noreply@opera.com, and got no response that the email was not received, accepted by the server, bounced, etc. as you do sometimes when the address is bad.

    Now I'm thinking this could not have come from Opera? but might well have been a strange sort of spam/phishing (though that Opera link to click on looked pretty official). Indeed, when I type in the address bar without the numbers and letters at the end the introductory portion of the link sent to me, "https://auth.opera.com/account/reactivate-profile?key=" it does take me to an Opera page, entited, Account reactivation, that says, "Reactivation failed. Please use the link provided in the email that was sent to you." So that makes it sound like the link was from Opera. While I haven't been as active in the Opera forum as in the past, I did start a discussion on Nov. 20, 2014 and commented on discussions on Dec. 6 and Dec. 20. I mean how active do you have to be today to not have your account threatened with closure?

    I'm wondering if anyone else has received anything like this. I've been a member of the Opera forum since 2005. At times I've been active in it, at other times not at all. I've never received an email like this before, purporting to come from Opera with the reference to taking a security measure to close the account.

  • @lem729, if you reopen the original "Opera" eMail and examine the underlying URL hiding beneath the visible link-text in the message, does it still show the exact same text as the cover-text URL? That is the primary issue of question, because that's where you actually navigated before getting the "Flash"-like response. If it's the same URL as the cover-text, then I would believe that the *.opera.com domain should be OK, regardless of whatever else might be going on with Opera and your account. If it's not the same URL, then you may have an "issue", particularly if the actual domain embedded in the underlying URL is not an opera.com domain.

  • Not sure what you mean by "examine the underlying URL hiding beneath the visible link-text in the message, and whether the exact same text is as in the cover-text URL. How do I see the URL hiding beneath the visible link-text?

    If I copy the URL onto Word 2007, it looks the same as what I see in the email. When I inspect the element, which is a gmail option, when I right click on the link, I get (on the bottom of my browser window) an html type look at the email, and the link address (for me to respond to) there is the same as what appeared to me in the email. In other words, I can't see anything hidden. The address in the html (when I inspect the element) and the address that appears in the email are identical.

    My first worry was, was this some sort of elaborate pfishing (where I dumbly clicked the link) 🙂 If no, assuming, as it now seems to appear, that the email came from Opera, it's kind of odd that I was sent such an email from them, was it not? And they didn't send it to the email address registered with Opera for the account, but then again, I may have at some point in registration given them the backup contact email address.

  • We have seen these before, it actually could be from Opera if you for example had a second username at MyOpera registered under the other address. Either way, it really doesn't matter if you just ignore it.

  • I did click on the link, and say to keep my account open.

    Now I was thinking maybe from the long distant past, I may have had another account, so I logged into Opera with the other email address (the one they wrote me too), and said I forgot my password. They sent me a temporary password, and when I logged into Opera with the other email address and the temporary password, I got taken to a page where I was asked to set up a new "handle/user name." I was curious if I already had a user name with that address. It seems that I didn't. So I'm not convinced that this was with reference to a second account, though that's the only explanation that makes sense

    Anyway, I guess it's no big deal. Now if they were writing me about lem729, I would be really wondering. And I am glad it doesn't seem to have been a pfishing thing, as I did click on the link.

  • Not sure what you mean by "examine the underlying URL hiding beneath the visible link-text in the message, and whether the exact same text is as in the cover-text URL. How do I see the URL hiding beneath the visible link-text?
    If I copy the URL onto Word 2007, it looks the same as what I see in the email. When I inspect the element, which is a gmail option, when I right click on the link, I get (on the bottom of my browser window) an html type look at the email, and the link address (for me to respond to) there is the same as what appeared to me in the email. In other words, I can't see anything hidden. The address in the html (when I inspect the element) and the address that appears in the email are identical.
    My first worry was, was this some sort of elaborate pfishing (where I dumbly clicked the link) If no, assuming, as it now seems to appear, that the email came from Opera, it's kind of odd that I was sent such an email from them, was it not? And they didn't send it to the email address registered with Opera for the account, but then again, I may have at some point in registration given them the backup contact email address.

    Depending on the eMail client program one might be using, an "underlying" URL can often be observed in a status-bar display somewhere on the screen while mousing over the visible URL in the text, a lot like browsers often do. I'm not a G-mail user, but perhaps that's the same thing you're seeing with the right-click look at the 'element'.

    In phishing messages, either the perps are trying to get a user to download/open something (openly or covertly) or they're trying to get a user to visit a malicious site containing exploits or they're simply trying to get the user to visit a site whose actual URL is "customized" to link to the eMail address to which the original message was sent (to confirm its validity for further exploitation attempts). So it's always important to make sure the link one is going to visit is the exact same thing as the link that appears in the visible text, and that link appears to be legitimate. This matters because eMail can be crafted in such a way that the underlying, hidden, operative URL that governs where the browser actually goes can be made different from the text that "overlays" it in the message body. Hence, the commonly-stated, safe-hex rule of thumb: never click on a link in an unfamiliar eMail... instead, assuming the visible URL appears legitimate, retype it into the browser as it appears in the visible text or else proof the underlying URL in the manner I noted earlier (or via your right-clicked element) before clicking on a link.

    In your case, if the domain of the URL is actually opera.com, it should be safe - assuming Opera hasn't just been hacked... which, if that happens, a lot of folks would be in deep doo-doo.

  • Thanks, those are great tips, blackbird '71.

Log in to reply
 

Looks like your connection to Opera forums was lost, please wait while we try to reconnect.