
Someone used my open source project to phish people

Why This Matters

This incident highlights the vulnerabilities in open source projects when exploited for malicious activities like phishing. It underscores the importance of security measures and monitoring to protect both developers and users from abuse. For the tech industry and consumers, it serves as a reminder to remain vigilant about potential security threats even in seemingly benign tools.

Someone used my open source project to phish 14,000 people

Thursday morning, Resend emailed me. My sending quota for cloud.kaneo.app was exhausted. I had not sent anything in days.

I run an open source project management tool called Kaneo. Simple, all you need and nothing you don’t. The cloud version exists so people can try it without standing up Postgres. It’s the same software my self-hosted users run, and until last weekend it was almost exclusively used by developers evaluating it for their teams.

Last weekend someone else found it.

What I found

I SSHed in and ran a query. The new workspaces looked like this:

🔒Paul Brown from BANKING OPERATION invited you to join 3.4090_BTC receipt ...

There were 949 of them. All created in a three-hour window on May 28th. Each came from a different throwaway email provider: yomail.info, dropmail.me, spymail.one. Each account had created one workspace whose name was a complete phishing email subject line, then sent roughly a hundred invitations from that workspace to a list of strangers. 14,520 invitations total, mostly while I was asleep.

The invitation email went out from my verified Resend domain. Subject line: the workspace name. Body: a polite “<phishing payload> invited you to join <phishing payload> on Kaneo.” Click here to accept. The “click here” pointed at my actual site, which made the email look real, and the workspace name carried the scam, a link to craftum.io with a tracking suffix.

Whoever did this was patient. They had clearly tested. The workspace names weren’t random. They followed a template, with rotating variations on bank names, crypto amounts, and presenter names. They had a recipient list ready, presumably bought. They timed it for 4am UTC on a Thursday. They got about an hour and a half of clean sending before Resend’s rate detection kicked in and stopped them.
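A defender-side triage check for the abuse pattern described above, added here as an example and not Kaneo's own code: it scores a newly created workspace on the signals the post names (a link in the workspace name, a disposable sender domain, an invitation burst from a just-created account) so the invite email is held before it leaves a verified sending domain. The sample records, timestamps, thresholds and the tracking-suffix placeholder are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Disposable providers named in the post; a real deployment would use a maintained list.
DISPOSABLE_DOMAINS = {"yomail.info", "dropmail.me", "spymail.one"}
# A workspace name that carries a scheme or a bare domain is a subject line, not a team name.
URL_RE = re.compile(r"https?://|\b[\w-]+\.(?:io|com|net|app|me|one|info)\b", re.I)
# Constructed thresholds (assumption): a day-old account sending more than 20 invites.
NEW_ACCOUNT_WINDOW = timedelta(hours=24)
INVITE_BURST = 20

@dataclass
class Workspace:
    name: str
    creator_email: str
    created_at: datetime
    invites_sent: int

def risk_signals(ws: Workspace, now: datetime) -> list[str]:
    """Return the abuse signals a workspace trips; order is fixed for auditing."""
    signals = []
    if URL_RE.search(ws.name):
        signals.append("url_in_name")
    if ws.creator_email.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
        signals.append("disposable_email")
    if now - ws.created_at < NEW_ACCOUNT_WINDOW and ws.invites_sent > INVITE_BURST:
        signals.append("invite_burst_new_account")
    return signals

def should_hold_invites(ws: Workspace, now: datetime) -> bool:
    """Two independent signals are enough to queue invites for manual review."""
    return len(risk_signals(ws, now)) >= 2

# Constructed sample records: one shaped like the campaign in the post, one benign.
NOW = datetime(2025, 5, 28, 6, 0)
PHISH = Workspace(
    name="🔒Paul Brown from BANKING OPERATION invited you to join 3.4090_BTC receipt "
         "https://craftum.io/<tracking-suffix>",  # placeholder suffix, not the real one
    creator_email="paul.brown@dropmail.me",
    created_at=NOW - timedelta(hours=2),
    invites_sent=100,
)
BENIGN = Workspace("Platform Team", "alice@example.com", NOW - timedelta(days=30), 5)

if __name__ == "__main__":
    for ws in (PHISH, BENIGN):
        print(ws.name[:40], risk_signals(ws, NOW), should_hold_invites(ws, NOW))
```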
