Spam? Phishing? Genuine notification from musescore.org?

Dec 11, 2016 - 22:15

I just received two e-mail messages saying this:

Aldo,

A request to reset the password for your account has been made at MuseScore.

You may now log in to MuseScore by clicking on this link or copying and
pasting it in your browser:

https://m.musescore.com/user/reset/4792/1481490649/RW2RQgCpo4umSJ30UnIn…

This is a one-time login, so it can be used only once. It expires after one
day and nothing will happen if it's not used.

-- Team MuseScore

I didn't click anything, of course, 'cause I can't be sure if it's spam, phishing or genuine notification from musescore.org. What do you think?


Comments

I suspect that ChurchOrganist is correct. Maybe one of the perils of being near the beginning of the alphabet (as a naive hacker works his way through a list)?

In reply to by underquark

This appears to be a relatively sophisticated scammer; Whois search efforts to locate the registered owner of m.musescore.com default to a search for musescore.com, the results for which are legit.

Searching for the registered owner of the domain m.com, otoh, turns up a vague result with no useful information. I smell a rat.

It would be useful if you would go into the e-mail properties of the message and verify if that link did not overlay a completely different URL. Right click on the message in your mail client or webmail server, select Properties>Details>View Source. Read through the gibberish until you spot the text of the link and see if there isn't a completely different URL buried under it.

If you, within the past one minute, did, in fact, ask to reset your password at some web-site or another, then such an e-mail might, conceivably, be legitimate.

However, a scammer could just-as-easily send you an e-mail which, although it displayed a perfectly-legitimate-looking email address in the text of the embedded hyperlink, actually had a destination that was altogether different.

Bottom line: if you did not expect it, then it is not legit.
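The check described above (compare the URL shown in the link text with the URL the anchor actually points to) can be done mechanically over the message source. The following is an added example, not code from the thread or from MuseScore; the HTML body and the placeholder hostname `lookalike.example` are constructed for illustration, and `find_suspicious_links` and `AnchorCollector` are names chosen here. It flags two things: an anchor whose visible text names one host while its `href` names another, and an anchor carrying a script handler such as `onclick`, since a static comparison of the `href` cannot see where a script would send the click.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (not the original e-mail). Hostnames other
# than musescore.com / m.musescore.com are hypothetical placeholders.
SAMPLE_HTML = """
<p>You may now log in to MuseScore by clicking on this link:</p>
<a href="https://m.musescore.com/user/reset/USER/TIME/TOKEN">https://m.musescore.com/user/reset/USER/TIME/TOKEN</a>
<p>Help: <a href="https://musescore.com/help">https://musescore.com/help</a></p>
<p>Reset: <a href="http://lookalike.example/login">https://musescore.com/user/password</a></p>
<p>Profile: <a href="https://musescore.com/user" onclick="return go()">https://musescore.com/user</a></p>
"""

# Visible text that itself looks like a URL or bare domain makes a claim about
# the destination host; plain words such as "click here" do not.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)
SCRIPT_ATTRS = ("onclick", "onmouseover", "onmousedown")


class AnchorCollector(HTMLParser):
    """Collects (attributes, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._attrs = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._attrs = {k.lower(): (v or "") for k, v in attrs}
            self._text = []

    def handle_data(self, data):
        if self._attrs is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._attrs is not None:
            self.anchors.append((self._attrs, "".join(self._text).strip()))
            self._attrs = None


def host_of(url):
    """Lower-cased hostname of a URL; bare domains get a scheme so urlparse finds the host."""
    url = (url or "").strip()
    if not url:
        return ""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def find_suspicious_links(html):
    """Return findings for anchors whose displayed host differs from the real one,
    or which carry a script handler that could redirect the click."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for attrs, text in parser.anchors:
        href = attrs.get("href", "")
        if any(name in attrs for name in SCRIPT_ATTRS):
            findings.append({"reason": "script-on-link", "href": href, "shown": text})
            continue
        if not URL_LIKE.match(text):
            continue
        shown_host = host_of(text)
        real_host = host_of(href)
        if shown_host != real_host:
            findings.append({"reason": "host-mismatch", "shown": shown_host,
                             "actual": real_host, "href": href})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_HTML):
        print(finding)
```

Hostnames are compared as exact strings, so `m.musescore.com` and `musescore.com` are treated as different hosts; whether a subdomain is acceptable is a decision for the reader, which is why the finding reports both names instead of a verdict. A clean result from this check does not make a message safe, since it says nothing about whether the request was expected, which is the point the comment above makes.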

Hi Aldo and everyone,

Thank you for raising the question and sharing your concerns.

This is a totally legit email sent by the MuseScore server. It is sent when someone requests a password reset link via https://musescore.com/user/password or our mobile domain m.musescore.com, by submitting the email address or username.

It may happen that people mistakenly enter another email address (typo) or username (typo as well). As a result, you may receive such an email even when you didn't request one yourself. In that case, simply discard the email.

Improvements

It's clear from reading all your reactions that this is causing quite some confusion and even made some believe this is a phishing attack.

In order to reduce these fears, I have logged a todo for myself to:
* Append a small text to the email: "If you didn't make this request, ignore this email." (done already)
* Append FAQ in the footer of the email: "How do I know an email is from MuseScore?" (todo)
* Protect the password reset form with a captcha
* Protect the password reset form with an anti-flood mechanism
* Add a user setting to require personal information to reset your password
* Add links to the email to help and security questions
* ... learn from other services to further improve.

If you have questions or remarks, please let me know.

My previous comment was specifically addressed at the issue of deliberate scammers who forge emails that exactly replicate the legitimate emails sent out by forum servers such as this one ... except for the location that the URL actually leads to. (And they can, with JavaScript, make it very difficult to visually detect any discrepancy.) They are up to no good. They are purposely trying to deceive, and to thereby do harm. And they are treading on the goodwill of the legitimate sites, creating much vexation for the site owners.

Thus: if you know to expect it, based on your very recent actions on the forum in question, then it is likely to be legit. But, if it “just shows up in your inbox one day,” it probably isn’t.

In short, it pays to be skeptical.

The same thing is true, say, of “FedEx® Package Notifications.” Are you really expecting a package from someone? Does this e-mail contain details that you know to be true for this package? And, so on.

Many thanks to all of you for your kind replies.

I think that Thomas probably got what really happened:

"It may happen that people mistakenly enter another email address (typo) or username (typo as well). As a result, you may receive such an email even when you didn't request one yourself."

I will check my mail box for new messages of the same type in the next days. If none are there, then Thomas must be right for sure. Otherwise, I will perform some more investigations and let you know (being informed is never a Bad Thing).
