Justin

CMEG DNS Hijack - Please consider changing your passwords


This is a very long post, but I believe everyone should read this if you have an account with CMEG. I was hoping that CMEG was going to announce something this morning, but it looks like they won't.

 

TL;DR:
 

CMEG’s website had a DNS hijack deployed against it, and was redirecting users to a fake website in order to capture sensitive information. If you have a new user registration pending, or you attempted to log into the Secure Portal recently, at the least, change your password, and think about locking your credit.

 

Facts

CMEG's DNS server was hijacked. (Look at the image below to understand how that works)
The hijack targeted new user registrations, users who had registrations pending, and users attempting to log into the Secure Portal.
The hijackers could have taken very sensitive information.
If you have logged into CMEG recently, you could be exposed.
This does not mean your deposited money isn't safe.
This was fixed in the late evening Feb 28, 2020.

 

What happened?

 

The hijackers redirected the "Open an Account" button/link and the "Secure Portal" login link to go to different URLs.

 

Instead of sending users to the real URLs:

They were sent to the wrong URLs:

The fake site was designed to look identical to the real Open an Account page and the Secure Portal login page. Although after attempting to log in it 

 

Who does this affect?

 

The hijack affects four types of users:

1. Users that attempted to log into the Secure Portal (further, users that also used the same password for the Secure Portal as they used for their new Account Management account).

2. Users that had a new account registration pending

3. Users that attempted to sign up for a new account (Only your name, email and attempted password could have been taken)

What could they have taken?

 

If you either, a) had a registration pending or b) attempted to log into the Secure Portal while the hijack was active they could see this information if your password hasn't been changed:

Name

Tax Return

Social Security Number

Bank Statements

Passport

Driver's License

Messages between you and CMEG

One note about the Secure Portal - it is not the same place where you can go to see your account balance, trades, or instigate a withdrawal. These things are in the Account Management page, and use a different login (assuming you didn't use the same password).

 

Additional thoughts

 

This was not a DNS hijack targeting me alone. CMEG didn’t believe me (as the hijack was being hidden on their network - they couldn’t see that their URLs were changed). I verified it by getting different people around the country to test and see that the URL was changed for them too.

 

If you used the same password when signing up for an account (the Secure Portal) as you did when creating a login for the Account Manager, they could log in and see your trades and account size.

 

While I think people's money is safe, unfortunately the withdrawal request is simply a PDF document; the hijackers would have all the information needed to request a withdrawal. That being said, I believe it would not work because:

1. CMEG does require KYC (Know Your Customer) documentation. So the name on the bank account would have to be yours (although they could set up a new bank account in your name with all the information they could have taken).

2. Hopefully they would see the bank information wouldn't match the original deposit method.

3. CMEG would see that the request was coming from a different email address (but maybe they could spoof that too).

I do not know how long CMEG's DNS server was hijacked for. So I can't tell you if you're safe if you haven't logged in for the past 1 day, 1 month or 1 year.

 

My belief is that the hijackers would want the lowest hanging fruit: your email. For the sole purpose of trying to send you phishing emails.

 

[Image: DNS-Hijacking.png]

Edited by Justin
  • Thanks 2
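
The cross-location check described in the post above, as an added example that is not part of the original post: it takes page snapshots saved from several vantage points and reports any link whose target host is not one the site owner expects. The hostnames, vantage names and HTML are constructed placeholders, since the real and fake URLs are not shown in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder hostnames standing in for the site's real link targets.
EXPECTED_HOSTS = {"broker.example", "portal.broker.example"}

class LinkCollector(HTMLParser):
    """Collect (link text, href) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit(snapshots):
    """Return sorted (vantage, link text, host) for links that leave the allowlist."""
    findings = []
    for vantage, html in snapshots.items():
        parser = LinkCollector()
        parser.feed(html)
        parser.close()
        for text, href in parser.links:
            host = (urlsplit(href).hostname or "").lower()
            # Relative links have no host and stay on the site that served the page.
            if host and host not in EXPECTED_HOSTS:
                findings.append((vantage, text, host))
    return sorted(findings)

# Constructed page snapshots, one per vantage point (not captured from the real site).
GOOD = ('<a href="https://broker.example/open">Open an Account</a>'
        '<a href="https://portal.broker.example/login">Secure Portal</a>')
BAD = ('<a href="https://broker-signup.example.net/open">Open an Account</a>'
       '<a href="https://portal-login.example.net/login">Secure Portal</a>')
SNAPSHOTS = {"office-network": GOOD, "home-isp-east": BAD, "home-isp-west": BAD}

if __name__ == "__main__":
    for vantage, text, host in audit(SNAPSHOTS):
        print(f"{vantage}: '{text}' points at unexpected host {host}")
```

A vantage point that returns no findings while others do, like the office network in the sample data, matches the situation where the site operator cannot see the changed links from inside its own network.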


Justin u real sharp man !!

Thks for letting ppl know this will look out for this type of stuff on other brokers.

Edited by Alastair
