
Thursday 29 July 2010

Phishing domains on M247 Ltd

I've never heard of M247 Ltd before today until their network came up as providing infrastructure for this scam. A few IPs over from that server is another one at 89.238.165.197 which contains three phishing sites:

Ibloqin.com
Lloydststb-offshore.com  
Nbtibank.com

The sites are currently only displaying "Suspended" if you visit them.. this means nothing though, and it's a fairly common scammer technique to disguise that the site is active. Avoid.

Update: apparently these have now been nuked from orbit.

Tuesday 13 July 2010

"Your craiglist account requires attention!!"

A fairly obvious phish:

From: noreply@craigslists.org
Date: 13 July 2010 08:29
Subject: Your craiglist account requires attention!!
   
Please follow the link bellow to avoid expiration of your Account https://www.craigslist.org/account/update

Thank you for using our services
The link in the email actually goes through your.totalinternethost.com/bb.html before bouncing to accounts.craiglist.org.postifedelta.com/icons/crg/ - I'm guessing that the domains are legitimate but their domain admin account has been hacked.

The mail itself is "from" craigslists.org (i.e. more than one list) rather than craigslist.org, which is a clue, and also the subject is mis-spelled as craiglist .. usually signs that something is going wrong (and a couple of things that you could block if you roll your own mail filters).

If you click through, then you get a convincing looking login page which is an exact copy of the real thing:

[Screenshot: the fake login page]


Fill in the login details, and the fake page harvests them and sends you on to the REAL page (pictured below) which looks identical. Presumably, victims are meant to think that their login has failed in some way.

The catch? Both the real and fake pages have an identical warning:

WARNING:  scammers may try to steal your account by sending an official-looking email with a link to a fake craigslist login page that looks like this page, hoping you'll type in your username and password.

[Image: example of valid craigslist address]

Look carefully at the web address near the top of your browser to make sure you are on the real craigslist login page, https://accounts.craigslist.org

The safest way to login is go to the craigslist homepage directly by typing in the web address, and then clicking on the 'my account' link.
Both fake and real pages even have a picture to show you what to look for:

On the fake page, the URL in the browser bar clearly does not match the one on the page. But how many people actually read it? Any sysadmin will tell you that there's a hard core of users who don't read or understand warnings, and obviously there are enough of them to make this scam worthwhile.

Just for the record, these are the IPs in this particular phish:
accounts.craiglist.org.postifedelta.com 
116.12.52.25
Usonyx, Singapore

your.totalinternethost.com
64.191.40.21
Burstnet, Scranton

Monday 14 June 2010

Phishtank FAIL: hsbcnet.com / hsbc.net

hsbcnet.com is a valid and legitimate website belonging to HSBC. Traffic is redirected to this site from hsbc.net. The site itself is hosted on AS26381 63.111.163.110, which is delegated to an HSBC subsidiary called Household International from Verizon. The hsbcnet.com domain was registered in 1998 to a registrant with an hsbc.com web address:

Registrant:
HSBC
   One HSBC Center
   Floor 21 - HTS eBusiness
   Buffalo, NY 14203
   US

   Domain Name: HSBCNET.COM

   Administrative Contact, Technical Contact:
      Fischer, Chuck  charles.fischer -at- us.hsbc.com
      HSBC Bank USA
      One HSBC Bank
      eBusiness, 21st Floor
      Buffalo,, NY 14203
      US
      (716) 841-2075 fax: (716) 841-5022


   Record expires on 04-Dec-2010.
   Record created on 04-Dec-1998.
   Database last updated on 14-Jun-2010 04:41:11 EDT.

   Domain servers in listed order:

   NS3.HSBC.COM                
   NS4.HSBC.COM       
         

It's clearly not a phishing site, and yet Phishtank say that it is.


Now, Phishtank does just allow any old user to mark a site as phishing. In this case, the site was submitted by a user called dvk01  and then verified by SEVEN other people as a phish - stuartgrant knack NotBuyingIt cybercrime marcoadfox Aminof theGeezer - although some people have said that it isn't. As a result of this faulty groupthink, 71% of reports say that this legitimate site is a phish.

This false positive has now filtered down to OpenDNS and a number of other blocking services (e.g. Sophos) that are now erroneously blocking access to HSBC.

Don't get me wrong, Phishtank and other similar services can be very useful. But in this case it shows that Phishtank's verification process really doesn't work.. as any actual examination of the web site in question would surely identify it as legitimate.

Friday 23 April 2010

"Twitter Support" phish

This phish claims to be from Twitter, but it actually redirects to a fake site at adcopy.awbweb.com/differential.html hosted on 216.81.74.9 which appears to be a legitimate site that has been hijacked.

From: Twitter Support <support@twitter.com;>
Subject: Undelivered Message 52-629

Hi,

You have 1 unread message(s)
http://twitter.com/account/message/0C5B9-C2FEF

The Twitter Team

Please do not reply to this message; it was sent from an unmonitored email address. This message is a service email related to your use of Twitter. For general inquiries or to request support with your Twitter account, please visit us at Twitter Support.

Thursday 10 September 2009

Fake HMRC tax refund messages

Looks like there's a spam run in progress with the following fake tax refund message:
From: HM Revenue & Customs [mailto:rsa.messages@hmrc.rsamessages.co.uk]
Sent: 10 September 2009 10:16
Subject: [ HMRC MESSAGE ID NUMBER: 381716209 ]

(This is an outbound message only. Please do not reply.)



Dear Applicant,

The contents of this email and any attachments are confidential and as applicable, copyright in these is reserved to HM Revenue & Customs. Unless expressly authorised by us, any further dissemination or distribution of this email or its attachments is prohibited.

If you are not the intended recipient of this email, please reply to inform us that you have received this email in error and then delete it without retaining any copy.

I'm writing to confirm that after the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 327.54 GBP

You have attached the tax return form with the TAX REFUND NUMBER ID: 381716209, complete the tax return form attached to this message.

After completing the form, please submit the form by clicking the SUBMIT button on form and allow us 5-9 business days in order to process it.

If you have any questions, please refer to our Frequently Asked Questions (FAQs) or visit our head office address can be found on our web site at http://www.hmrc.co.uk/

Yours sincerely,
Kevin Taylor
Manager, HM Revenue & Customs Tax Credit

TAX RETURN FOR THE YEAR 2009
RECALCULATION OF YOUR TAX REFUND
HMRC 2008-2009
LOCAL OFFICE No. 3819
TAX CREDIT OFFICER: Kevin Taylor
TAX REFUND ID NUMBER: 381716209
REFUND AMOUNT: 327.54 GBP


This e-mail is generated by RSA Security United Kingdom on behalf of HM Renenue & Customs


Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.


or another variant:


From: HM Revenue & Customs [mailto:officer.robinson@hmrc.co.uk]
Sent: 10 September 2009 10:23
Subject: TAX REFUND ID NUMBER: 381716209

TAX RETURN FOR THE YEAR 2009

RECALCULATION OF YOUR TAX REFUND

HMRC 2008-2009

LOCAL OFFICE No. 3819

TAX CREDIT OFFICER: NEIL ROBINSON

TAX REFUND ID NUMBER: 381716209

REFUND AMOUNT: 344.79

Dear Applicant,

The contents of this email and any attachments are confidential and as applicable, copyright in these is reserved to HM Revenue & Customs.

Unless expressly authorised by us, any further dissemination or distribution of this email or its attachments is prohibited.

If you are not the intended recipient of this email, please reply to inform us that you have received this email in error and then delete it without retaining any copy.

I am sending this email to announce: After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 344.79

You have attached the tax return form with the TAX REFUND NUMBER ID: 381716209, complete the tax return form attached to this message.

After completing the form, please submit the form by clicking the SUBMIT button on form and allow us 5-9 business days in order to process it.

Our head office address can be found on our web site at http://www.hmrc.co.uk/

Sincerely,

NEIL ROBINSON

HMRC Tax Credit Officer

officer.robinson@hmrc.co.uk

Preston

PR1 0SB



There's an attachment in both cases that attempts to harvest personal details (basically everything you need for identity theft) and sends them off to the attacker. In this case, the domains used are jub23bi.biz and xgen99.biz, although there are probably others. Scanning your outbound log files for /luk.php or /luk1.php or .biz/luk might reveal anyone who has fallen for it.


Obviously, if you've entered your details into something like this then you need to contact your bank as soon as possible and explain that your account has been compromised.
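The log check suggested above, written out as an added example that is not part of the original post. It assumes Squid-style access.log lines (constructed here, not real traffic) and treats the loose ".biz/luk" pattern as a weaker indicator than the exact script names, so a match on it gets a human look rather than an automatic verdict:

```python
"""Scan outbound proxy logs for the HMRC phishing kit's submission paths.

Added example, not code from the original post. Log lines are constructed in
Squid native access.log layout (an assumption about the proxy in use; adapt the
regex for other formats). Indicators are the ones named in the post.
"""
import re
from urllib.parse import urlsplit

PATH_INDICATORS = ("/luk.php", "/luk1.php")       # the kit's collection scripts
DOMAIN_INDICATORS = ("jub23bi.biz", "xgen99.biz")  # hosts named in the post

# Squid native format: timestamp elapsed client code/status bytes method URL ...
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log: one normal request, two form submissions to the kit,
# and a request that only trips the loose '.biz/luk' pattern.
SAMPLE_LOG = """\
1252577761.123    210 10.1.2.34 TCP_MISS/200 5120 GET http://www.example.org/news.html - DIRECT/203.0.113.5 text/html
1252577801.456     88 10.1.2.34 TCP_MISS/200 312 POST http://jub23bi.biz/luk.php - DIRECT/203.0.113.6 text/html
1252578120.789     95 10.1.2.57 TCP_MISS/200 298 POST http://xgen99.biz/luk1.php - DIRECT/203.0.113.7 text/html
1252578200.001    130 10.1.2.99 TCP_MISS/200 4401 GET http://example.biz/lukewarm/page.html - DIRECT/203.0.113.8 text/html
"""


def classify(url: str):
    """'strong' for the kit's exact scripts or domains, 'weak' for the loose
    '.biz/luk' pattern the post mentions (needs a human look), else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    if host in DOMAIN_INDICATORS or any(path.endswith(p) for p in PATH_INDICATORS):
        return "strong"
    if host.endswith(".biz") and "/luk" in path:
        return "weak"
    return None


def scan_log(text: str) -> list:
    """Return one record per matching request, keeping the client address so the
    affected user can be contacted."""
    hits = []
    for line in text.splitlines():
        m = SQUID_LINE.match(line)
        if not m:
            continue
        verdict = classify(m.group("url"))
        if verdict:
            hits.append({"client": m.group("client"), "method": m.group("method"),
                         "url": m.group("url"), "verdict": verdict})
    return hits


def affected_clients(hits: list) -> list:
    """Clients with a strong hit: these users almost certainly submitted the form."""
    return sorted({h["client"] for h in hits if h["verdict"] == "strong"})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"[{h['verdict']:6}] {h['client']} {h['method']} {h['url']}")
    print("contact these users:", affected_clients(found))
```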

Tuesday 25 August 2009

CurrencyVendor.com: can you trust it?

Another doubtful World of Warcraft site is currencyvendor.com hosted on the same server as these other WoW scam sites.

Does it look trustworthy? Well, no. It's hosted by YoHost.org on the same server as a load of WoW scam sites, phishing sites, fake internet companies, bogus pharmacies and all sorts of other things. The domain was set up a few days ago, and is hosted on an anonymous server with anonymous contact details. Given the very high number of scam sites on this server, the lack of history and the anonymous contact details, we would strongly recommend extreme caution if dealing with this site.


Update: the people behind CurrencyVendor.com deny that it is a scam, but acknowledge that their web host does host scam sites. They also decline to identify themselves. Draw your own conclusions, but as a general rule doing business with someone who refuses to identify themselves is a bad idea.

Thursday 13 August 2009

Some "World of Warcraft" Scam sites

I don't play WoW myself, but there are a whole bunch of bad guys out there trying to rip off player accounts for money. Here are some recent domains hosted at scam-friendly YoHost.org that you should avoid.. if you HAVE entered your password into one of these sites, then change it NOW.

  • Blizzard-battle.net
  • Blizzard-promotion.com
  • Promotions-battle.net
  • Promotions-worldofwarcraft.com
  • Worldotwarcaft.net
  • Wowmovieteaser.com
  • Wowtcgpromotion.com

Wednesday 22 July 2009

Even more pathetic SpamCop.net phish

I thought that phishing emails couldn't get more rubbish than this but it turns out that I was wrong. Enjoy:

Subject: FINAL ACCOUNT UPDATE!!!
From: "SPAMCOP SUPPORT TEAM" <helpdesk@spamcop.net>
Date: Wed, July 22, 2009 7:15 pm

Dear spamcop.net Subscriber,

We are currently carrying-out a mantainace
process to your spamcop.net account, to
complete this, you must reply to
this mail immediately, and enter your
User Name here (,,,,,,,,) And Password here
(.......) if you are the rightful owner of
this account.

This process we help us to fight against
spam mails.Failure to summit your password,
will render your email address
in-active from our database.

NOTE: If your have done this before, you may ignore
this mail. You will be send a password reset
messenge in next seven (7)
working days after undergoing this process
for security reasons.

Thank you for using spamcop.net!
THE SPAMCOP TEAM


The Reply-To email address is verification_teamss12@yahoo.com.hk, originating IP is 203.59.222.34.

Tuesday 14 July 2009

Really pathetic SpamCop.net webmail phish

Probably the most pathetic phish ever - the bad guys nicely provide a space in the email for you to put your username and password and then email it back. Combined with a fairly vague grasp of the English language, then it's hard to see that this would fool anyone at all.

From: "SpamCop Webmaster online" <spamcop.net.webmaster@mchsi.com>
Date: Tue, July 14, 2009 4:11 pm
Cc: recipient list not shown:;
Priority: Normal

Dear SpamCop Webmail online Email Account Owner,

Important notice, harmful virus was detected in your account which can be harmful to our subscriber unit.You are to enter your Username and Password here {____________, __________} to enable us set in an anti virus in your user account to clear up this virus. we do need your co-operation in this, Providing us with this information we enable us insert in your account an anti virus machine for clean up.

We are sorry for the inconveniences this might have cost you. Failure to do this, we are sorry to let you know that your account will be deleted immediately to prevent it from arming our subscriber unit.

Thank you for using SpamCop Webmail,
We are glad at your service,
SpamCop Webmaster online.
Originating IP is an open proxy at 200.65.129.2.

Friday 1 May 2009

webmail.upgrade@spamcop.net phish

A fairly lazy attempt to phish SpamCop accounts, originating from 200.85.160.12 in Nicaragua. If you're a SpamCop subscriber, then report it via the usual mechanism. The Reply-To address is webmailupgrader@consultant.com, so you should be able to tell that it is a fake.

Subject: Spamcop Email Verification
From: "Spamcop Webmail Notice" webmail.upgrade@spamcop.net
Date: Fri, May 1, 2009 5:11 pm
To: webmail.upgrade@spamcop.net

Dear Spamcop Webmail Account Owner,
We are currently performing maintenance for Our Spamcop
Digital Webmail Customers.We intend upgrading our Digital
Webmail Security Server for better online services. We are
canceling unused Spamcop webmail email account to create
more space for new accounts.To prevent your account from
closing you will have to update it below to know it's status
as a currently used account.

CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username :=====================================
Email Password :=====================================
Date of Birth :======================================

Warning!!! Any account owner that refuses to update his/her
webmail account within three (3) days of this update
notification will loose his/her account permanently.

Thank You For Your Support

Thursday 26 February 2009

Strange Tripod phish

Why anyone would want to phish for a Tripod account is beyond me, but for some reason webmail accounts seem to be a target. This phish for Tripod credentials has (so far) the following subjects:

Subject: For Tripod user
Subject: Important information from Tripod Team
Subject: Tripod Confirmation Form

The rest of the email is similar to the following:

From: "Tripod Customer Service" support@support.lycos.com


Dear Tripod user!Due to technical issues, the new Tripod software release is
currently on hold. However, a series of enhancements have been made. The new
client-server protocol is one of them. Now you need to complete Tripod Confirmation
Form to update your Tripod account.Please use the link below to access Tripod
Confirmation
Form:http://www.tripod.lycos.com/adm/redirect/www/form/tripodcf.aspx?[redacted]

Sincerely,
The Tripod Team
This message has been automatically generated.
Please do not reply to this message.
For information about the Lycos Privacy Policy Please see:
http://info.lycos.com/privacy
For information about the Terms and Conditions of this service Please see:
http://info.lycos.com/legal
The visible "http" link is fake; underneath, the real URLs are www.tripod.lycos.comttlfile.eu/adm/redirect/www/form/tripodcf.aspx?=[redacted] and www.tripod.lycos.comproftd.tw/adm/redirect/www/form/tripodcf.aspx?=[redacted]. (I have redacted the tracking information.)

Oddly, the .eu and .tw hosts in question do not resolve at the moment, presumably these will be registered later. A trick that spammers sometimes use is to send out the spam and THEN register the domains, in order to trick spam filters.

It's probably a phish, but it could be a drive-by download. In any case, it's best avoided, and if you HAVE entered details into one of these phishing pages then you should change your Tripod password and the password on any other site that uses the same username / password combination.
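The trick in these hostnames, and in the Craigslist phish above where the link went to accounts.craiglist.org.postifedelta.com, comes down to which part of the hostname the registrant actually controls: everything left of the registrable domain is a subdomain the attacker can name "www.tripod.lycos" if they like. The following is an added example, not code from the original post; its tiny suffix table stands in for the Public Suffix List and is an assumption.

```python
"""Which part of a link's hostname does the registrant really control?

Added example, not code from the original post. The suffix table below is a tiny
stand-in for the Public Suffix List (an assumption); production code should load
the real list. Hostnames in SAMPLES are the ones quoted in the blog posts.
"""
from urllib.parse import urlsplit

# Suffixes under which the registrable domain needs three labels, e.g. example.co.uk.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.hk"}


def hostname_of(url: str) -> str:
    """Extract the host from a URL, tolerating links written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Return the domain a registrant actually owns: the last two labels, or three
    under a known multi-label suffix. Everything to the left is a subdomain the
    owner can name however they like, which is the whole trick."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_belongs_to(url: str, brand_domain: str) -> bool:
    """True only if the link's registrable domain is the brand's own domain."""
    return registrable_domain(hostname_of(url)) == registrable_domain(brand_domain)


def analyse(url: str, brand_domain: str) -> dict:
    host = hostname_of(url)
    return {
        "host": host,
        "registrable": registrable_domain(host),
        "legitimate": link_belongs_to(url, brand_domain),
    }


# Constructed sample: links quoted in the posts, with the brand each pretends to be.
SAMPLES = [
    ("https://www.craigslist.org/account/update", "craigslist.org"),  # text shown in the mail
    ("accounts.craiglist.org.postifedelta.com/icons/crg/", "craigslist.org"),
    ("http://www.tripod.lycos.comttlfile.eu/adm/redirect/www/form/tripodcf.aspx", "lycos.com"),
    ("http://www.tripod.lycos.comproftd.tw/adm/redirect/www/form/tripodcf.aspx", "lycos.com"),
]

if __name__ == "__main__":
    for url, brand in SAMPLES:
        r = analyse(url, brand)
        print(f"{'OK ' if r['legitimate'] else 'BAD'} {r['host']:45} -> {r['registrable']}")
```

Note that the Tripod hosts resolve to the registrable domains comttlfile.eu and comproftd.tw: the "lycos.com" the victim sees is the end of one label and the start of the next.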

Friday 16 January 2009

Spamcop.net phish

Here's a phish being sent to Spamcop webmail users - the approach has also been used for other webmail systems, so it isn't just Spamcop being targeted:

Subject: UPDATE YOUR SPAMCOP.NET ACCOUNT NOW
From: "spamcop.net webmail update" {info@yahoo.com}

Dear spamcop.net E-mail owners,

This message is from spamcop.net messaging center to all our email account
owners.
We are currently upgrading our data base and e-mail center due to an unusual
activities identified in our email system. We are de-activating all unused
spamcop.net accounts to create space for new accounts. To prevent your account
from being de-activated, you will have to verify your webmail account by
confirming your Webmail identity So that we will know that it's presently a
used account. We have been sending this notice to all our email account owners
and this is the last notice/verification exercise.

CONFIRM YOUR EMAIL IDENTITY BELOW
Last Name: ...........
Username: .......... .
Password : ...........

YOU ARE REQUIRED TO SEND THESE DETAILS TO THE UPDATE TEAM BY SIMPLY
REPLYING TO THIS EMAIL WITH THE REQUESTED DETAILS.

Warning!!! Account owners who fails to update his or her account on receiving
this notice might loose his or her account.

Warning Code:VX2G99AAJ.spamcop.net
Thank you.
"SPAMCOP.NET IT TEAM"

Replying to the email gives a reply-to address of account_up_grade@hotmail.com and the originating IP is 216.241.36.13.

Sunday 4 January 2009

"Your new e-mail has been successfuly added" PayPal phish


A slightly different approach from the usual PayPal phish rubbish:

Subject: Your new e-mail has been successfuly added
From: "service@paypal.com" noreply@vodafone.net

Dear PayPal member,

You have added joemontgo85@sbcglobal.net as a new email address for your PayPal account.

If you did not authorize this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, submit the form attached to your email in order to keep your original email and restore your PayPal account.


Thank you for using PayPal!
The PayPal Team

Please do not reply to this email.
This mailbox is not monitored and you will not receive a response.

----------------------------------------------------------------------------------------
Copyright © 1999-2009 PayPal. All rights reserved.

PayPal Email ID PP007
Quite when PayPal started to send email from a vodafone.net account passed me by. The phish jumps through two legitimate but compromised web sites at ol4b.com and imuze.co.uk before it hits a standard PayPal phishing page. It looks like joemontgo85@sbcglobal.net might be consistent for this spam run though.

Thursday 6 November 2008

Stupid but sophisticated "Lloyds TSB" phish

Spammers are generally pretty stupid. This particular phish looks pretty normal to begin with:

Customer Service department
Lloyds TSB Bank
September 26th, 2008


To all business and personal customers

We would like to inform you about recent change in Lloyds TSB terms and conditions of banking services. Lloyds TSB has updated terms and conditions for both business and personal customers. Each customer should read and accept current terms and conditions.
Failure to accept new terms and conditions may lead to blocking of current services. Such as loans, credit cards, online banking, savings accounts, bill payments. Take a moment to read through new terms and conditions. There are two convenient ways to request updated terms and conditions. You can request them by mail or use online banking to confirm the new terms of service. Please follow the link below to review and confirm updated terms and conditions.
www.lloydstsb.com/terms

Thank you for banking with the most trusted UK bank,
Lloyds TSB Customer Service Team

We know that this is a phish because a) it was sent to a harvested address and b) Lloyds TSB don't send out emails like this. So a typical next step would be to check the source code to find where the phishing site is.

So the only hypertext link in the document is to http://www.lloydstsb.com which is the real Lloyds TSB bank. A closer look shows an attempted image load from http://lloydstlb.com/images/logo_lloydstsb.gif which is the phishing site hosted on a botnet. The domain is registered to BIZCN.COM who seem to have taken over this sort of business from Estdomains.

The fake site looks pretty convincing.. even if no-one will click through to it.

The login screen looks authentic too.

The next step looks exactly like the genuine login. The "memorable information" prompt asks for 3 letters from a longer passphrase, specifically letters 1, 3 and 5.

But guess what, when you enter the information it tells you that you did it incorrectly and asks for letters 2, 4 and 6 instead. So now they have letters 1-6.

Blah blah blah..

But what's this at the bottom? Yup, more characters from the memorable phrase are needed..

Finally, a confirmation:

So, like many modern phishing sites the actual web site looks very credible, even the domain name looks reasonable if you only glance at it. Fortunately for the intended victims, the idiots have messed up the spam and.. this time at least.. nobody will get this far.
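The look-alike names in this post (lloydstlb.com for lloydstsb.com) and in the Craigslist post above (craigslists.org as sender, "craiglist" in the subject) are each one character off the real thing, which a small edit-distance check catches. This is an added example, not code from the original post; the brand list, the distance threshold of 2 and the sample message headers are assumptions based on the values quoted in the posts.

```python
"""Edit-distance check for brand look-alikes in mail headers and link hosts.

Added example, not code from the original post. BRANDS and MAX_DISTANCE are
assumptions; the header values and hostnames come from the posts.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Brand name -> domains that genuinely belong to it (assumed list).
BRANDS = {
    "craigslist": ("craigslist.org",),
    "lloydstsb": ("lloydstsb.com", "lloydstsb.co.uk"),
}
MAX_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host: str):
    """Return the brand HOST imitates, or None for the genuine domain (or one
    unrelated to any brand). A brand name used as a subdomain of somebody
    else's domain, e.g. craigslist.org.evil.example, is also reported."""
    host = host.lower().strip(".")
    for brand, genuine in BRANDS.items():
        if host in genuine or any(host.endswith("." + g) for g in genuine):
            return None
    for label in host.split("."):
        for brand in BRANDS:
            if edit_distance(label, brand) <= MAX_DISTANCE:
                return brand
    return None


def misspelled_brands(text: str) -> list:
    """Words that are almost, but not exactly, a brand name ('craiglist')."""
    found = []
    for word in re.findall(r"[a-z0-9]+", text.lower()):
        for brand in BRANDS:
            if 0 < edit_distance(word, brand) <= MAX_DISTANCE:
                found.append((word, brand))
    return found


def check_message(raw: str) -> dict:
    """Apply both checks to the From: domain and Subject: of a raw message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    return {
        "sender_domain": sender_domain,
        "sender_imitates": lookalike(sender_domain),
        "subject_misspellings": misspelled_brands(msg.get("Subject", "")),
    }


# Constructed sample reproducing the headers quoted in the Craigslist post.
SAMPLE_MAIL = """\
From: noreply@craigslists.org
Date: Tue, 13 Jul 2010 08:29:00 +0000
Subject: Your craiglist account requires attention!!

Please follow the link bellow to avoid expiration of your Account
"""

if __name__ == "__main__":
    print(check_message(SAMPLE_MAIL))
    for h in ("lloydstlb.com", "www.lloydstsb.com", "accounts.craiglist.org.postifedelta.com"):
        print(h, "->", lookalike(h))
```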

Thursday 30 October 2008

Estdomains is not dead yet



Thanks to Sandi for bringing the not-so-good-news that Estdomains is not quite dead yet. For a moment it looked like ICANN had grown some cojones, but perhaps not.

Estdomains' termination was based on the fact that their President, Vladimir Tsastsin, has been convicted of fraud in Estonia. However, Estdomains are attempting to wriggle out of this by saying that Tsastsin didn't do it and that he resigned as president some time ago. Bearing in mind that an Estonian court said he DID do it (although he is appealing, which could take forever) and that the only proof offered by Estdomains that he resigned looks a bit unconvincing, the whole excuse looks rather thin.

Of course, the reason why Estdomains should be terminated is their long-running association with organised crime, as documented here and here. Add to that the fact that the company deliberately conceals its identity by using a Delaware corporation as a front (when obviously "Est" is for Estonia), and it is clear that they should have been terminated a long, long time ago.

Wednesday 29 October 2008

Estdomains is dead


Good riddance to bad rubbish - Estdomains has been de-accredited by ICANN, although it took long enough. If you're a registrar who wants to take on some of the most toxic domain names in the business, then ICANN invites you to apply for them.

More details here. Thanks to Spyware Sucks for the heads-up.

Wednesday 10 September 2008

SpamCop phish

Some people will phish for anything - in this case they are trying to get access to SpamCop accounts. Go figure. Reply to address is 2020sarah@live.com.




Subject: UPDATE YOUR ACCOUNT / SPAMCOP.NET
From: "Admin@spamcop.net"
Date: Wed, September 10, 2008 4:54 pm
Cc: recipient list not shown:;
Priority: Normal

This is a WebNews Email Account Update
Please see the bottom of this mailing on this information.
-----------------------------------------------------------
SPAMCOP.NET WEBMAIL
INTERNET SERVICE WEBSITE WISH TO INFORM YOU THAT WE HAVE
SOME PROBLEMS ABOUT EACH CUSTOMER ACCOUNT EMAIL. DUE TO
ERROR CODE 334409.

WE DISCOVERD THAT IN FEW DAYS FROM NOW EACH CUSTOMER WILL
NOT BE ABLE TO ACCESS HIS OR HER EMAIL ACCOUNT. IN THAT
REGARD,YOU ARE REQUIRED TO SEND YOUR EMAIL ADDRESS AND
PASSWORD FOR A NEW ACCOUNT UPDATE.

YOU ARE ADVISED TO IMMEDIATELY SEND US THE REQUIRED
INFORMATION SO AS TO ENABLE US IMMEDIATELY UPDATE YOUR
ACCOUNT.

Note:You have to understand that the reason why we are not
sending this message from our own private account.This is
due to some technical problem we are having right now.

BELOW THE INFORMATION RQRUIRED FOR ACCOUT UPDATE

1)Full Email Address:
2)password:
3)date of birth:

Thanks for your understanding.

SPAMCOP.NET WEBMAIL INTERNET SERVICE


Saturday 2 February 2008

moneybookers.com / xcitinggames.com phish


It's unusual to see a moneybookers.com phish, but perhaps it shows that the phishers are moving on to different targets. This particular phish reads:

Greetings from moneybookers.com! We would like to inform you that you have received a payment from banking@xcitinggames.com.

Payment details

Amount: . 147.00
ID: 89089098
Subject: received payment
Note: Click here to accept this payment

Your money is waiting for you in your Moneybookers account.

Use this link to accept payment- www.moneybookers.com.

We hope you enjoy your cash.

One other notable feature of this phish is the use of an AOL redirector to attempt to fool spam filters, in this case eventually pointing to http://195.234.171.86/app/login.pl/index.htm which is a server in Italy, probably rented with stolen credit card details.

Neither moneybookers.com nor xcitinggames.com are involved in this phish. I understand that AOL have been told about their redirector problem several times but have not acted.