Sponsored by..

Showing posts with label Phishing. Show all posts
Showing posts with label Phishing. Show all posts

Wednesday 23 September 2015

Phish: "SHIPMENT LABEL" / "DHL Courier Services [roger@community.mile.org]"

This DHL-themed spam is actually a phishing email:

From:    DHL Courier Services [roger@community.mile.org]
Date:    23 September 2015 at 11:15
Signed by:    community.mile.org

Dear customer,

Your shipment arrived at the post office.Our courier was unable to deliver the shipment to your address.To receive the shipment,please visit the nearestDHL office and take your mailing label with you.

The mailing label is attached in this email.Please print and show at the nearest DHL office to receive the shipment.

Thank you for using DHL services.

Princess Court 11
Wapping Ln,London,
E1W2DA,United Kingdom
Toll Free:+442075532200
Office Hours:9:00am-7:00pm
Attached is a PDF file shipmentt_label.pdf which is not malicious in itself, but contains a hypertext link (as you can see in this Hybrid Analysis report).

If the potential victim clicks "Click here" then they are directed to ow.ly/Sq9to and from there to a phishing page at br1-update.be/wg/lhd.php on (Inetserver Inc, US) which belongs to a netblock which also looks highly suspect.

The phishing page itself is a complex script which is Base 64 encoded, then hex encoded (Pastebin here) which is presumably phishing for email accounts. The spam itself appears to have been sent from a compromised webmail account at community.mile.org

For the moment, I would suggest that the entire range is malicious and should be blocked.

Thursday 11 June 2015

Phish: "New_Order_#056253_Hf_Constructions" / "joseph.zhou@hong-kee.com"

I've seen a few of these today, presumably they aren't quite spammy enough to get blocked by our mail filters..

From: Kang Li [mailto:joseph.zhou@hong-kee.com]
Sent: 10. juni 2015 09:35
Subject: New_Order_#056253_Hf_Constructions


Please find attached our new order and send P/I against 50% advance payemnt

best regards
The attachment is New_Order_#056253_Hf_Constructions.pdf which looks like a purchase order, but there is a blurred out section.

An examination of the underlying PDF file shows two URLs listed:


In turn these redirect to:


The second URL listed 404s, but the first one is active. According to the URLquery report, it looks harmless, just leading to a phishing page. But when I tried it in a test environment, the behaviour was somewhat different and it also attempted to load a page at:


This page 404s, but was previously hosted on a bad server at [VT report]. That server has been offline for a few days, but the URL is suggestive of an exploit kit of some sort.

The "megatrading.hol.es" (hosted on by Hostinger - VT report) landing page looks like a straightforward phish:

Entering the username and password always seems to return an error, even if you are absolutely certain the combination are correct..

I suspect that all this portion is doing is collecting email addresses and passwords for use later. Webmail accounts have some value to the bad guys, and of course many people re-use passwords all over the place, so it could be used as a way to get access to other services. Take care.

Recommended blocklist:

Friday 24 October 2014

Do people really fall for this?

Here's a simple phishing spam..
From:     info@kythea.gr
Date:     24 October 2014 13:50
Subject:     payment

this mail is to inform you that the payment have been made
see the attached file for the payment slip

Attached is a file payment Slip (2).html which displays a popup alert:
You have been signed out of this account this may have happened automatically cause the attachement needs authentication. to continue using this account, you will need to sign in again. this is done to protect your account and to ensure the privacy of your information
The victim then gets send to a phishing page, in this case at uere.bplaced.net/blasted/tozaiboeki.webmail.html which looks like this..

Ummm... do people really fall for this? The frightening answer is.. probably, yes.

Tuesday 7 October 2014

DHL-themed phish goes to a lot of effort and then spoils it with Comic Sans

This DHL-themed phish is trying to harvest email credentials, but instead of just spamming out a link, it spams out a PDF file with the link embedded in it.

Date:     6 October 2014 23:32
Subject:     Package has been sent.

Your shipment(s) listed below is scheduled for delivery on Thursday next week.

Scheduled Delivery Date: Thursday, 10/09/2014

Shipment 2


Kindly please see attached file for shipment /delivery details and tracking procedure. You can also request a delivery change (e.g. reschedule or reroute) from the tracking detail.

Approximate Delivery Time: between 3:00 PM and 7:00 PM
DHL Service: DHL 2nd Day Air

We are pleased to provide you with delivery that fits your life.

© 2014 Parcel Service of the World. DHL, the DHL brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
All trademarks, trade names, or service marks that appear in connection with UPS's services are the property of their respective owners.
For more information on DHL's privacy practices, refer to the DHL Privacy Notice.
Please do not reply directly to this e-mail. DHL will not receive any reply message.
For questions or comments, visit Contact DHL.

This communication contains proprietary information and may be confidential.  If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Notice
DHL My Choice Service Terms
Contact DHL

Look closely at the blurb at the bottom and it confuses DHL with UPS, but who reads that? Attached is a non-malicious PDF file DHL (1).pdf which contains a link to the phishing site.

So far, so professional. And a neat trick to use PDF files in this way as a lot of spam filters and anti-phishing tools won't spot it. The link in the PDF goes to where it has a rather less professional looking webpage that is phishing for general email addresses rather than DHL credentials.

With the grotty graphics and injudicious use of Comic Sans, it's hard to see how this would fool anyone into turning over their credentials.. but presumably they manage to harvest enough usernames and passwords to make it worthwhile.

Friday 8 August 2014

"Security concern on your AmericanExpress Account" spam

This fake AmEx spam appears to lead to a phishing site on multiple URLs:

From:     American Express [AmericanExpress@welcome.aexp.com]
Date:     24 July 2014 10:35
Subject:     Security concern on your AmericanExpress Account   

Dear Customer:

We are writing to you because we need to speak with you regarding a security concern on your account. Our records indicate that you recently used your American Express card on August 8, 2014.

For your security, new charges on the accounts listed above may be declined. If applicable, you should advise any Additional Card Member(s) on your account that their new charges may also be declined.

To secure your account , please click log on to : http://americanexpress.com

Your prompt response regarding this matter is appreciated.


American Express Identity Protection Team   
Please do not reply to this e-mail. This customer service e-mail was sent to you by American Express. You may receive customer service e-mails even if you have unsubscribed from marketing e-mails from American Express.

Contact Customer Service | View our Privacy Statement | Opt Out

This email was sent to [redacted].

American Express Customer Service Department
P.O. Box 297817 | Ft. Lauderdale, FL 33329-7817

2014 American Express Company. All rights reserved.

In this case the link goes to a phishing site at anerican-fortress.com/americanexpress/ but there seem to be a bunch of them at the moment:


IPs in use are: (FLP Kochenov Aleksej Vladislavovich, Ukraine) (SC CH-NET SRL, Romania)

I recommend blocking these IPs (

Wednesday 9 July 2014

NatWest fails when it comes to basic phishing precautions - report

It's late, so I'll just copy-and-paste this release about a rather stupid failure by NatWest to set an SPF record for one of their critical domains..

NatWest Fail To Adequately Protect Customers Online From Increasingly Sophisticated Cyber Crime Threats 

London UK, Wednesday 9th July 2014 – A leading email security specialist organisation has identified a simple yet important flaw in online banking systems which could be exposing unknowing customers to cyber-orientated threats.

Graeme Batsman, director of the London based IT and email security company 'Atbash', has identified a vulnerability in the system used by NatWest – highlighting a susceptibility to phishing emails (spoofed) and malware.

The flaw identified in the current email security set up employed by NatWest bank has been found to decrease the possibility of phishing emails being identified and filtered out safely, thus protecting online customers.

Mr Batsman commented “Being a security techy, I spent time pulling software, spoofed emails or viruses apart to see exactly how they work and where the possible flaws can be seen. During early July I was handed a sample of an email from NatWest which slipped past the security system. After inspecting the problem and testing the vulnerability I identified that the problem was a missing SPF record.”
A 'Sender Policy Framework' (known as an SPF) is a free, open source method of identifying and capturing dangerous and compromised emails by comparing records saved online against the actual email received. A full configuration to close the vulnerability would have taken around 30 minutes and costs nothing to implement.
Graeme Batsman continued “To put it simply NatWest’s email servers are based within the United Kingdom, so if someone was sending an email from New Zealand pretending to be NatWest, it should get blocked. When an email is sent there is a simple check done in the background to see where the email should come from (in this case UK) and where is actually comes from (in this case New Zealand), If the 2 do not tie up then email servers will determine the email to be fake and it will be blocked.”

Unlike other cyber threats facing large corporations with an obligation to protect customer data, this particular vulnerability in the NatWest system would have cost nothing to address. By integrating an SPF record on the system, the bank would have increased the chance of email spam filters detecting that the email is a fake and as a result, offering better protection for their customers.
Whilst NatWest.com does have SPF records set up, the critical domain nwolb.com which is used for online banking login does not. This leads to cyber criminals being particularly attracted to the nwolb.com domain.

This is obviously a major concern to NatWest online banking customers, however other major banks such as Metro Bank, Barclays, Santander and Lloyds already have SPF records setup for their domains which relate to online banking login paths.
Knowing banks it would have taken a lot more than 30 minutes to fix this and millions of pounds of money. Oh yes.. taxpayer's money in the case of NatWest. But it certainly does look like a basic security failure that makes me glad that I bank elsewhere..

Thursday 8 May 2014

Maersk Line Shipping Phish

Some people will phish for anything, this seems to be looking for credentials to My Maersk Line, I guess to allow the scammers to illegally ship items at someone else's expense.

From:     Maersk Line Shipping [sunil.dharmappa@stalliongroup.com]
Reply-To:     shipping@maersklines.com
Date:     8 May 2014 14:55

Dear Sir/madam,

we  want to inform you that your supplier/seller shipped your goods  through our shipping services, we hope your supplier must have given you the details about your container vessel ,we strongly recommend that you confirm your goods/cargo immediately by tracking your goods online.
 All shipped container/goods must be tracked  to enable  you to know the location of your shipment and to know the arrival date of vessel. This is why MAERSK LINE has enabled a user friendly interface for our customers to track there goods by themselves without the help of the agents.

Download the container tracking form attached and  log in with your email now to know the status and location of your container/shipment. You must use the email which you used in communicating with your supplier/seller that is the email our tracking system will recognize because it is the email your supplier registered your goods with .You will be able to save the search criteria for easy reuse at a later stage. You will also have the opportunity to search for shipment from/from specific locations and many other features.

Check the attached now .

Best regards

Maersk shipping company.

Terms of use | Privacy policy | Sitemap | Maersk Line. All rights reserved.

Attached is a file maersk container tracking.htm ..

This attempts to harvest credentials and then POSTS them via a dedicated phishing site at send.apbem.org.br/zolamaersksend.php ( / Brasil Telecom, Brazil). Once the username and password have been stolen, the victim is sent to the real My Maersk site (which doesn't actually require a password for basic container tracking).

Not many people will have a relevant shipping account at Maersk, but you can imaging the potential value of being able to ship stolen or illegal goods for free..

Monday 6 January 2014

"Unauthorized Activity on your Amazon account" phish

The New Year seems to have brought a new wave of phishing emails, here's a new one looking for Amazon credentials.

Date:      Mon, 6 Jan 2014 08:19:39 -0000 [03:19:39 EST]
From:      Amazon [noreply@trysensa.com]

Case- 91289-90990

Unauthorized Activity on your Amazon account.

We recently confirmed that you had unauthorized activity on your Amazon account.

Please be assured that because your card includes "zero-liability fraud protection" , you are not responsible for unauthorized use of your card.

Unfortunately, we have not confirmed your complete information , please follow the instructions below.

Click the link below to validate your account information using our secure server:

Click Here To Active Your Amazon Account

For your protection, you must verify this activity before you can continue using your account

Thank You.
Amazon LTD Security System
The link in the email goes to [donotclick]immedicenter.com/immedicenter/images/yootheme/menu/Amazon/index.php and comes up with a convincing-looking Amazon login page:

The next page phishes for even more information:

And now it goes after your credit card information:

And having stolen all your information, you get a nice message to say thank-you:

The hapless victim then gets sent to the genuine Amazon.com website.

In most email clients, floating over the link would clearly demonstrate that this was not the legitimate amazon.com website, and certainly once visited (not something I would recommend) then the address bar at the top of the browser would clearly indicate it is not amazon.com.

If you have accidentally clicked through this email and provided all the details then you should contact your bank immediately and also change your Amazon password plus any other places that you use that same username/password combination.

Friday 18 October 2013

"Microsoft Windows Update" phish

A random and untargeted attempt at phishing with a Windows Update twist.

From:     Microsoft Office [accounts-updates@microsoft.com]
Date:     17 October 2013 02:54
Subject:     Microsoft Windows Update

Dear Customer,

Evaluation period has expired. For information on how to upgrade your windows software please Upgrade Here.

Thank you,

Copyright © 2013 Microsoft Inc. All rights reserved.
The email originates from [mail.andrustrucking.com] which is a trucking company called Doug Andrus Distributing.. so perhaps Microsoft are farming out the updates to a random Idaho company. Or perhaps they have had their email system compromised (maybe by someone using the same phishing technique).

Anyway, the link in the email goes to a legitimate but hacked site and then lands on a phishing page hosted on [donotclick]www.cycook.com/zboard//microsoft-update/index.php.htm. Despite the email saying "Windows Update", the landing page has had Office branding crudely pasted into it.

Entering your credentials simply takes you to a genuine Microsoft page:

Phishing isn't restricted to stuff like bank accounts, the spammers also like a fresh supply of email accounts to abuse, so as ever.. exercise caution.

Thursday 10 October 2013

Companies House phish

This fake Companies House spam appears to be some sort of phishing attempt:

Date:      Thu, 10 Oct 2013 11:57:31 +0300 [04:57:31 EDT]
From:      Companies House [contact@companieshouse.co.uk]
Subject:      Compulsory Companies House WebFiling Update #90721

Compulsory Companies House WebFiling Update #90721

This is an important notice to inform you as a registered company to update your details.

This will make it easier to update our database and keep records of our company.

Kindly follow the link below to update your information.

CLICK - Start Here
Companies House
Crown Way
Cardiff CF14 3UZ

DX 33050 Cardiff 

The link in the email goes to [phish]www.misspanama.net/respaldo/ukcompany/CompaniesHouse.htm which asks only for a Company Name, email address and password.

Once the credentials have been harvested, the victim is sent to a genuine Companies House webpage at www.companieshouse.gov.uk/forms/introduction.shtml

So, what is being harvested here? There seems to be no malware involved, so perhaps the bad guys are actually trying to hijack company identities for some evil purpose.

It turns out that Companies House have a webpage all about this type of threat and recommend that you forward offending emails to phishing@companieshouse.gov.uk. Just remember.. sometimes phishers are after something a lot less obvious than your bank details!

Tuesday 18 June 2013

Something phishy on

A couple of phishing sites (Simply Transit, UK):

linkedlne.com - LinkedIn / Webmail Phish

This laughable fake LinkedIn login page is trying to harvest webmail addresses, being sent out via a spam message and leading to a link at [donotclick]www.linkedlne.com/login/user/:

From:     Linkedln Support [Support@supportlinkedln.com]
Date:     18 June 2013 06:53
Subject:     You need to confirm your email address.


We write to inform you that your LinkedIn account has been blocked due to inactivity.

To ensure that your online services with LinkedIn will no longer be interrupted

Click here to unblock your account.

You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.

We ask you to confirm your email address before sending invitations or requesting contacts at LinkedIn. You can have several email addresses, but one will need to be confirmed at all times to use the system.

If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.

Thank you for using LinkedIn!

--The LinkedIn Team

Learn why we included this. © 2013, LinkedIn Corporation. 2029 Stierlin 
Really this is just phishing for webmail addresses and passwords rather than LinkedIn credentials:

suncoaslfcn.org - Suncoast Schools Federal Credit Union phish

Hosted on the same server is an attempted phish for something called the "Suncoast Schools Federal Credit Union" which has an actual website at suncoastfcu.org rather than suncoaslfcn.org. The phish page is at [donotclick]sunnet.suncoaslfcn.org/SignIn/ but the phishers have left a full copy of the phishing kit which is available at [donotclick]sunnet.suncoaslfcn.org (more of which in a moment)

There's also an attempted Co-op bank phish which has been reported at [donotclick]co-operativebank.co.uk.suncoaslfcn.org/login/online-access/login.php.

There are two email addresses than can be phone in the phishing site themselves (for research purposes you can download a copy here, password is "phish"). The file verification_data.php reveals two email addresses, jsrh444@188.com and davenport1001@hotmail.com.

A quick bit of Googling around links jsrh444@188.com to the following phishing domains:

A similar bit of Googling around links the other email address to the following domains:

Monday 12 November 2012

Cableforum.co.uk hacked?

Cableforum.co.uk is a popular and useful UK site about digital TV and broadband. Unfortunately, the email address list has leaked out and is being used for spamming, for example:

NatWest : Helpful Banking
Dear Valued Member ;

To prevent unauthorized access to your accounts, your online service has been temporarily locked. No further log in attempts will be accepted.
This is a procedure that automatically occur when an invalid information is submitted during the log in process.
Please follow the provided steps below to confirm your identity
and restore your online access:


© Legal Info – Security
© 2005-2012 National Westminster Bank Plc 

This is a standard NatWest phish. It doesn't originate from Cableforum.co.uk or its servers, but it is sent to an address ONLY used for Cableforum, so it must have leaked out somehow.

So.. dutifully I pop across to Cableforum.co.uk and (changing my password en route) find the appropriate forum. It seems that the problem has already been spotted:

Here's one example:

So I received this email today:

Date: Fri, 2 Nov 2012 10:15:08 -0400
From: NatWest Online [helpdesk@nwolb.com]
To: [removed]
Subject: Please Review Your Contact Details!!!

Dear Valued Member ;
To prevent unauthorized access to your accounts, your online service has been
+temporarily locked. No further log in attempts will be accepted.

The email was sent to an address I've only used to register on Cable Forum and is a series of random characters that spammers wouldn't just 'guess'. Just wondering if anyone else has had this email? 

That's odd. That's exactly the same as me. And then there's another one:

I had two emails sent to both the addresses registered here on Cable Forum. Not sure why the earlier thread was so hastily closed?
Slightly off topic, why can I not edit my email address here?
When I attempt to change it I get this: The email address you entered is already in use. If you have forgotten your password, please click here.
I have not forgotten my password, I was trying to change it as well as my email. 

These are very precise reports from people using unique sign-on addresses. You'd think that would be pretty good evidence. So, armed with that you'd expect a concerned "we'll look into it" response. But instead the replies are:

Spammers don't "pick" anything. Their software generates emails at random and, yes, that includes strings_of_gibberish @yourdomain.

This site has not sold your email address.
This site has not been hacked, cracked or compromised.

The end.

Thread closed.

Threads of the same topic that have been closed should not be re-opened/re-created no matter what the circumstances are.

This issue cropped up several months ago and I will repeat what was said then...

We do not believe our systems have been compromised. There was no evidence to suggest an intrusion or breach took place. If anyone has any *Strong* Evidence to suggest other wise then contact us using the contact link below.

Thank you. 
which prompted a response from the original reporter:

The only spam I had was today, didn't have any earlier. I did get an explanation from the mod that closed it about how he didn't feel the thread was useful and that it would attract unwanted replies. But I think preventing people from discussing the issue stinks of a cover up (whether it is or not).

It would be much better to at least post a link to that thread, or some sort of explanation of what they think is happening rather than a dismissive knee-jerk response that it didn't happen when three people have claimed to receive the same email (and Osem says it happened before). All I want is an explanation about what happened and a promise that security of MY data is important but I don't feel like I'm getting that.  
What's worse is that this isn't the first time that this has been reported. Here's another one:

Today I received a not-so-subtle phishing email pretending to come from Santander, sent to my one-off email address associated with my cableforum account. I registered my account in 2009 and it's the first time I get spam/phish on this address. I don't really care if CF was hacked since I used a unique pw/email, but maybe a warning to other users would be the polite thing to do... 

But going back even further shows this thread with a lot of evidence that an email address leak has occured. One person who seems to know their stuff points:

Your database has been dumped and the damage is done as far as spam is concerned
now the question is are you

1) going to stick your head in the sand and thow around accusations
2) man up and fix the problem 

One of the Cableforum team shows just how far they can bury their head in the sand

But seriously, all in all, getting back to the main issue, there is about 5 people receiving it to their CF registered e-mail address and reporting it here so far. Co-incidence, yes but a very weak one. 
How many people do you think use unique emails for each site? Not many. That sort of evidence is very, very strong.. especially with multiple reports. That comment got this withering rebuke:

It's not a co-incidence at all. The emails are clearly of the same content and arrived within a small interval of each other and to CF-specific registered email addresses. If you're saying this is purely by chance and that all these email addresses were just "guessed" up by some automated program, then you're in denial.
 But another member of the CF team shows that they just don't understand it at all:

Given the extremely weak evidence provided and this appearing to only affect a very small number of members i.e less than 10, we do not believe that our systems have been breached and as a result we believe this to be the actions of brute force spamming.
Really? All these people with unique email addresses report the same spam. And it just gets dismissed?

But if you have the same problem.. forget it. All threads have been closed, creating new threads on the matter has been banned. In denial much?

Clearly there has been a problem for several months, although it isn't clear when such an address leak occurred or what data was taken with it. You should always assume that the passwords have been compromised and change it, plus change it anywhere that you re-use the same password.

Sadly, crap like this happens to good websites. And the best way to deal with it is to be honest and 'fess up so that members can act accordingly. Nobody likes to think that there site has been compromised, but in this case it clearly has been to some unknown extent.

I emailed Cableforum.co.uk to advise them (since new forum threads are banned). Let's see if I get a response..

Update: and other incidents are here and here.. so this isn't really an isolated problem.

Update 2:  predictably, raising the issue just gets the thread closed with the phrase "There is nothing to discuss and I am not interested in wild theories and stupid accusations that some how there is a cover up." Which just shows that there is a cover up..

Update 3:  and what is really ridiculous is that Cableforum mods are denying it, despite the fact that their site was recently hacked. And it isn't the first time, either.

Wednesday 31 October 2012

"Your Apple ID has been disabled" phish

I've never seen one quite like this before, although it's not the first time I've seen Apple-themed scam email (this one, for example).

From:     Apple no_reply@macapple.com
Reply-To:     no_reply@macapple.com
Date:     31 October 2012 06:08
Subject:     Your Apple ID has been disabled
Apple ID Support

Dear [redacted] ,

This Apple ID has been disabled!

For your protection, your Apple ID ([redacted]) is automatically disabled. We detect unauthorized Login Attempts to your Apple ID from other IP Location. Please verify your identity today or your account will be disabled due to concerns we have for the safety and integrity of the Apple Community.

To verify your Apple ID, we recommend that you go to:
Verify Now >
The phish is hosted at [donotclick]app.apple.com.proiectmaxim.ro/id2/sign_in/login_ID&=/?&=?reactivate=[redacted] and it looks pretty convincing if you haven't spotted the Romanian domain name..

It just goes to show that the bad guys will try to phish anything these days..

Wednesday 5 September 2012

Fake HMRC spam leads to multi-phish

Here's something I haven't seen before.. it starts with an email:

From: HM Revenue & Customs [mailto:refund.request@hmrc.gov.uk]
Sent: 05 September 2012 14:27
Subject: Tax Refund Alert - Action Required

How to complain, ask for a review or make an appeal
Review process update
Review process - the first 12 months. Find out more
Claim Your Tax Refund Online
We identified an error in the calculation of your tax from the last payment, amounting to £ 859.00. In order for us to return the excess payment, we need to confirm a few extra details after which the funds will be credited to your specified bank account. Please click "Refund Me Now" below to claim your refund:
Refund Me Now
We are here to ensure the correct tax is paid at the right time, whether this relates to payment of taxes received by the department or entitlement to benefits paid.
Best Regards,
HM Revenue & Customs Refund Department
•    See also
•    Appeal and review news
•    Working and paying tax
•    Pensioners
•    Find a form
•    Complaints factsheet C/FS (PDF 67K)
•    Feedback

HM Revenue and Customs are the UK tax collecting agency, so this is basically a tax refund. The link goes to a somewhat authentic looking page.

The phishing site in this case is in Korea (durideco.co.kr in this case). The interesting part is the drop-down menu in the middle that the victim is meant to use to select their bank. There are 17 different UK banks to choose from. Each one leads to an individual phishing page for each bank, for example:


I won't bother pasting all the pictures here, but some of the pages are very good and a few don't work at all (e.g. Northern Rock, which doesn't really exist any more).

This is quite a clever approach. Normally a phishing email is a "one bank per phish" affair.. it's no use sending someone a Barclays phish if they're with HSBC. In this case pretty much all the major UK banks are covered in one email which is really quite sneaky..

Friday 6 January 2012

"Elavon 2012 Update" phish

Elavon deals with payment processing. This email is not from Evalon.

From: "Elavon, Inc." [sobolan@myvirtualmerchan-02.com]
Date:Fri, 06 Jan 2012 16:09:48 +0100
Subject: Urgent-Notification

--Elavon 2012 Update--
Dear Customer,

We regret to inform you that your retail merchant account is locked.
To re-activate it please download the file attached to this e-mail and update your login information.

2012 Elavon Inc,
-Please note only RETAIL account are locked-
-Example : Market Segmet : Retail-

Attached is a file called myvirtualmerchant_login.html which is the phish itself, displaying the following screen.

The form itself sends the details to mail.xinsanjing.com on (HangZhou XinSanJing Food Co. Ltd. China) which is possibly a hacked server. In this case the email originated from in Puerto Rico.

If you use Elavon's services, watch out for this phish.

Tuesday 4 October 2011

Several AdWords phishing sites at Prolexic

Prolexic is an anti-DDOS specialist hosting firm with a reputation for being one of the good guys. It's a bit of a surprise to see Google AdWords phishing sites on a Prolexic server, hopefully they won't be there for long.

The phishing messages look something like this:

From: Google AdWords
Subject: Google AdWords: You have a new alert.

This message was sent from a notification-only email address that does
not accept incoming email. Please do not reply to this message. If you
have any questions, please our Help Center to find answers to
frequently asked questions.

Dear Valued Customer, 

You have a new alert from Google Adwords.

Sign in to your AdWords account at http://www.googlernn.com/Select/login

Yours Sincerely,
The Google AdWords Team

It's difficult to know just how many phishing sites are on this server, however the following can be identified:


Sites appear to be hosted on along with thousands of legitimate sites. All the domains have been registered in the past few days with hidden domain registrations.

Monday 22 August 2011

HMRC phish: refund1-hmrc.com, refund2-hmrc.com, refund3-hmrc.com and refund4-hmrc.com

Here's a bunch of web sites and domains being used to peddle fake HMRC (UK tax office) refunds:


The fake emails look something like this:

From: HM Revenue & Customs Billing Department [mailto:hmrc@refund1-hmrc.com]
Sent: 22 August 2011 09:36
To: [redacted]
Subject: Billing Notifcation

Refund Notification

This e-mail has been sent to you by HM Revenue & Customs to inform you that we must pay you back 478 GBP.
Please complete all the information to process your refund

Please allow 2 weeks for you money to be availabe in your account. (eg: address, phone)
Total refund amount: 478 GBP

To ensure that your service is not interrupted, we request you to confirm and update your information today by following the link below:

Refund Notification

Thank you for your prompt attention to this matter. Do not reply to this e-mail.
Mail sent to this address cannot be answered.

Member [redacted]

© HM Revenue & Customs 2011 

The emails actually come from  refund1-hmrc.com, refund2-hmrc.com, refund3-hmrc.com and refund4-hmrc.com so

If you click through the link then you get a pretty standard phishing page trying to get credit card details, personal information and passwords.

The HMRC don't send tax refund messages by email, so any such notification should be considered bogus.

The phishing sites are hosted on in China, blocking that IP would be a good idea, but you could go further and block as it looks like a cable modem range and there shouldn't really be any legitimate sites hosted here.

Domain registration details are clearly fake:

Domain Name.......... refund1-hmrc.com
  Creation Date........ 2011-08-22
  Registration Date.... 2011-08-22
  Expiry Date.......... 2012-08-22
  Organisation Name.... scotia bank
  Organisation Address. hah
  Organisation Address.
  Organisation Address. there
  Organisation Address. 123131
  Organisation Address. AL
  Organisation Address. UNITED STATES

Admin Name........... scotia bank
  Admin Address........ hah
  Admin Address........
  Admin Address........ there
  Admin Address........ 123131
  Admin Address........ AL
  Admin Address........ UNITED STATES
  Admin Email.......... bbuubbh2@yahoo.com
  Admin Phone.......... +1.1233213121
  Admin Fax............

Tech Name............ scotia bank
  Tech Address......... hah
  Tech Address.........
  Tech Address......... there
  Tech Address......... 123131
  Tech Address......... AL
  Tech Address......... UNITED STATES
  Tech Email........... bbuubbh2@yahoo.com
  Tech Phone........... +1.1233213121
  Tech Fax.............
  Name Server.......... ns1.refund1-hmrc.com
  Name Server.......... ns2.refund1-hmrc.com

The nameservers are hosted on in Colombia (CONSULNETWORK LTDA).

Tuesday 26 July 2011

Phishtank FAIL: paypal.de

paypal.de is pretty obviously a legitimate PayPal domain, registered to eBay and hosted on in eBay's address space. However, Phishtank thinks that it is a phish.. well, OK, false positives happen.. but the problem here is that it has been manually verified as a phish which really does show a weakness in the Phishtank verification system. It's not the first time it has happened.

So, if you are in Germany and find that paypal.de is blocked, then this is the reason why.

Tuesday 12 July 2011

Fake HMRC site: confirm-hmrc.com / onlineservice.confirm-hmrc.com

This is a rather new phishing site, pretending to be a tax refund from the UK's HMRC agency pointing to the domain confirm-hmrc.com (subdomains www.confirm-hmrc.com and onlineservice.confirm-hmrc.com).

Although the phish looks convincing, the HMRC don't do tax refunds in this way. Usually they will just transfer the money to your bank account or alternatively send you a cheque. Furthermore, in my experience the HMRC only communicate by post and not electronic mail.

The site hosted on in China. The same server also has the fraudulent domains account-update-westernunion.com, account-westernunion.com and accounts-westernunion.com. The domain registration details are fake:

Domain Name.......... confirm-hmrc.com
  Creation Date........ 2011-07-12
  Registration Date.... 2011-07-12
  Expiry Date.......... 2012-07-12
  Organisation Name.... wu wu
  Organisation Address. 12 na
  Organisation Address.
  Organisation Address. miami
  Organisation Address. 12311
  Organisation Address. AL
  Organisation Address. UNITED STATES

Admin Name........... wu wu
  Admin Address........ 12 na
  Admin Address........
  Admin Address........ miami
  Admin Address........ 12311
  Admin Address........ AL
  Admin Address........ UNITED STATES
  Admin Email.......... sadasda@re.com
  Admin Phone.......... +1.12312312312
  Admin Fax............

Tech Name............ wu wu
  Tech Address......... 12 na
  Tech Address.........
  Tech Address......... miami
  Tech Address......... 12311
  Tech Address......... AL
  Tech Address......... UNITED STATES
  Tech Email........... sadasda@re.com
  Tech Phone........... +1.12312312312
  Tech Fax.............
  Name Server.......... ns2.confirm-hmrc.com
  Name Server.......... ns1.confirm-hmrc.com

Blocking traffic to will probably do no harm.

Thursday 12 August 2010

Battle.Net / WOW Phish domains

I don't play World of Warcraft of Starcraft..but lots of people do and Blizzard accounts (used for playing the game online) are often a target for phishers. Why? Well, these accounts can be resold and are worth real money.

This post at the Sunbelt software blog caught my eye.. but knowing that fake WOW / Blizzard sites don't tend to travel alone I did some digging and came up with a whole batch of them on neighbouring IPs.

Registrant details are:
  Name           : Ji XiaoWei
  Organization   : Ji XiaoWei
  Address        : LiShui Dengtalu 25
  City           : LiShui
  Province/State : Zhejiang
  Country        : CN
  Postal Code    : 323700
  Phone Number   : 86-0578-7245132
  Fax            : 86-0578-7245132
  Email          : qnpv@163.com

These are all fake, so avoid