Webmail: setting for your mailbox ...... are changed

This variation of the email notification "Webmail: Your mailbox has exceeded the storage limit" is designed to dupe folks into clicking on a link that supposedly takes you to a website that will fix your email settings.  Of course, that's far from the truth.  The link that you click on will no doubt trick you into downloading a malicious package onto your computer.

It looks like free hosting on Google Groups and Yahoo! Groups is home to many of these emails, whose links follow this pattern:

http://XXXXXX.googlegroups.com/web/XXXXXXX
http://f1.grp.yahoofs.com/XXXXXXXXXXXXXXXXX

The email headers show that it originated from Argentina (190.176.213.228):

Received: (qmail 22391 invoked from network); 9 May 2010 15:34:08 -0400
Received: from 190-176-213-228.speedy.com.ar (HELO NTFRQLO) (190.176.213.228)
  by XXXXXXXXXXXXXXXXXX with SMTP; 9 May 2010 15:34:07 -0400
Message-ID: <000d01caefae$95d7db60$6400a8c0@futonstbc8>
From: XXXXXXXXXXXXXXXXXXXXXXXX
To: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Subject: setting for your mailbox XXXXXXXXXXXXXXXXXXXX are changed
Date: Sun, 9 May 2010 21:34:05 +0100

The IP address belongs to Telefonica de Argentina:

inetnum:     190.176/15
status:      allocated
owner:       Telefonica de Argentina
ownerid:     AR-TEAR7-LACNIC
responsible: Agustín Gomez Dhers
address:     AV. ING. HUERGO - OBS. JUDICIALES, 723,
address:     1065 - Buenos Aires - CF
country:     AR
phone:       +54 11 4333-2220 []
owner-c:     TEA
tech-c:      TEA
abuse-c:     TEA
inetrev:     190.176/15
nserver:     DNS1.MRSE.COM.AR
nsstat:      20100505 AA
nslastaa:    20100505
nserver:     DNS2.MRSE.COM.AR
nsstat:      20100505 AA
nslastaa:    20100505
nserver:     DNS3.MRSE.COM.AR
nsstat:      20100505 AA
nslastaa:    20100505
nserver:     DNS4.MRSE.COM.AR
nsstat:      20100505 AA
nslastaa:    20100505
created:     20080311
changed:     20080311
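
As an added example (not part of the original post), the Python below extracts the sending host from a qmail-style Received header like the one above and flags the traits visible in it. The redacted fields are replaced with constructed example.org placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Header block from the post; redacted fields replaced with constructed placeholders.
SAMPLE = """\
Received: (qmail 22391 invoked from network); 9 May 2010 15:34:08 -0400
Received: from 190-176-213-228.speedy.com.ar (HELO NTFRQLO) (190.176.213.228)
  by mx.example.org with SMTP; 9 May 2010 15:34:07 -0400
Message-ID: <000d01caefae$95d7db60$6400a8c0@futonstbc8>
From: sender@example.org
To: recipient@example.org
Subject: setting for your mailbox recipient@example.org are changed
Date: Sun, 9 May 2010 21:34:05 +0100
"""

# qmail-style hop: "from <rDNS> (HELO <name>) (<ip>) by <receiver>"
HOP = re.compile(r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+\((?P<ip>[\d.]+)\)")


def first_external_hop(raw):
    """Return rdns/helo/ip from the topmost Received header that names a peer.

    Received headers are prepended, so the topmost one was written by the
    receiving server; lower ones are supplied by the sender and can be forged.
    """
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            return m.groupdict()
    return None


def triage(raw):
    """Heuristic flags only; none of them is proof on its own."""
    hop = first_external_hop(raw)
    if hop is None:
        return None, ["no parsable peer in Received headers"]
    flags = []
    if "." not in hop["helo"]:
        flags.append("HELO is not a fully qualified domain name")
    if hop["helo"].lower() != hop["rdns"].lower():
        flags.append("HELO does not match reverse DNS")
    # Access-line rDNS usually embeds the address, e.g. 190-176-213-228.<isp>
    if all(o in re.split(r"[-.]", hop["rdns"]) for o in hop["ip"].split(".")):
        flags.append("reverse DNS embeds the IP (typical of dynamic access lines)")
    return hop, flags


if __name__ == "__main__":
    print(triage(SAMPLE))
```

All three flags fire on the header above: a bare machine name in HELO, a HELO that differs from the reverse DNS name, and a reverse DNS name built from the IP address.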

Updated: 2010-05-09, 2010-05-10, 2010-05-11, 2010-05-12 and 2010-05-13 with further links of the same pattern.


About this Entry

This page contains a single entry by John Highway published on May 9, 2010 4:12 PM.
